Aave v2/v3 Security Incident Risk Analysis
Summary
On 2023-11-04, v2 Ethereum was paused and certain assets on V3 Polygon, Arbitrum, Optimism were frozen in order to protect the protocol from a vulnerability. As a result, positions may become at risk for accruing bad debt, given that liquidations / debt repayment / collateral refill have been paused.
The situation presents a number of uncertainties with regards to the amount of time v2 will be paused and spikes in volatility and breakdown in asset correlations. Gauntlet computes potential insolvencies under the following scenarios. We include 2 week to unpause scenarios to be prudent in light of other potential delays, and for greater color on how potential insolvency and liquidations may evolve during a pause.
- Time to unpause v2 is 1 week, volatility is 1x historical 1-year volatility.
- Time to unpause v2 is 2 weeks, volatility is 1x historical 1-year volatility.
- Time to unpause v2 is 1 week, volatility is 2x historical 1-year volatility
- Time to unpause v2 is 2 weeks, volatility is 2x historical 1-year volatility
For each scenario, we run 1000 simulations, in each simulation we generate 15-minute returns, extend over 1 or 2 weeks, and compute distribution of insolvencies. The simulations assume -
- (no stablecoin depeg) stablecoins (USDC/USDT/DAI/etc) do not change in price
- (no LST depeg) STETH and WETH price returns mirror each other
We first discuss simulation results, and then touch on our view on the grace period that BGD mentioned previously.
Aave v2 Simulation Results
At a high level, most potential insolvency that may arise could come from borrows against stablecoin collateral, and most potential liquidations may arise out of decorrelation between WETH and WBTC.
Insolvencies_95 and liquidatable_amt_95 represent insolvencies and liquidatable borrows at the 95th percentile out of 1000 simulations. We find that at the 95th percentile, supposing volatility were what was observed in the past year, potentially $5k may become bad debt. Note that Aave has sizable reserves and treasury funds
| days_to_unpause | volatility_multiplier | insolvencies_95 | liquidatable_amt_95 |
|---|---|---|---|
| 7 | 1 | 5k | 32m |
| 7 | 2 | 180k | 35m |
| 14 | 1 | 240k | 35m |
| 14 | 2 | 700k | 37m |
Analysis of higher insolvencies under more pause delay and higher volatility reveals most insolvencies come from stablecoin collateralized CRV borrows. Some simulations model CRV prices increasing, so towards the tail end those CRV borrows may become insolvent.
Should we exclude the CRV borrows -
| days_to_unpause | volatility_multiplier | insolvencies_95 | liquidatable_amt_95 |
|---|---|---|---|
| 7 | 1 | 5k | 32m |
| 7 | 2 | 12K | 35m |
| 14 | 1 | 12k | 35m |
| 14 | 2 | 50k | 37m |
The largest contributors to liquidations at risk come from WBTC borrows. This account becomes eligible for liquidation with a 4% downwards move in WETH/WBTC ratio, and has frequently topped up positions in the past month.
Aave v3 Simulation Results
On v3 Arbitrum, Polygon, Optimism, and Avalanche, USDT, USDC, DAI, EURS have been paused. Both nonstable-collateralized stable debt, as well as stable-collateralized nonstable debt may be at risk, should market move significantly in either direction.
Assuming stablecoins will become unpaused in 1 week, simulating a 2-std move down and up reveals larger potential liquidation volume with a downwards move. At this 95th percentile, insolvency risk remains small.
| chain | direction | new_insolvencies | new_borrows_liquidatable |
|---|---|---|---|
| arbitrum | down | 0 | 860k |
| arbitrum | up | 0 | 360k |
| avalanche | down | 0 | 1.6m |
| avalanche | up | 600 | 240k |
| optimism | down | 0 | 41k |
| optimism | up | 0 | 14k |
| polygon | down | 0 | 600k |
| polygon | up | 900 | 560k |
Conditions for grace period
Determining the viability of the grace period to allow users to repay debt / top up collateral involves tradeoffs between user experience and potential insolvency that may occur during the grace period. Our simulations reveal that under current loanbook, conditions, and governance procedure, adding a 3-hour grace period for users to readjust positions does not add excess risk.
However, for thoroughness, we outline a couple characteristics that can affect the viability of the grace period. We then define two conditions in which we would recommend disabling the grace period.
Characteristics
-
(Buffer to insolvency) Let B be the set of borrows that will become insolvent with a 5-std 3-hour move. If sum(B) > K, where K is some insolvency tolerance, then reconsider grace period.
- If an excess number of liquidatable positions have an increased chance of evolving into bad debt, liquidating them, rather than having a grace period, may improve risk.
- As an example, our simulations show that on the weekly time frame, an additional pause of 1 week increases 99th percentile insolvency by ~$250k (excluding large CRV borrows, see above simulation results).
-
(Increased volatility) Rolling market volatility on 15 minute period leading up to grace period is above n*observed_volatility, where n is a volatility multiplier, then reconsider grace period.
- Increased volatility leading up to grace period may be sticky and induce higher volatility during the grace period, which may affect position buffer to insolvency.
Based on the above characteristics, should either of the following two conditions be met, we recommend disabling the grace period, if the community finds the parameterization acceptable.
Condition A
- (Aave v2) Buffer to insolvency, K = $250k, 5-std 3 hour move
- (Aave v3) Buffer to insolvency, K = $25k, 5-std 3 hour move
Condition B
- (Aave v2) Buffer to insolvency, K = $250k, 2-std 3 hour move
- (Aave v3) Buffer to insolvency, K = $25k, 2-std 3 hour move
- (both) Increased volatility, rolling market volatility > 3 * observed volatility.
- As an example, WETH observed volatility over the past year has been ~45%. Should WETH rolling market volatility over the past half-day be > 135%, coupled with lower buffer to insolvency, this may signal need to deactivate the grace period.
- This would have been breached ~ 7 times in the past year.
We pick $250k for the threshold K for Aave v2 as it represents the additional insolvency risk at the 99th percentile incurred over an additional delay of 1 week, ex ante. Risk exceeding this level at activation of grace period may indicate deteriorated market conditions, in which benefits of liquidation may outweigh impacts to users. We proportionately scale down the threshold for Aave v3 deployments based on TVL.
Price, Rolling standard deviation over half-day, WETH
Next Steps regarding Market Risk
- As mentioned, should either of the above two Conditions be met, we recommend disabling the grace period, if the community finds the parameterization acceptable.
- Welcome community feedback.