Aave v3 Polygon deployment: $GHST token as risk factor to cause bad debt & be exploited for price manipulation
This forum post is published by nonstopTheo on behalf of Riskdao.org
$GHST is a potential risk factor for Aave’s v3 Polygon deployment. While low LTV ratio somewhat mitigates a price manipulation attack, there is a question mark on how well an underwater account with $GHST debt could be liquidated. It is a small cap asset that might cause problems in the following ways:
- $GHST as borrow asset: The protocol will struggle to liquidate positions where users borrow GHST. If the price increases materially, the protocol won’t be able to liquidate the collateral asset for GHST, accruing bad debt.
- $GHST as collateral: Become the center of a price manipulation attack, similar to what happened with Mango and Moola Markets recently. There is about $69m in available liquidity on Aave v3 Polygon which is an attractive target.
In this article, we show how the need to liquidate a $825k loan of $GHST can cause a 2x increase in Aave platform-wide bad debt. And analyze the risk ofAave v3’s Polygon deployment to fall victim to price manipulations that have wreaked havoc at Mango Markets, Moola Markets and Venus Protocol.
We conclude by suggesting Aave to put in place supply & borrow caps for $GHST to mitigate any potential attacks.
Overview
Aave’s v3 deployment on Polygon holds about $100m in TVL of which $69m are not utilized. This provides a highly attractive honeypot for any malicious actor.
Source: app.aave.com
Of that $69m, $50m are highly liquid stablecoins or large cap tokens like ETH, BTC and MATIC.
Source: app.aave.com | Selection of top assets on Aave v3 (Polygon)
$GHST Aavegotchi
Among the assets, $GHST stands out as a potential risk vector: It’s a small cap asset with a market cap of $45m and minimal trading volume yet has an uncapped “reserve size”.
A look at CoinGecko reveals relatively thin trading activity across major CEX pairs. Huobi & OKX even show +2% slippage for less than $1,000 trade sizes! Which indicates their reported trading volume is likely fake.
Source: CoinGecko (20 October, 10:30am GMT)
DEX liquidity appears even thinner than what CoinGecko data suggests. Both 1inch.io and Quickswap quote 5.5%-6% slippage for a $150k trade.
$GHST has no reserve limit, contrary to many other assets on the Aave v3 market. However, the LTV is capped at a relatively low level of 25%.
Utilization rate and interest income are relatively low.
Potential problems for Aave v3
Inability to liquidate $GHST borrow position, causing bad debt
The thin DEX liquidity is cause for concern for $GHST as a borrowed asset which could potentially cause material bad debt.
Liquidations, i.e. purchases of $GHST in return for the collateral asset, would cause material price increases.
On a normal weekday, $1m of USDC buy order causes a 40% price increase. If liquidations are caused by rising $GHST prices, these liquidiations would add further buy pressure, pumping the price. A $2m buy order would send the price to $2.02 from current levels.
The below graphic helps visualize how bad debt would accrue to Aave. We assume a user that deposits USDC 1m as collateral to borrow $GHST.
In the outlined scenario Aave would be stuck with bad debt to the tune of $450k. Looking at the RiskDAO bad debt dashboard, this would be a doubling of platform-wide bad debt. Caused by a $0.83m borrow position in $GHST which is an immaterial revenue contributor to Aave.
Price manipulation attack
Recent activity has shown that price manipulation attacks are a realistic threat to any lending protocol.
Attackers do not even shy away from identifying themselves, pretending to operate in a law-free environment. This has brought more attention to price manipulations as “highly profitable trading strategies” that could also target blue-chip protocols like Aave.
$69m in available liquidity is highly attractive to any attacker.
Looking at the Binance order book, an attacker can pump the price to $7, and clear the entire ask-side of the book, with as little as $2.1m (snapshot: 20 Oct noon GMT).
That is a 6x increase vs current prices of $1.15.
Sophisticated attackers can exploit the thin liquidity and trading activity, especially during low trading periods (e.g. weekends).
24hrs trading volume on the main DEX Quickswap has been on a steady downward trajectory over the last month and oscillating between $30k-150k recently.
Looking at the trading activity, it is apparent that there are windows of opportunities where an attacker can artificially inflate the $GHST with a limited bankroll.
Notwithstanding the low LTV of 25%, this could potentially be successful to drain significant parts of the lending market’s liquidity.
Conclusion
Aave v3 is facing new challenges in this tough market environment. Trading volumes are steadily decreasing and attackers are looking for opportunities to exploit loopholes.
$GHST as an asset is a clear outlier on Aave v3 Polygon markets due to the small size and low trading volumes. Given the new realities in DeFi, we would urge the Aave community & team to put safeguards in place to protect from adverse actions. Specifically, we suggest capping both the supply and demand side of the GHST markets at current levels (ie no further $GHST can be supplied or borrowed).
By following this recommendation, the protocol’s stability will be hardened without compromising revenue growth: The GHST market is not a major revenue generator and thus we don’t consider the current risk-return profile appropriate.