[ARC] Risk Parameter Recommendations for Aave V2 ETH (2022-11-22)

To be fair, Avi probably lost today much more than Aave did, so it is not the text book definition of an economical exploit.

Agreed, but crypto Twitter loves the drama and created a lot of FUD around this situation. At the end of the day, his “attack” is the reason why Gauntlet woke up from their nap and is pushing for this proposal.

Here’s a breakdown of the total supplied/borrowed amount for each asset in this proposal (as of November 22, 2022).

Total Supplied = $180.1 million (mainly CRV, MKR, YFI, ZRX, and xSUSHI)

Total Borrowed = $83.2 million (mainly CRV, MKR, and stablecoins like GUSD, LUSD, and sUSD).

image1340×1024 107 KB

We are pleased to see the community taking the important first step to further manage risk following today’s events on the protocol, especially with rigour. This is a strong first step for the DAO as it works towards a community-led solution.

hello @Pauljlei

i’ve been watching you closely. allow me to welcome you back to Aave

who called you here? @AaveLabs? my friends, above and below, are angry

astute timing. let the party begin // your renewal is soon on-chain

@tarun you’ve been quiet as your boys run loose. i miss you

thousands of readers visit the forum everyday. and users of the markets. who i am? am I one of them?

While this could have been worse - in terms of bad debt - it is an important reminder of the value of risk management. Additionally, today’s chaos is a reminder of how public our protocols health is.

Transparency can be a strength of the protocol and other days, a weakness. Publicity of this “trading strategy” drew more eyes, attention, and negative sentiment toward the protocol’s native token.

I would also not be surprised if Avi is reading this - so hey, well done.

We are supportive of changes proposed by @Pauljlei and V3 supply caps by @OriN and encourage more proactive efforts, preparing users for the deployment of V3 mainnet.

There seem to be more reminders; the sooner this market is released - the more control we may have. @bgdlabs we will work alongside you to make this process easier, including today’s proposal.

I am grateful for discussions happening in parallel such as @monet-supply’s thread. Today, and any day working alongside a DAO is a reminder of improving processes and controls

Recommendation looks a bit strange in two ways.

• Probably better to just disable borrowing those assets because it’s borrow side which is vulnerable. Borrowing against those is good with 45-55% LTV (whatever current parameters are);
• GUSD looks a little bit strange in the list given that it’s redeemable. sUSD and LUSD have some decent liquidity also, but that can be argued.
• AAVE, UNI and LINK are no different from all the assets in the list, strange that it is not in the recommendation.

Agree on adding LINK and also even UNI. AAVE cannot be borrowed at this point so doesn’t pose the same exposure.

Can it be just done to all assets that they cannot be borrowed (but can be used as collateral), or it cannot be done in Aave v2?

Generally agree with the proposed changes, which should provide immediate mitigation of risk from long tail assets outweighing impact on UX.

For certain stable assets, I think there may be mitigating factors that reduce the need for freezing reserves. GUSD and USDP are redeemable/mintable for fiat, which should nearly eliminate the risk of significant price deviations. LUSD can be redeemed for ETH with a 0.5% fee, and can be minted against ETH at 110% collateral ratio, which effectively soft pegs the price within $0.995 to $1.1, also limiting risk. These assets are not accepted as collateral which further reduces risk. Given these mitigating factors I think it could be suitable to unfreeze these assets in the near future. (sUSD and RAI also have strong stabilization incentives, but in the short run don’t have as strong of liquidity effects which could leave them vulnerable to manipulation)

On the other hand, it could make sense to freeze reserves for SNX and ENS in the future as well due to limited liquidity.

Lastly, it could be possible to reenable certain assets if other risk conditions improve (eg lower maximum liquidation thresholds across other assets such as DAI/USDC/ETH, lower total borrow and supply of long tail assets, improving market liquidity).

Although the risk profiles of LINK and UNI are lower than the assets in AIP 121, the community may elect to pause LINK and UNI borrowing depending on risk preference. We have published AIP 122 and AIP 123.

Sorry if this is a noob question, but what risk does an asset disabled as collateral, such as LUSD pose in such a scenario?

If the risk is minimized by disabling collateral (like it is already on LUSD), then switching the other concerned assets to borrowing-only might be preferable.

While I understand the need to take serious action, I am also worried the community might be overreacting. I think that taking the same actions against 15ish tokens listed on Aave is a good tell of that: the better path forward is probably more aware of the specificities of each token, as @monet-supply was highlighting in his last reply:

Hi all,
I am a bit surprised by the excessive decision. While emergency measures have to be taken, the problem has been accurately identified (LTV too high for some long tail assets) and lowering LTVs should be enough. I believe this is especially valid for the stablecoins mentioned above.

Unless, Gauntlet believes there are other systemic risks cause by these assets, but we would need more context to make such decision.

I’d like to add that in the current market, disabling all these long tail assets will just play into other lending protocol’s game, and lower Aave’s leadership.

From my perspective, it is a bit concerning the usage of the mechanisms of the v2 protocol following the approach of killing flies with bazookas.
Yes, it is clear (and really important that the community knows) that v3 is the most straightforward solution. But even if this past event is painful, that doesn’t mean we should boil down to irrationality.

It is important for the community to understand that the issue causing the CRV event is almost not because of CRV itself, it is because of the USDC Liquidation Threshold and Bonus configurations, which have been raised in previous periodic risk governance proposals.
A reaction of generalized freezing cuts that risk obviously, but sounds completely generic, as the main point is, in front any doubt, to cut borrowing of volatile assets.

• CRV has a 61% Liquidation Threshold and an 8% liquidation bonus. That means it can absorb collateral important shocks, being quite healthy liquidity-wise (I think it is clear from yesterday, right?).
  In addition, there is no reason to think there could be any problem with infinite minting or similar in CRV, that is clear I assume.
  Removing the supply side of CRV makes 0 sense, just shows no confidence in the 61% Liquidation Threshold.

• On GUSD, I don’t really see the rationale, it is supposed to be backed, no? In addition, it is only enabled as a borrowing asset.

• LUSD freezing makes no sense, given what @TokenBrice mentions of his usage as only-borrowing (pretty healthy usage I would say, even if the size is not so big), and checking the fundamentals described HERE

• sUSD is an only-borrowing asset, with a quite strong system of peg control behind it. Not sure which is the rationale, even assuming a price manipulation on the borrowing side, given the tremendous arbitrage that would be open.

• USDP is reserves-backed and, from what I know, regulated/oversight by the NYSDFS (New York State Department of Financial Services). An only-borrowing asset too. If the rationale is its small size, it is an option. In terms of risk, I see 0 reasons. Because by this rule we should freeze USDC too.

• 1INCH, 50% liquidation threshold, fairly liquid. Should not be enabled to borrow if so, the supply side doesn’t seem problematic.

• BAT is already not enabled to borrow, fairly liquid on supply side (collateral) risk, depending on what your simulations show @Pauljlei

• DPI, is not enabled to borrow already. And as mentioned multiple times already on the community priced on underlying

• ENJ, should not be enabled to borrow and probably lower the liquidation threshold. then, about the fundamental value of it in the protocol, I question it.

• ENS, should not be enabled to borrow, 60% Liquidation Threshold, which sounds perfectly ok.

• LINK disabling borrowing sounds legit, same for UNI.

• MANA, is probably too high a Liquidation Threshold; disabling borrowing sounds legit, removing the supply side, not sure.

• MKR, is similar case to MANA, but with 1) stronger fundamentals in my opinion (kind of clear) 2) both an important partner and a really big historic size. Removing borrowing makes sense, removing supply does not.

• RAI, agree with freezing, should have been done before.

• SNX borrowing?

• renFIL. Clear freezing, but for different reasons than the market.

• UNI, following others’ approach, disabling borrowing is clear.

• xSUSHI, borrowing is disabled and priced based on SUSHI, so freezing is debatable (there have been good numbers of xSUSHI historically, and still are).

• YFI, borrowing should be disabled, but supply side I’m not fully sure, probably the main issue is having Liquidation Threshold a bit too high, but on this no opinion.

• ZRX, I think freezing is acceptable, as there have been some past price manipulation attempts.

It is not the first time that this happens: some event shows substantial risk in the protocol, and the reaction is to try to throw everything out of the window. This is not really acceptable, because I expect a bit more “surgical precision” (disabling borrowing of every volatile?) from the entities participating in risk on the community, or at least, having though more before increasing the liquidation threshold of stablecoins on a pool like Aave, which only and exclusive use case at the current moment is to basically attack the protocol via really aggressive shortings.

Right now, the community has 2 options:

1. Try to act fast and accept the proposed freezing, with the policy “well, it is something”
2. Not agreeing with the proposal, but risking no-action adding any risk to the protocol.

Obviously, 2) is kind of a forced decision.

Re GUSD, right now it is possible to buy GUSD from the DAI’s PSM, but not the other way around? Is $0.5B the hard cap for GUSD PSM?
This means that as a debt asset GUSD is very liquid, right? And it will be very expensive to pump it’s price.

Fiat redemption/minting might take long time, and chainlink oracle might get updated long before the process is completed.

Great step especially with the market conditions and v3 around the corner. All for it.

Also, I’d like to ask the Aave governance to ponder one of the key driving components in this attack: the absolute preferential treatment given to USDC, both in terms of Liquidity Mining when it was a thing, but also in the collateral parameters.

The CRV scenario we saw yesterday is primarily due to USDC’s very permissive LTV (87%) - so if we want to take broad measures to risk off the Aave Protocol, I’d start by lowering USDC LTV.

The current setting means that only a ~11% increase of the borrowed token price is enough to go into bad debt territory (assuming USDC collateral and max borrow). Every % we can grab here would have a massive impact.

So if we are worried about a scenario like yesterday unfolding again, I think the most immediate and effective measure we can take is to lower USDC and other stablecoins collateral ratios: 80% should be the upper bond until the additional guarantees offered by v3 are available.

Glad to see to community active and discussing this proposal.

there’s an element of time sensitivity in current situation, as there’s some debate alongside this proposal would the community consider the following:

1. Quick AIP to mitigate risk :

• USDC LTV 78% LT 80% rest unchanged
• DAI LTV 78% LT 80% rest unchanged
• disable CRV borrowing; rest unchanged

publish this small-scope AIP in the immediate term

2. Continue this productive discussion here over the next few days and fine-tune a larger scope AIP including more assets risk parameters updates.

Given the uncertainty in the market, I think all scenarios should include disabling borrowing of all volatile assets apart from WETH and WBTC, because disabling CRV at the moment is arbitrary, given that the risk is not created by CRV itself, but by stable collaterals.
Then, about reducing LT, if applying the previous disabling of borrowing, it is not even so urgent. The system is not exploitable anyhow. We should really be mindful of potential liquidations by reducing aggressively LT though.

1. Given the attack vectors, is it worth considering ultimately incentivizing a move to V3?

2. Why are only some of the assets subject to more risk than others?

3. Is there a way to speed up governance to quickly jump on these types of changes in the face of exploiters like Avi Eisen? It seems that this proposal process and waiting on Gauntlet to make these proposals takes too long and renders Aave as potentially vulnerable to future exploits.