MakerDAO Loans Can Be Gamed to Hold Out Funds From Liquidation, Startup Finds
Borrowers can close debt positions on lending platform MakerDAO under the 150% collateral minimum with this one simple trick.
A loophole in MakerDAO’s collateralized debt positions (CDPs) market, discovered by Israel-based startup B.Protocol, enables CDPs to be closed far more leniently than the system intends due to a small oversight in the auction market, according to a blog shared early with CoinDesk.
The lending protocol is meant to close positions automatically after collateral backing outstanding dai (DAI) falls below the 150% ratio. But a simple call function provides a workaround while decreasing the chance of being smacked by a liquidation penalty around that value.
By splitting CDPs into tiny positions of around $100, B.Protocol analysis shows that Keepers – who bid on liquidated assets from undercollateralized positions – won’t liquidate positions because of the difficulties in calculating the profit margin, B.Protocol CEO Yaron Velner said in a phone interview.
A position – big or small – could theoretically be held under the collateral limit for some time and be closed without a liquidation penalty, he said. Exact values were not provided because of the odd nature of the problem; how long an extension lasts depends on Keepers who don’t seem interested in purchasing small underwater positions, Velner said.
“Extrapolating these results to a Vault of $1M suggests that it will cost around $5K in gas to split it into 7,800 Vaults. Or in other words, one could protect his Vault from future liquidations by sacrificing only 0.5% of his Vault size,” the blog states.
That compares with the haircut of 13% or more that liquidated CDP holders typically sustain when their collateralization ratios fall below the minimum threshold.
The finding puts pressure on MakerDAO’s liquidation markets, which are already being overhauled by the community. Creating and destroying the platform’s native dai stablecoin is dependent on Maker self-executing liquidations when appropriate. Yet, as B.Protocol puts it, “It is not clear such a threshold exists.” Rather, Keepers rely on vague “heuristics.”
“The core reason for the fact that small Vaults were not liquidated is likely because the liquidators did not find it profitable to initiate the liquidation process,” the blog states.
One decentralized finance (DeFi) arbitrage firm CoinDesk spoke with under the condition of anonymity concurred with B.Protocol’s assessment, adding that other DeFi lending schemes such as Aave or Compound are far simpler. “With those protocols we don’t have to price things and just need to consider whether there is enough liquidity,” the source said.
The ten-thousand-foot picture is far kinder, however. Not only has MakerDAO’s total value locked (TVL) shot north of $2 billion, but its ability to address architectural slights on the fly throughout 2020 does give some credence to DeFi’s ever-growing dependency on governance tokens.
The finding is B.Protocol’s second in the last few weeks, the previous one being the use of a flash loan on Maker’s governance portal to close an election early. (B.Protocol offers lending market liquidation products.)
The startup disclosed the vulnerability to the Maker smart contract team, which is preparing options for community review Monday, Velner said.