Jul 15, 2024

Postmortem on WETH/BASED

Hayden Shively

Aloe II is a protocol for isolated lending markets—markets where collateral risk is restricted to just two tokens. Each market is connected to a Uniswap pair to determine which two tokens are involved. Other important values, like the tokens’ relative prices and the market’s liquidation-loan-to-value (LLTV), are also fully determined by activity in the Uniswap pair. Neither we at Aloe Labs, nor anyone else, has any special powers or control over the protocol.

Though we’re all aware of the aggressive, PvP, dark-forest, code-is-law environment that is crypto, every attack is still painful. We hate to see attackers take advantage of users, especially when it’s as shameless as the June 20 attack on Aloe. Here we outline what happened and how we’re moving forward.

What happened?

On June 16, the attacker created a new Borrower in the WETH/BASED market. On June 17, they began swapping large amounts of ETH for BASED in order to increase its price. Over the next three days, they spent over 56.74 ETH (across Uniswap v3 and Aerodrome) to raise BASED’s price from $0.79 to $4.13. Their addresses¹ accounted for 89.2% of the WETH→BASED volume over that period.

[View this chart on Dune]

Two things stand out on this chart:

  1. The protocol’s Oracle Guardian tries to detect manipulation by comparing the 30-min time-weighted average price (TWAP) to the 60-min TWAP. With an LLTV around 80%, the threshold for detection (shown in purple) would have been 186 ticks, i.e. if the TWAPs differed by more than 1.0001^186 ≈ 1.019 (1.9%), borrows could be paused. This constraint is what forced the attacker to spread their buys out over multiple days. From the looks of things, they were wary of crossing the threshold, and when they did, we’re pleased to note that community members² successfully executed the pause function. This delayed the attack, but didn’t stop it.

  2. Perhaps the most interesting thing is how much capital the attacker had at risk. In the 4 days leading up to the attack, they bought 110,000 BASED — nearly 20% of the circulating supply. Another 30% of the BASED supply was locked in based.markets’ staking contract, but that leaves 50% free to sell into the attacker’s liquidity. It’s unclear why no one did... were BASED holders simply not paying attention as the price quadrupled? In any case, this was a huge risk for the attacker. Any large sells would’ve made the attack much less profitable, and perhaps altogether impossible.

While pumping the price, the attacker was using their newly-obtained BASED as collateral to borrow more and more ETH. They did so in small chunks (0.8 ETH, 1.2 ETH, etc.), but by 17:30 UTC on June 20, they had borrowed a total of 82.5 ETH — almost the entire pool.

To complete the attack, they sold their remaining BASED (around 18,000, which had not been used as collateral) into the Uniswap liquidity to obtain 15.84 ETH. This crashed the price from $4.13 to $2.50, making their Borrower unhealthy and resulting in the situation we see today.

Since the attacker spent 56.74 ETH on the way up, recouped 15.84 on the way down, and stole 82.5 from Aloe lenders, their net profit was 42 ETH.

What happens now?

Just after the attack, Aloe Labs’ bot executed a series of partial liquidations on the bad Borrower. At this point the borrower’s collateral was worth less than its borrows, so the liquidations were only possible if accompanied by a donation to the pool. Aloe Labs donated³ $10k to recover ~11 ETH. That recovered ETH is (and has been) available for withdrawal on a first-come-first-serve basis⁴.

Once that’s depleted, remaining users can achieve partial recovery using the new BadDebtProcessor helper contract. You can read more about it on Discord. Please note that it has not been audited, and you are not required to use it. We’re just doing everything in our power to give you choices.

99.9% of the WETH-[BASED] receipt tokens are held by Superform users. If this is you, you’d need to exchange your Superposition for the underlying receipt tokens before using the BadDebtProcessor.

Next steps

This loss was a result of 4-day-long market manipulation, not a hack. As far as we know, Aloe II is still bug-free. Just to be safe, we are running a second Sherlock audit competition (July 8-15).

We did consider one counterfactual: this deployment of Aloe II is immutable, and all hyperparameters are locked to their default values, but what if they were governable? nSigma is of particular interest, as it governs the relationship between IV and LLTV:

If a future deployment were to have governance, governance may foresee the risks associated with a pair like WETH/BASED and update nSigma accordingly. In a case like this, setting it to the maximum value of 8 standard deviations could reduce losses by ~10% (or force the attacker to pump the price even more). The manipulationThresholdDivisor could also be increased from its default value of 12 to the maximum of 16, making the Oracle Guardian more sensitive and allowing the pause to happen sooner.

Even with those changes, however, there would still be bad debt. DeFi is inherently risky, particularly when the attacker commands 20% of the supply of one of the tokens involved. We’re not aware of any autonomous lending market that could have survived this level of market manipulation.
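The Oracle Guardian comparison and the divisor change discussed above, as an added example (not Aloe's contract code). It assumes the threshold is log_1.0001(1/LLTV) divided by manipulationThresholdDivisor, which reproduces the 186-tick figure for an 80% LLTV, and it approximates each TWAP as the mean of one-minute tick samples; the sample series and all function names are constructed for illustration.

```python
import math

TICK_BASE = 1.0001  # Uniswap v3 convention: price = 1.0001 ** tick

def threshold_ticks(lltv, divisor):
    """Assumed rule: log_1.0001(1 / LLTV) / divisor (about 186 for 80% and 12)."""
    return math.log(1.0 / lltv) / math.log(TICK_BASE) / divisor

def ticks_to_fraction(ticks):
    """Relative price move that corresponds to a tick difference."""
    return TICK_BASE ** ticks - 1.0

def twap_tick(samples, window):
    """Mean of the last `window` one-minute tick samples (a geometric-mean price)."""
    recent = samples[-window:]
    return sum(recent) / len(recent)

def metric(samples):
    """Gap, in ticks, between the 30-minute and 60-minute TWAPs."""
    return abs(twap_tick(samples, 30) - twap_tick(samples, 60))

def minutes_to_alert(samples, start, threshold):
    """Minutes after index `start` until the metric first exceeds the threshold."""
    for n in range(start + 1, len(samples) + 1):
        if metric(samples[:n]) > threshold:
            return n - start
    return None  # the metric never crossed the threshold

# Constructed input: 120 quiet minutes at tick 0, then a sustained 500-tick jump.
STEP_AT = 120
SAMPLES = [0.0] * STEP_AT + [500.0] * 60

if __name__ == "__main__":
    for divisor in (12, 16):  # default and maximum values named in the post
        limit = threshold_ticks(0.80, divisor)
        delay = minutes_to_alert(SAMPLES, STEP_AT, limit)
        print(f"divisor={divisor}: threshold={limit:.0f} ticks "
              f"({ticks_to_fraction(limit):.2%}), pausable after {delay} min")
```

On this constructed series the larger divisor lowers the threshold from about 186 to about 139 ticks, so the pause condition is met several minutes earlier.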

Closing thoughts

As developers, we cannot tell you what to do with your tokens, how to analyze risk, or otherwise give investment advice. The most we can do is ask that you do, in fact, analyze the risks—the protocol state is public knowledge and always available for inspection.

That said, about a month before this attack, we grew concerned by the size of the WETH/BASED pool relative to its Uniswap pair. We brought it up on Twitter and updated the vault’s status on Superform to say “Uniswap oracle is relatively weak. Please consider all risks.” When asked about it on Discord, we explained our reasoning, and recommended that users do their own (additional) research.

Coming out of this, we’re encouraged by community participation in the pause functionality. We hope everyone will revisit their own positions and risk appetite, and continue doing their own research.

—————

[1] This address controls the Borrower that borrowed the ETH. This one interacts with it frequently and helps pump the price (source: https://dune.com/queries/3869388/6510121/). We also note that the attacker doesn’t seem very sophisticated. They use frontends (1inch, Odos, and more) rather than raw contract-level swaps.

[2] https://basescan.org/address/0xedeed75328937a17749c1a59772e2ec79eb51314, https://basescan.org/address/0xf186543d2b26b2ed45b7542383f4735848d28d29

[3] This decision was made in haste just a few minutes after the attack. Aloe Labs had no responsibility to do so and will not have such in the future.

[4] Unfortunately there’s nothing anyone can do to make this more fair. It’s a result of the contracts’ immutable code. And it’s not like the code could’ve been written differently to fix this either—we’re not aware of any design that eliminates the first-come-first-serve nature of these situations.


Metaphorical Use of Financial Terms; Lack of Legal Recourse for Funds. When used in connection with Aloe, the terms ‘debt,’ ‘lend,’ ‘borrow,’ ‘collateral,’ ‘credit,’ ‘leverage,’ ‘bank,’ ‘yield,’ ‘invest’ and other similar terms are not meant to be interpreted literally. Rather, such terms are being used to draw rough, fuzzy-logic analogies between the heavily automated and mostly deterministic operations of a decentralized-finance smart contract system, on the one hand, and the discretionary performance of traditional-finance transactions by people, on the other hand.

*Liquidation notification events are emitted onchain (Warn) but the Telegram service is centralized. Use at your own risk; we make no uptime guarantees.

© 2023 Aloe Labs. All rights reserved.
