Hi Algroand community,
I’d like to ask for help and your opinion on a critical Algofi bug bounty report I submitted to Algofi founders on 2022 Nov 25. After exchanging a number of emails and a few meetings during the past three months, in our last meeting today they concluded that the report does not satisfy the bug bounty. I’m quite disappointed about the outcome for a couple reasons including the fact that this sort of one-sided decisions makes these processes ineffective and useless because it is certainly not the last issue or bug to be reported.
Here is the report and would like to hear your opinion or judgment:
I attempt to use a very specific scenario to make it less abstract. Let’s say the market has been in a downtrend for quite some time, the Algo’s price is extremely suppressed and MMs, VCs, exchanges have large short positions that could be in total a few hundred millions or over a billion Algo. These short positions can be against long BTC/ETH positions or just naked shorts. At a turning point, either because of a macro environment change (e.g., a FED pivot) or specially good news for Algo, short covering must happen in a limited period of time, let’s say 24H. In normal situations, MMs and other short sellers usually prefer to cover their positions close to the bottom in a relatively long period of time. The general strategy is to not let the price rise from a certain range and ensure that buyers are not attracted but sellers still come in. In cases like the above where there is a limited time available and there is the risk of a short squeeze, they try to acquire as many as Algo possible with the minimum impact on the market price. Let’s say the Algo price is 10c (already suppressed) and a particular MM has a 200M algo short position. If they try to cover this amount of Algo in the market the price rapidly increases, as there are not enough sellers, other people start covering their short positions too and there will be also liquidations to the upside. So their average price wouldn’t be less than, for example, 15c (50% higher). This situation is not unusual and has happend for Algo before (09/09/21 or 11/18/21). This is not limited to the crypto market and happens in the stock market too. The GameStop case is a good example.
In the above situation the MM creates a plan to take as many as Algo possible out of AlgoFi with the minimum possible loss, not impacting the market price and potentially causing a panic with depegging STBL/AlgoFi as the major Algo dapp and therefore bringing more sellers to the market.
Deposit 50M USDC and borrow the max STBL ($36M) by account A.
Deposit 36M STBL and borrow max ALGO ($25.92M) by account B. The Algo’s price is 10c.
Now the market price starts to increase to 11.12c and account’s B liquidation begins. However, due to the lack of enough liquidity, the STBL liquidation stops when the difference between the STBL and USDC value gets closer to the liquidation incentive. This has three advantages. First, it prevents more buy orders from the liquidation hitting the market and therefore impacting the price. Second, it creates more panic and not only pushes the STBL price even lower but brings more Algo sellers to the market. Third, the MM can buy back STBL at a lower price and therefore unlock its USD position in account A.
Here is the summary until this step:
$14M + the STBL repurchase profit ($2.5M at .93c) was taken out of account A and the account is closed now.
$25.92M Algo at 10c was taken out at 5c lower than the optimistic average price, which means $38.8M Algo at 15c.
Account B is in a bad debt state. Let’s say 30M STBL and $32.8M Algo debt at 15c.
In total the MM has taken out $52.8M + the STBL repurchase profit ($2.5M at .93c), and still owns Account B, which can become positive if/when the Algo price goes back to less than ~11c in the future (next few months/years).
The core issues for AlgoFi are the breakage of liquidation process and STBL depegging where it is still considered $1 in the lending protocol. The issue gets worse as the STBL usage/MC increases and therefore it is almost impossible to fill the gap. This approach is quite attractive for the attacker because it doesn’t incur any risk and allows flexible timing and plays.
Two arguments that the Algofi team provided:
- There will be a liquidator out there who is willing to exchange $20M Algo with $20M STBL.
A practical comparison is that a liquidator is willing to exchange $20M Algo at $.16 with $20M STBL whereas there is no guarantee to when and how they can convert them to USDC. The current swap pools liquidity is much smaller than this amount.
- Assuming #1, the increase in interest rates forces the attacker to buy back STBL.
The increase in interest is dependent on how depegged STBL gets which effectively has many other consequences.
I do believe the fundamental issues with STBL, as implemented right now, exist. In comparison Dai has %50 of its collateral in USDC to somewhat mitigate this issue.
The reddit post: https://www.reddit.com/r/AlgorandOfficial/comments/10z8y3r/ask_for_community_judgment_in_an_algofi_bug/
Update: I actually figured out a way to avoid the increasing interest rate issue so the attacker even makes much more money as the STBL interest rate is increased. I shared this extra piece of information with the Algofi team and am waiting for their response.