Compound has seen over $100 million in liquidations in the last 24 hours, according to LoanScan.
More than half of the collateral liquidated was in the form of DAI, a stablecoin that’s designed to match the price of the U.S. dollar. One user who was farming Compound’s COMP token was liquidated for over $49 million due to becoming undercollateralized.
Paradigm investor Georgios Konstantopoulos was among those to point out the incident on Twitter earlier today.
He outlined how UniSwap’s Flash Swaps function was used as part of the exploit.
Is this the biggest liquidation ever?
The careful observer will notice @UniswapProtocol‘s Flash Swaps:
1. Draw ~46.1m DAI from Uni
2. Repay into Compound
3. Receive 2.4b cDAI
4. Unwrap 2.2b cDAI to 46.2m DAI
5. Repay ~46.2m DAI to Uni (30bps fee)
6. Keep the remaining 171m cDAI https://t.co/hI6EJlzNmT
— Georgios Konstantopoulos (@gakonst) November 26, 2020
Compound is one of the most used and established DeFi protocols — its total value locked (TVL) is currently at $1.55 billion according to DeFi Pulse, placing it behind only Maker and wBTC.
Compound lets users lend out funds in exchange for earning yield and is completely decentralized. Other users can then borrow funds, but they have to put up crypto collateral that exceeds the amount they’re borrowing.
Stablecoins such as DAI are often used as collateral in DeFi protocols like Compound. If a user becomes undercollateralized, the liquidator can take the collateral and repay the debt. In this incident, someone used a Uniswap flash loan to draw the DAI needed to pay off the debt, then took the profits.
DeFi protocols often rely on oracles to pull in data such as price feeds. On this occasion, it’s thought that an oracle was obtaining prices from Coinbase Pro.
Yesterday, DAI briefly hit a premium of around 30% above its regular $1 price on the exchange.
Compound seems had an oracle attack via Coinbase Pro. Nearly $90M of liquidation. pic.twitter.com/ptZsj3X8kf
— Marlboroxu (@marlboroxu) November 26, 2020
The sudden increase in the price suggests that the bad actor may have used Coinbase Pro to influence the oracle’s price feeds. Because smart contracts are programmed automatically, they can’t tell if a price feed was changed artificially.
In this incident, users appeared to be undercollateralized because the price of DAI suddenly increased from $1 to $1.30, which then led to the liquidations.
Prominent DeFi enthusiast Arthur_0x pointed the blame at oracles. Posting on Twitter, he wrote:
“Close to $90m of loans were liquidated on @compoundfinance over the last 24hrs, with bulk of it DAI likely due to oracle issue as Coinbase DAI/USDC spiked to $1.3 momentarily, also the pair where yield farming is concentrated”
Large liquidation events have occurred on Compound in the past, though the $100 million sum lost makes this one particularly significant. It’s yet further proof that DeFi is still in its infancy.
As such, experimenting with protocols like Compound comes with a huge amount of risk.