Compound Finance is a protocol, currently deployed on the Ethereum network, for automatic, permissionless, and trust-minimized loans of Ether and various ERC20 tokens. It is one of the most widely used decentralized finance systems in the ecosystem and helps demonstrate the power of the technology.
The team asked us to review and audit a subset of the smart contracts. We reviewed the code and have published our results.
Here we present a summary of the system as it relates to the audit as well as a couple of interesting findings.
Overall, we are happy with the security posture of the team and health of the codebase. We are pleased to see a range of unit tests and explicit use of the checks-effects-interactions coding pattern. We have some reservations about the current architecture, but are glad to find the team has considered the implications of their threat model with an intention to upgrade the design where appropriate. Since the system is currently live and holding user funds, we would like to take the opportunity to discuss some of the risks, and how they are expected to be managed.
The system is divided into several markets — one per loanable asset. Each market contract manages the cash flow between suppliers and borrowers, but interestingly, they are not matched as individuals. Instead, funds are pooled and a common accounting procedure is applied to ensure all borrowers pay the same interest rate, which changes periodically. The interest from all loans gets distributed to suppliers in proportion to their deposits.
There are no time commitments or lock-in procedures, so any supplier or borrower can close their position at any time. The system does not provide any liquidity guarantees, but instead uses the variable interest rate to incentivize a healthy balance between suppliers and borrowers.
In addition, all loans are fully collateralized by deposits in the system (in other markets). This means that supplied assets have a dual purpose: they accrue interest as well as provide collateral for loans. There is another incentive system to encourage borrowers to remain collateralized or forfeit some collateral to third parties. This is managed by a central contract that coordinates the interactions between the markets.
Lastly, there is an oracle system that provides a price feed for all assets so the system can recognize under-collateralized loans as well as determine the amount of collateral to provide to liquidators.
Privileged Roles and Future Direction
The Compound team currently administers all aspects of the protocol to decide which assets can be loaned, the interest rate model for each asset, and how the system obtains price feeds. They also control various economic parameters including collateral requirements and the size of the incentive used to encourage third parties to liquidate under-collateralized loans.
These decisions can significantly affect the usefulness and safety of the system, so users must trust the Compound team to choose them wisely.
Additionally, the contracts include code hooks in most operations that ensure system-wide consistency across several markets, and can also be replaced to handle unexpected circumstances.
However, in the hands of a malicious or compromised administrator, these privileges contain the ability to trivially freeze markets, censor transactions or steal all assets from the system. Similarly, control of the price feed can be used to steal most, if not all, assets from the system. Currently, the same externally owned account is the administrator for all live markets.
To address these concerns, the Compound team intends to replace the existing administrator role and the price feeds with more decentralized governance mechanisms. However, the resulting mechanisms will still have these powers and should be designed carefully to either restrict how they can be exercised or to ensure they can withstand the large incentive to unfairly bias the system.
Consequently, for the purposes of this audit, we assume that the administrator and price feeds are available, honest and not compromised.
Here we will describe a couple of interesting findings from the audit.
Due to a truncation issue, it is possible for a borrower to take out a small, short-term loan without having to pay any interest. This can be scaled up to a large, short-term, interest-free loan by taking out several small, short-term, interest-free loans and consolidating them into a single account. By repeating this process periodically, an attacker can effectively take out a large, long-term, interest-free loan and reinvest it into Compound to earn interest. This attack requires a large amount of gas, so it is profitable only for miners (because only miners can make the required transactions without having to pay for gas).
When the value of a borrower’s collateral is at least as great as the value of the borrowed assets, we say the borrower is solvent. Otherwise, we say the borrower is insolvent. Compound’s liquidation incentive is intended to encourage behavior that moves all borrowers toward solvency. Under most conditions this works as intended. However, we found that there are circumstances under which liquidation moves the borrower closer to insolvency. These circumstances become more likely with larger liquidation incentives and larger collateral ratios. In the worst cases, a liquidation at a discount can cause a previously solvent buyer to become insolvent. These risks can be mitigated with prudent choices of the liquidation incentive and collateral ratios.
For full details on both of these issues, as well as our other findings, consult our audit report.