TCR manipulations and Recovery-Mode based attacks in Liquity

Low
RickGriff published GHSA-64wf-29wj-rpgx Mar 13, 2024

Package

No package listed

Affected versions

v1.0

Patched versions

None

Description

Liquity’s Recovery Mode activates when the system’s total collateral ratio (TCR) reaches the critical collateral ratio (CCR) of 150%. In Recovery Mode, the liquidation rules change and it becomes possible under certain conditions to liquidate Troves which have individual collateral ratios (CRs) of up to 150%.

Since the TCR is an aggregate metric that depends on the total collateral and the total debt of all borrowers in the system, the actions of any individual borrower impact the TCR, as do redemptions and redistributions.

As such there exist various ways to manipulate the TCR and trigger the Recovery Mode, usually at some significant cost and/or financial risk to the attacker. The simplest manipulation - creating a huge Trove with CR = MCR and pulling the TCR down to the CCR in anticipation of a price drop - was widely known to the Liquity team and community at launch.

More complicated attack sequences have since been analyzed. Whether or not these attacks can be profitable depends on the specific state the system is in, which is determined by factors outside the attacker’s control, e.g. the collateral and debt of each Trove.

Below we detail four scenarios in which an attacker can extract profit from the Liquity system under very specific conditions:

  1. TCR drop via price sandwich + opening huge Trove (PDF)
  2. TCR drop via underwater debt + redemption + redistribution (PDF)
  3. TCR drop via underwater debt + opening huge Trove + redistribution (PDF)
  4. TCR drop via underwater debt + opening huge Trove + redemption (PDF)

Impacts

All attacks rely on very particular and unlikely “stars-aligned” scenarios, where various parts of the system are in exactly the right kind of state for the attacker to profit by triggering Recovery Mode and executing liquidations.

Each scenario report analyzes the extractable profit under some assumptions (usually worst-case or at the very least, conservative), and aims to delineate the regions of state space in which profit is possible.

They also outline specific risks the attacker faces, such as block re-orgs and liquidation of their own Trove.

In each attack, it is some subset of borrowers who lose out - i.e. those who were liquidated as a result of the attacker triggering Recovery Mode.

Mitigations

A Trove which maintains CR >= 150% cannot be liquidated in Recovery Mode and as such is technically protected. This has been clearly explained in Liquity's comms and docs since system launch.

Some attacks above involve “redistribution” liquidations, which, although very likely a net gain for the recipient Trove, can “drag down” the recipient Trove’s CR.

Borrowers should be aware that:

  • Drag-downs from redistributions are technically possible when the SP is empty
  • Attacks involving redistributions are very unlikely and only feasible when a rare “stars aligned” system state occurs outside of the attacker’s control
  • The CR drag-down from redistribution is hard to quantify, since it depends on the specific distribution of collateral and debt across all Troves
  • When a redistribution occurs, the Troves closest to CR = 150% are most at risk from a drag-down to below 150%

As such, borrowers who want to further mitigate the already remote risk of a redistribution dragging their Trove down to CR < 150% may wish to maintain some CR buffer above 150%.
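A borrower-side check of the drag-down described above, as an added example (not Liquity's code and not part of the original advisory). It assumes liquidated collateral and debt are redistributed pro rata by each active Trove's collateral and ignores gas compensation, fees and the contracts' stake accounting; all Trove values and the price are constructed.

```python
from dataclasses import dataclass

CCR = 1.50  # critical collateral ratio from the advisory (150%)

@dataclass
class Trove:
    coll: float  # ETH collateral
    debt: float  # LUSD debt

    def cr(self, price: float) -> float:
        return self.coll * price / self.debt

def tcr(troves, price):
    """Total collateral ratio: aggregate collateral value over aggregate debt."""
    return sum(t.coll for t in troves) * price / sum(t.debt for t in troves)

def redistribute(active, liq):
    """Active Troves after absorbing a liquidated Trove pro rata by collateral (assumed model)."""
    total = sum(t.coll for t in active)
    return [Trove(t.coll + liq.coll * t.coll / total,
                  t.debt + liq.debt * t.coll / total) for t in active]

def dragged_below_ccr(active, liq, price):
    """Indices of Troves at or above the CCR before the redistribution and below it after."""
    after = redistribute(active, liq)
    return [i for i, (b, a) in enumerate(zip(active, after))
            if b.cr(price) >= CCR and a.cr(price) < CCR]

def min_safe_cr(active, liq, price):
    """Smallest pre-redistribution CR that still ends at or above the CCR afterwards."""
    total = sum(t.coll for t in active)
    # Per unit of collateral: value gained is scaled by the CCR, debt gained is subtracted.
    debt_room = price * (1 + liq.coll / total) / CCR - liq.debt / total
    # No finite buffer helps if the redistributed debt alone exceeds the allowed debt.
    return float("inf") if debt_room <= 0 else price / debt_room

# Constructed sample state: three active Troves and one being redistributed.
PRICE = 2000.0
ACTIVE = [Trove(10.0, 13_000.0), Trove(50.0, 40_000.0), Trove(100.0, 100_000.0)]
LIQUIDATED = Trove(40.0, 76_000.0)

if __name__ == "__main__":
    print("TCR before:", round(tcr(ACTIVE + [LIQUIDATED], PRICE), 4))
    print("TCR after: ", round(tcr(redistribute(ACTIVE, LIQUIDATED), PRICE), 4))
    print("dragged below CCR:", dragged_below_ccr(ACTIVE, LIQUIDATED, PRICE))
    print("CR needed beforehand:", round(min_safe_cr(ACTIVE, LIQUIDATED, PRICE), 4))
```

In this model the TCR is the same before and after the redistribution, so a Trove near 150% can fall below the CCR without any change in the aggregate metric.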

Credit for findings

Big thanks to the following parties for their security findings and discussions:

  • ChainSecurity for outlining the core attack in scenario 1
  • Alex the Entreprenerd (Spearbit, eBTC) for extensive discussions and analysis
  • 0xRobocop for identifying the potential for redemptions to drop the TCR in scenario 2

Severity

Low

CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: None
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

No known CVE

Weaknesses

No CWEs