The Web3 space is all about creating decentralized services and a transparent flow of information. Lending and borrowing, a crucial part of financial models worldwide, have been part of the web3 ecosystem for a while now.
Protocols like AAVE, Compound, and dYdX brought lending and borrowing to our web3 space, beating the traditional bank-based loan-taking procedures and limitations. These protocols are the pioneers of decentralized lending & borrowing.
As the Web3 community grew, lending and borrowing became very useful, and the TVL (total value locked) of these protocols quickly crossed into the billions.
Imagine someone gave you $4 billion, to be taken back from you later. What in the world would you not do to keep it safe? Similarly, imagine how crucial the matter of security is for these protocols. It is as simple as this: there is no lending and borrowing protocol without security, and no financial model can be sustained without such lending and borrowing services.
As an attempt to serve the web3 community and educate you about what important checks such protocols must go through to ensure complete trust and justice to the users, QuillAudits, like always, is here to help you understand several security checks that need to be taken care of before going public. Let’s start.
Tips to secure lending and borrowing
In this section, we will go through some of the important aspects and services lending and borrowing have, build an understanding and then share some tips on how they can be made secure. In the end, we will see some common checks that need to be ensured. Let’s go.
1. Flash Loans
This is something really interesting. This mechanism holds the power of making you a millionaire (just for a few seconds, though), but if used correctly, it is very helpful in many scenarios. But what is it?
Imagine this as a teenager. You are out on a bike to buy something from a shop you have been visiting for a long time, and the shopkeeper knows you. You reach there and tell the shopkeeper, “Listen, I got a plan. I need some money. I promise to return it to you before going home. I just have to make a few transactions.” The shopkeeper still wants some assurance that he will get it back, so he listens to your plan. You tell him, “Give me $10. I will buy apples from market A, where the price is $5 per apple, and sell them in market B, where the apple price is $7.” The shopkeeper, now assured that the amount will be returned to him, gives you the money, and that’s it: you do it, get a handsome return of $4, return the $10 to the shopkeeper and then go home happy!
This is what a flash loan is, just with more added security. A flash loan allows you to borrow a huge sum of money, in millions, without any collateral but with one condition: you would return all the money before adding a new block in the chain (a matter of seconds). But even in seconds, there are huge applications for flash loans. Flash loans were also used for some of the most damaging hacks executed on some protocols in web3. These hacks also involved the working of an oracle. Let’s learn about oracles from a security point of view.
Blockchain is a whole new world in itself, cut off from physical-world data, but with the help of oracles we can bridge the gap between blockchain data and physical-world data. Why is that necessary?
If you think about it, this plays a crucial part in the blockchain. Let’s say you create a protocol which gives insurance to farmers. You draft a contract saying that at every month-end the farmer will pay a premium of $100, and if the temperature is above 100 Fahrenheit for five days straight, he is eligible for a claim of $1000 for the loss of his crops. A simple contract that insures farmers. But how would the blockchain know the temperature was over 100 Fahrenheit for five days? This is where oracles come into play.
Oracles provide actual physical-world data for on-chain calculations and conditions. Thus, our protocol is dependent on the correctness of the oracles. Computations are often based on conditions whose data is supplied by the oracles, so if this data is corrupted or the oracle is somehow compromised, the protocol itself has been compromised. Protocols have suffered HUGE losses just due to this fact.
For lending protocols to determine the price of an asset, a price oracle is used to fetch prices either on-chain or off-chain. On-chain oracles have suffered a lot of problems that allow price manipulation. Therefore these protocols rely on off-chain oracles, like Chainlink, for price reporting. This is more secure because prices are fetched from various sources (e.g. exchanges) by trusted parties. It is always advised to go for an oracle which is well known in the web3 space, and its integration in the protocol should be properly taken care of.
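One way to take care of that integration, as an added example (not code from the original article or from any protocol it names): a consumer that reads a Chainlink feed through `latestRoundData()` and refuses non-positive, incomplete or stale answers before any lending logic uses them. The contract name `CheckedPriceFeed`, the `maxAge` parameter and the scaling to 18 decimals are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Chainlink's price feed interface, reduced to the two functions used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer: the name, maxAge and the 18-decimal scaling are assumptions.
contract CheckedPriceFeed {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge;      // seconds a report stays acceptable
    uint8 private immutable feedDecimals; // cached so price() makes one external call

    error InvalidPrice(int256 answer);
    error IncompleteRound();
    error StalePrice(uint256 updatedAt);

    constructor(AggregatorV3Interface feed_, uint256 maxAge_) {
        uint8 d = feed_.decimals();
        require(d <= 18, "unsupported decimals");
        feed = feed_;
        maxAge = maxAge_;
        feedDecimals = d;
    }

    /// Returns the asset price scaled to 18 decimals, or reverts (fails closed).
    function price() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // A zero or negative answer must never reach collateral or debt math.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not completed.
        if (updatedAt == 0) revert IncompleteRound();
        // Checked subtraction: a timestamp in the future also reverts.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt);
        return uint256(answer) * 10 ** (18 - feedDecimals);
    }
}
```

Choose `maxAge` from the update interval published for the specific feed, since a value that is too generous lets an outdated price drive borrowing and liquidation decisions.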
3. NFT-based borrowing
We can borrow tokens by keeping owned NFTs as collateral in decentralised lending and borrowing. How it works is one party keeps the owned NFT locked for a fixed amount of time and, in exchange, gets a loan of the agreed amount with the agreed-upon interest rate. Now if the party fails to repay the principal + interest amount, the lender receives the ownership of the NFT. This system is equivalent to keeping your land as collateral to borrow, which has existed for so long in society.
As discussed above, the price oracles needed should be reliable and non-compromisable. In the case of NFTs, the well-known models are OpenSea/LooksRare, so when working on this, it should be ensured that the price oracles are from OpenSea/LooksRare.
Some protocols allow the loan/interest terms of a loan taken against an NFT to be changed while the loan is active. If you want to work on such a feature, you should check and work on formalizing how the changes affect the loan/interest values and then incorporate it securely.
4. Common strategies
In the sections above, we learned about a few aspects not directly related to the protocol. They are the design and feature-based security aspects which play a major role in the security-related issues in a protocol. Now we are going to focus on different protocol checks.
- CounterTokens:- Whenever a user deposits some tokens, he receives aTokens in return, which can be redeemed for the token or used as collateral. These aToken contracts should pass all the safety-related audits that ERC20 tokens go through.
- Mint/Burn:- Whenever there is a deposit or borrow, there is a process of minting and burning aTokens. Make sure to incorporate the logic correctly.
- Slippage fee:- Slippage is the price difference between when you submit a transaction and when the transaction is confirmed on the blockchain. We need to ensure the user cannot manipulate the slippage fee.
- Edge cases:- Always test for edge cases in the testing phase of the protocol development, like taking out a huge proportion of an asset from a liquidity pool and seeing how it behaves. To learn more about testing and formal verification, refer to https://blog.quillhash.com/2023/02/16/testing-and-formal-verification/
Lending and borrowing protocols have been a part of the web3 ecosystem for some time. This area was the first to be explored in the web3 space, so it has seen a lot of attacks and hacks. Experience has shown that new attacks keep appearing and need to be taken care of by these protocols, and the constant upgrading of such protocols also creates room for attacks.
Big protocols like AAVE also understand the need for security and have outsourced the security responsibility to auditors. QuillAudits has created its name in the web3 security space and, with notable audits, holds expertise in securing some of the most complex and interesting protocols. If you want an audit, visit our website and get your protocol audited today.