Security of Algorithmic Stablecoins

Author: Konstantin Nekrasov
Security researcher at MixBytes
Intro
In this article, we continue to research common pitfalls of stablecoins. In the previous article, we provided a security checklist and analyzed Magic Internet Money (MIM), an overcollateralized stablecoin. For ease of use, this article provides an extended security checklist in a separate section, as well as a brief analysis of other stablecoins: FRAX, RAI, DAI, and AMPL.
Checklist
1. Death spiral thought experiment
This is the basic question of what will happen if the price of the token is constantly going down.

Can the stablecoin, even in theory, safely "wind down" to zero users? Or more precisely: what happens if the expected future activity drops to zero?
2. Ponzi thought experiment
This is the basic question of what will happen if the price of the token is constantly going up. Is there a mechanism to counter it?

If the stablecoin has no mechanism to respond to situations where demand for holding exceeds demand for minting, then the price of the stablecoin may rise above the peg, and the stablecoin may become vulnerable to extreme price movements in both directions.

To check for such a mechanism, Vitalik Buterin suggested conducting a thought experiment: what happens if you try to peg the stablecoin to an index that goes up 20% per year?

He claims there are basically two ways for a stablecoin that tries to track a Ponzi index to turn out:

  1. It charges some kind of negative interest rate on holders that equilibrates to basically cancel out the USD-denominated growth rate built into the index.
  2. It turns into a Ponzi, giving stablecoin holders amazing returns for some time until one day it suddenly collapses with a bang.
Buterin claims that for a collateralized automated stablecoin to be sustainable, it has to somehow contain the possibility of implementing a negative interest rate. There are three ways to do this:

  1. RAI-style, having a floating target that can drop over time if the redemption rate is negative.
  2. AMPL-style, having balances change over time.
  3. DAI-style, being a hybrid stablecoin that uses both pure crypto assets and centralized assets like USDC as collateral.
3. Oracle weaknesses
Check what applies:

  1. Flash loan price manipulation.
  2. Low volume market price manipulation.
  3. TWAP manipulation. See the Rari Fuse VUSD price manipulation hack for an example. The Uniswap Oracle Attack Simulator calculates how much money is needed to move the TWAP of a crypto asset.
  4. Out-of-date prices:
    4.1. TWAP lag arbitrage. For example, by using the ten-minute weighted-average price of TITAN as opposed to the spot price, users were able to create and redeem IRON in the primary market using a price of TITAN that was different from the price of TITAN in the spot market [*].
    4.2. Rare price updates. This may be especially interesting if there is a public method for an update. For example, the oracle price in xSUSHI/MIM lending pool was so out of date that a hacker was able to use a flash loan to open a cheap CDP, update the price and then immediately liquidate the position with a profit over $100K (see the note and the transaction).
  5. MEV arbitrage (oracle price update frontrun).
  6. Collusion of oracle data providers. Is the profit from such an attack much higher than the potential loss?
  7. Buyout of the oracle. Is the price of the controlling share much lower than the total stablecoin value?

Additionally, you may want to search for an oracle attack checklist.
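
A monitoring check for items 4.1 and 4.2 above, added here as an example (it is not code from any of the protocols discussed): it computes a TWAP over a window and flags a feed that is stale or that lags the spot market. The function names, thresholds and sample observations are constructed assumptions.

```python
def twap(observations, now, window):
    """Time-weighted average price over [now - window, now].

    observations: (timestamp, price) pairs in time order; each price holds
    until the next observation.
    """
    start = now - window
    weighted, covered = 0.0, 0
    for i, (t, price) in enumerate(observations):
        t_next = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(t, start), min(t_next, now)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered


def check_oracle(observations, now, window, last_update, max_age, max_deviation):
    """Return (findings, twap, deviation) for one oracle-backed price."""
    findings = []
    if now - last_update > max_age:
        findings.append("stale")        # item 4.2: rare price updates
    average = twap(observations, now, window)
    spot = observations[-1][1]
    deviation = abs(spot - average) / average
    if deviation > max_deviation:
        findings.append("twap_lag")     # item 4.1: TWAP lags the spot market
    return findings, average, deviation


# Constructed sample: a collateral token falling from 10$ to 4$ in two minutes.
CRASH = [(0, 10.0), (300, 10.0), (480, 6.0), (540, 4.0)]
# Constructed sample: a flat market whose on-chain price was pushed 2 hours ago.
FLAT = [(0, 10.0), (3600, 10.0), (7200, 10.0)]

if __name__ == "__main__":
    # Ten-minute window, as in the IRON/TITAN case; 2% and 1 hour are assumed limits.
    print(check_oracle(CRASH, now=600, window=600, last_update=540,
                       max_age=3600, max_deviation=0.02))
    print(check_oracle(FLAT, now=7200, window=600, last_update=0,
                       max_age=3600, max_deviation=0.02))
```

A protocol or an off-chain monitor can use a non-empty findings list to pause minting and redemption or to raise an alert before the primary-market price and the spot price drift further apart.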
4. Governance attacks
Does the stablecoin have governance? Is the price of the controlling share much lower than the total stablecoin value?

Additionally, you may want to check governance attack checklists:
5. Algorithm-specific questions
Rebasing Algorithmic Stablecoins
Rebase tokens are a type of cryptocurrency that adjusts its circulating supply in response to price fluctuations (e.g. Ampleforth).

Questions to ask:
  • Is there a possibility of overflow or underflow of the total supply?
Over-collateralized Algorithmic Stablecoins
Crypto-collateralized stablecoins are backed by other cryptocurrencies. Since the reserve cryptocurrency may also be prone to high volatility, such stablecoins are overcollateralized — the value of cryptocurrency held in reserves exceeds the value of the stablecoins issued (e.g. DAI, RAI, MIM).

Questions to ask:

  1. Is the collateral ratio sufficient for the collateral volatility?
  2. What happens if the coin becomes under-collateralized?
  3. What happens if the debt holders do not buy the stablecoin back when it falls below the peg and wait until it falls even lower? Will this lead to a death spiral?
  4. Insufficient mint event. If the collateral price starts to drop, there is a risk of mass liquidations. Borrowers will buy the stablecoin from the market en masse to repay their debt. This will push the price of the stablecoin up. At the same time, no one will risk staking additional collateral to mint new coins, for fear of getting liquidated as the price of the collateral itself falls. Thus, with a limited and shrinking volume of the stablecoin, its price will rise even more. This scenario did happen to DAI and was fixed by introducing the ability to mint DAI via USDC. The question is: does the stablecoin have a mechanism (like DAI's stable-stable mint) to counter such an event?
Seigniorage Algorithmic Stablecoins
A seigniorage stablecoin allows users to burn its tokens (thus increasing the price) in exchange for seigniorage shares (an accompanying cryptocurrency), in the prospect that the shares can later be exchanged for an increased amount of money.

There are successful stablecoins that use seigniorage mechanisms (DAI, FRAX) as well as failed ones (Luna/UST and Titan/Iron).

Questions to ask:
Analysis
FRAX V1
The Frax V1 protocol is a two token system encompassing a stablecoin, FRAX, and a governance token, Frax Shares (FXS). The protocol is backed by a USDC collateral pool.

FRAX can be minted and redeemed for $1 of its value, partly in USDC, partly in FXS depending on the current collateral ratio. The collateral ratio parameter changes every hour by 0.25% depending on the current FRAX price [*]:

  • If the price is above the peg long enough (i.e. people are confident in the stablecoin), then the collateral ratio decreases.
  • If the price is below the peg long enough (i.e. people are losing confidence), then the collateral ratio increases.
FRAX relies on the seigniorage mechanism to stabilize its price:

  • If FRAX/USDC < 1$ → it is profitable to buy FRAX for less than a dollar and burn it to get 1$ value in USDC+FXS. Thus, the price will go higher.
  • If FRAX/USDC > 1$ → it is profitable to mint FRAX with 1$ value of USDC+FXS and sell it to get more value in USDC. Thus, the price will go lower.
1. Death spiral thought experiment
If the FRAX V1 collateral ratio decreases to, let's say, 75%, then the state of the protocol will become dangerously similar to the failed Titan/Iron. Thus, there is a risk of a bank run on the FRAX V1 protocol.

The FRAX V2 protocol is a more complex case and is beyond the scope of this article.
2. Ponzi thought experiment
What happens if you try to peg FRAX to an index that goes up 20% per year?

The price will fall below the peg and this will drive the collateral ratio to 100%. But the peg will continue to rise so users will have to pay more USD per 1 FRAX. Thus, older users will be able to burn their FRAX for an increased amount of collateral at the expense of newer users.

There is a possibility that the last holders will not be able to withdraw any funds at all. Consider an example:

  1. The peg and the price are at 1$ and the collateral ratio is 100%.
  2. User №1 mints 200 FRAX for 200$.
  3. The peg and the price increase to 2$.
  4. User №2 mints 100 FRAX for 200$.
  5. Total FRAX supply is 300, total pool value is 400$.
  6. User №1 burns 200 FRAX for 400$.
  7. Total FRAX supply is 100, total pool value is 0$.
  8. Now user №2 can't burn any FRAX since there are no funds left in the pool.
3. Oracle weaknesses
The Frax protocol uses a Chainlink oracle plus a Uniswap 1-hour TWAP. The FXS price is calculated as the ETH/USD price from Chainlink divided by the ETH/FXS price from Uniswap. This creates an opportunity for arbitrage: if the current FXS price is much lower than the price in the lagging oracle, then it is profitable to buy FXS on the market and burn it to mint and sell new FRAX on the market. This will push the FXS price up and the FRAX price down.
4. Governance attacks
The Frax governance module is forked from Compound, with Frax Shares (FXS) acting as the voting token in the system.

As can be seen on etherscan.io (9 November 2022):

  • FXS price today is $4.61.
  • FXS total supply is 99,822,984 FXS, so the controlling stake (50%) should be 49,911,492 FXS.
  • FXS has a circulating supply value of $303,097,331 out of the fully diluted $550,024,642.
  • FRAX total value is $1,223,556,231.
It may seem that the cost to buy the controlling stake in the governance would be $4.61 * 49,911,492 FXS = $230,091,978, which is four times lower than the entire value of the FRAX stablecoin, but in reality, once the attacker starts to buy such a large amount of tokens from the market, the FXS price will skyrocket and the total amount they need to spend would be much higher.
5. Algorithm-specific questions
FRAX V1 has seigniorage mechanics. As mentioned above, there is a risk that FRAX V1 may repeat the Titan/Iron death spiral scenario.

It should also be noted that there is a risk that some users will not be able to retrieve their funds in case of a bank run. Consider an example:

  1. The collateral ratio is 50%.
  2. User №1 mints 200 FRAX by depositing 100$ in the pool and burning 100$ FXS.
  3. The collateral ratio is 100%.
  4. User №2 mints 100 FRAX for 100$.
  5. Now there are 300 FRAX minted and 200$ in the pool.
  6. User №1 burns 200 FRAX and retrieves 200$.
  7. Now user №2 cannot retrieve their funds since there is 0$ in the pool.
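
Both worked examples for FRAX V1 (the rising peg in the Ponzi thought experiment and the rising collateral ratio above) can be replayed against one toy pool model. This is an added example, not Frax code: the Pool class and its methods are hypothetical, and coverage() is the solvency invariant an auditor or monitor would track.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy model of a FRAX V1-style pool (constructed for illustration)."""
    peg: float = 1.0      # USD value one FRAX is minted and redeemed at
    cr: float = 1.0       # collateral ratio: USDC share of that value
    usdc: float = 0.0     # collateral held by the pool
    supply: float = 0.0   # FRAX in circulation

    def mint(self, frax: float) -> None:
        # The minter deposits the USDC share; the FXS share is burned,
        # so it never becomes pool collateral.
        self.usdc += frax * self.peg * self.cr
        self.supply += frax

    def redeem(self, frax: float) -> float:
        # Redeemers are paid at the *current* peg and ratio, first come
        # first served, until the pool is empty. Returns the USDC paid.
        owed = frax * self.peg * self.cr
        paid = min(owed, self.usdc)
        self.usdc -= paid
        self.supply -= frax
        return paid

    def coverage(self) -> float:
        # Collateral divided by the USDC owed if everyone redeemed now.
        # Below 1.0 the last redeemers cannot be paid in full.
        owed = self.supply * self.peg * self.cr
        return float("inf") if owed == 0 else self.usdc / owed


def rising_peg_run():
    pool = Pool(peg=1.0, cr=1.0)
    pool.mint(200)            # user 1: 200 FRAX for 200$
    pool.peg = 2.0            # peg and price rise to 2$
    pool.mint(100)            # user 2: 100 FRAX for 200$
    before = pool.coverage()
    return before, pool.redeem(200), pool.redeem(100)


def rising_ratio_run():
    pool = Pool(peg=1.0, cr=0.5)
    pool.mint(200)            # user 1: 100$ USDC deposited, 100$ FXS burned
    pool.cr = 1.0             # collateral ratio moves to 100%
    pool.mint(100)            # user 2: 100 FRAX for 100$
    before = pool.coverage()
    return before, pool.redeem(200), pool.redeem(100)


if __name__ == "__main__":
    print(rising_peg_run())    # coverage before the run, user 1 payout, user 2 payout
    print(rising_ratio_run())
```

In both runs coverage is already below 1.0 before anyone redeems, which is the signal that exit order decides who gets paid.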
Rai Reflex Index (RAI)
RAI is an ETH over-collateralized stablecoin with a floating peg.

To mint RAI, a user creates a collateral debt position (CDP) which can become unhealthy in two cases:

  • the price of the collateral (ETH) has drastically decreased;
  • the peg has increased dramatically.
If a user's debt becomes unhealthy, then the collateral is sold at a discount. This gives some guarantee that the value of the stablecoin will not go lower than the value of the locked collateral itself.

RAI relies on arbitrage to stabilize its price:

  • If RAI/USD < peg: it is profitable to buy RAI from the market and burn it to repay the debt.
  • If RAI/USD > peg: it is profitable to mint RAI and sell it for USD in the prospect of a lower price.

The peg is determined by the collateral redemption price. It is constantly changing with a positive or negative rate:

  • When RAI's market price > collateral redemption price: it means that people have more confidence and should be incentivized to mint more RAI to make the price go lower. The collateral redemption price change rate becomes negative. Liquidations are becoming less likely.
  • When RAI's market price < collateral redemption price: it means that people are losing confidence and should be incentivized to burn more RAI to make the price go up. The collateral redemption price change rate becomes positive. Liquidations are becoming more likely.

Here's a visualization from the post of Vitalik Buterin:
1. Death spiral thought experiment
2. Ponzi thought experiment
Can RAI cope with a situation where demand for holding exceeds demand for borrowing? Vitalik Buterin believes that RAI has a good mechanism to deal with such a situation: the RAI floating target can drop over time if the redemption rate is negative. This would be equal to a negative interest rate for holders.
3. Oracle weaknesses
The documentation says that RAI uses Chainlink oracle + Uniswap V2 TWAP to determine the ETH/USD price. The RAI team recognizes that using any oracle can have risks — a risk of collusion, for example. This can be considered an unlikely event.

A price manipulation attack on Uniswap V2 TWAP seems too expensive because of a large amount of liquidity in the ETH/USD pool.

It can be seen that the oracle updates the collateral price about every 1.5 hours, which seems frequent enough for the protocol.
4. Governance attacks
The FLX governance token has a circulating supply of $2,638,736 out of the fully diluted $13,274,844. The RAI stablecoin market cap is $9,916,797.

It will be hard to buy the controlling stake in the protocol since only about 15% of FLX is liquid. Also, the FLX token does not seem to have much governing functionality to date.
5. Collateral questions
The current debt/mint stats can be found on stats.reflexer.finance.
The algorithm proved to be very adaptive even to the bearish market: currently there are no unhealthy positions to liquidate.
MakerDAO's DAI
DAI is a hybrid lending system backed by both centralized and decentralized collateral [*].

Dai is stabilized by multiple mechanisms:

  1. Global settlement expectations: when a global settlement takes place, Dai holders are entitled to the target value of Dai paid in collateral. Expectations of a possible future global settlement push the current price towards the peg.
  2. Stabilizing speculation: speculators re-peg Dai when they expect the price will eventually return to the peg, absent their actions.
  3. Price manipulation by CDP creators: people who issued Dai at the peg have an incentive to repurchase Dai when the price is lower than when they opened their CDP, thus helping to bring the price up. When Dai is trading above the peg, CDP creators may want to create more CDPs. Also, CDPs can be auto-liquidated, which will put upward pressure on the price of Dai.
  4. MKR dilution: a "debt auction" tries to repay the CDP's debt through the MKR dilution. The debt auction buys Dai paying with newly minted MKR. The Dai is burnt to cancel the CDP's outstanding Dai debt. The purpose of the debt auction is to ensure the debt is repaid even if there is insufficient collateral in the CDP to repay it.
  5. Off-chain stabilization: Maker may use off-chain funds from MKR sales to stabilize the price through various means, effectively maintaining buy and sell walls for Dai.
1. Death spiral thought experiment
Can DAI safely wind down? The first thing to notice is that the DAI price cannot fall below 0.5$ since at least 50% of DAI is backed by USD stable assets. Another thing to notice is the number of different price-controlling mechanisms mentioned in the previous section. These mechanisms allow the DAI community to stabilize the price of the coin quite well. But even in the worst-case scenario there is the last-resort mechanism of global settlement: the emergency oracles chosen by MKR holders can stop the protocol to safely unwind all the collateral.
2. Ponzi thought experiment
Thus, it is a hybrid stablecoin.

It has a mechanism of stable-stable minting which can cope with events of the DAI price going higher than the peg.
3. Oracle weaknesses
MakerDAO uses a custom oracle network that should update prices on the blockchain every time they change by 0.5% or more. The resulting price for a collateral is calculated as a median price from different feeds — this helps to filter outliers.

The oracle network has performed well so far and there have been no related hacks.
4. Governance attacks
MKR holders are responsible for governing the Maker Protocol which includes adjusting policy for the Dai stablecoin, choosing new collateral types, and improving governance itself.


Thus, the controlling MKR stake may cost a minimum of $376,431,942. This is 7 times lower than the DAI value in circulation, but that is the minimum an attacker needs to pay for a hostile takeover at the current price. In reality, once the attacker starts to buy such a large amount of MKR from the free market, its price will skyrocket. If the MKR price increases at least ten times, which is quite probable, then there would be no incentive for a hostile takeover.
5. Collateral questions
The DAI collateralization ratio is 137% — which is OK.
The FTX collapse should not influence DAI since FTT is not used as collateral in MakerDAO.

Two years ago there was a case of unpeg due to extreme volatility: DAI collateral was quickly losing its value and users could not return their debt due to increased demand for the DAI stablecoin. No one wanted to mint new coins due to fear of liquidation. The DAI price skyrocketed. The problem was solved by introducing an ability to mint DAI with USDC stablecoin.
Ampleforth
The Ampleforth Protocol targets the CPI adjusted 2019 US dollar and automatically expands or contracts the quantity of tokens in a user's wallet based on price [*].

Rebases are applied every day at 2AM UTC and only if the target deviates by more than deviation_threshold (adjustable, currently 5%).

The Ampleforth protocol's supply changes are proportional and non-dilutive. If a user owns Y% of the network before a rebase, the user will always own Y% of the network unless the user buys or sells more AMPL.

Rebases are smoothed by a sigmoid curve that caps supply changes at its asymptotes. It has shaping parameters that determine: lower asymptote, upper asymptote, and the steepness of the curve (growth rate). These parameters are currently set to -0.1, 0.1, and 3 respectively.
1. Death spiral thought experiment
The chart shows that the AMPL price may swing from 0.22$ to almost $4, but, in time, the algorithm stabilizes the amount of AMPL in circulation and returns its value to the peg.

Technically, even if the price drops to 0.01$, the algorithm will still be able to return the AMPL price to the peg. The only problem is that people may lose money.

Consider an example:

  1. You buy 100 AMPL for 100$.
  2. The AMPL price drops to 0.22$.
  3. To increase the demand, the amount of tokens in your wallet contracts, so you will have, let's say, 10 AMPL.
  4. Now the AMPL returns to the 1$ price.
  5. But you have only 10 AMPL in the wallet.
Such a contraction may cause panic.

An interesting note: FTX Exchange holds $885,212 of AMPL.
2. Ponzi thought experiment
What if the price of the stablecoin goes up? The rebasing algorithm should cope with that problem and proportionally increase the quantity of tokens in a user's wallet, gradually bringing the price down.
3. Oracle weaknesses
Ampleforth uses two decentralized Chainlink oracle networks: a Market Oracle for the current Volume Weighted Average Price (VWAP) of AMPL/USD and a Consumer Price Index (CPI) Oracle to establish the target price of one inflation-adjusted US dollar.

Chainlink data is difficult to manipulate, so we can say that AMPL has no problems with the oracle itself. Judging by the price schedule, the time between price updates is chosen adequately.
4. Governance attacks
Members of the community may vote to execute a script with their FORTH tokens.


The controlling FORTH stake hypothetically may be bought for about $25,729,170. That is a minimum cost — in reality it may increase by multiple times. The minimum cost is not even twice as much as the total AMPL value so there is no real incentive for a hostile takeover.
5. Rebase questions
Is there a possibility of supply overflow or underflow that may lead to DOS?
There is a requirement that totalSupply cannot be more than MAX_SUPPLY [*]:
assert(supplyAfterRebase <= MAX_SUPPLY);
There is no threshold for minimum supply.

In case of an overflow or an underflow, the rebase() method will revert and the supply won't change. This is expected behavior and there is no permanent DOS.
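
The rebase rule described in this section (deviation threshold, sigmoid-capped supply change, MAX_SUPPLY check) as an added sketch; it is not Ampleforth's contract code. The curve is an assumed base-2 logistic that matches the stated asymptotes and growth rate, MAX_SUPPLY is a constructed value, and the function names are hypothetical.

```python
MAX_SUPPLY = 10**12                      # constructed cap for this example
DEVIATION_THRESHOLD = 0.05               # 5%, as stated in the article
LOWER, UPPER, GROWTH = -0.1, 0.1, 3.0    # shaping parameters from the article


class RebaseReverted(Exception):
    """Models the failed assert: the call reverts and supply is unchanged."""


def rebase_percentage(price, target):
    """Supply change as a fraction, bounded by LOWER and UPPER."""
    delta = price / target - 1.0
    if abs(delta) < DEVIATION_THRESHOLD:
        return 0.0                       # inside the band: no rebase
    # Assumed curve: logistic through (0, 0) with the two asymptotes.
    scale = 2.0 ** (-GROWTH * delta)
    return LOWER + (UPPER - LOWER) / (1.0 - (UPPER / LOWER) * scale)


def rebase(total_supply, price, target):
    """Return the supply after one rebase, or raise if the cap is exceeded."""
    supply_delta = int(total_supply * rebase_percentage(price, target))
    supply_after = total_supply + supply_delta
    if not supply_after <= MAX_SUPPLY:   # assert(supplyAfterRebase <= MAX_SUPPLY)
        raise RebaseReverted(f"{supply_after} > MAX_SUPPLY")
    return supply_after


def try_rebase(total_supply, price, target):
    """Caller's view: a reverted rebase leaves the supply where it was."""
    try:
        return rebase(total_supply, price, target), True
    except RebaseReverted:
        return total_supply, False


def holder_balance(balance, supply_before, supply_after):
    # Balances scale with supply, so a holder's share of the network is kept.
    return balance * supply_after // supply_before


if __name__ == "__main__":
    print(rebase(1_000_000, price=2.0, target=1.0))    # expansion, under +10%
    print(rebase(1_000_000, price=0.22, target=1.0))   # contraction, under -10%
    print(try_rebase(MAX_SUPPLY - 10, price=2.0, target=1.0))
```

Because each rebase is capped by the asymptotes, a large deviation is worked off over many daily rebases rather than in one step.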
Conclusion
In this article, we provided a security checklist and used it to analyze several interesting algorithmic stablecoins. You can use the same checklist to analyze pitfalls of other stablecoins, even the most unusual ones (take DYAD, for example). So stay safe and don't fall into a common pitfall!