keep-network/tbtc

Collateral level below 200% may be insecure

Closed this issue · 6 comments

Or more precisely, it lowers the security level to that of an honesty assumption (i.e. node owners don't steal because stealing is wrong, as opposed to a profit-maximizing assumption), which is vulnerable to the sybil attack.

For simplicity, assume there are no other nodes.

  1. Obtain full control over one 3-of-3 signing group (either via a sybil, or by cooperating with the other randomly chosen signers).
  2. Accept 1 BTC as a deposit; 150% of its value is locked in ETH.
  3. Wait for the depositor to generate fungible tBTC.
  4. Borrow that tBTC in DeFi.
  5. Sell the borrowed tBTC.
  6. Steal the BTC, lose the collateral.
  7. tBTC is now worth zero, so theoretically it can be bought at ~0 to close the loan.

The total gain in the ideal case is: 1BTC (stolen directly) + 1BTC (from tBTC sale) - 1.5BTC (lost eth collateral) = 0.5BTC.

In a real attack, the actual multiplier depends on how much tBTC is available to borrow and what's the discount after the attack. If it's possible to borrow 50% of the supply, the maximum attack multiplier is 1.5 - if an attacker steals 1BTC, the total absolute loss is going to be 1BTC divided among all tBTC tokens.
Nor is it going to be possible to buy all tBTC after the theft for nothing, so the multiplier becomes smaller.
However, I don't think any precise model to predict the exact secure collateral fraction, one that's smaller than 200%, exists. In the beginning, the risk is going to be highest due to small absolute numbers - even to the point of users lending all tBTC. The 110% liquidation ratio is almost certainly too low.
Additional attack revenue multiplier could be obtained by shorting defi tokens of dapps that would collapse if tBTC rapidly lost a large fraction of its value, or even buying options on tBTC (if available in the future), or buying insurance on vulnerable defi dapps.

I propose an increase of the liquidation ratio from 110% to 150%, 200% as the target collateral ratio, and 175% as the pre-liquidation ratio. In other words, add +50% due to the borrowing attack risk.
Eventually, once usage patterns mature, the fraction of borrowable tBTC is going to be known empirically, making it possible to quantify the risk more precisely.

P.S. #118 (recursive backing) would make this attack easier to execute, as it decreases the effective collateralization ratio
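The attacker economics sketched in this comment, as an added worked model (not code from keep-network/tbtc, and not the reporter's): it computes the attacker's net gain from stealing a deposit of D BTC when a fraction f of the tBTC supply S can be borrowed and sold beforehand, and derives the break-even collateral ratio c = 1 + f that the 150%/200% figures come from. The `Scenario` names, the `burn`/`auction` settlement flag and the sample numbers are assumptions made here; `burn` models collateral being destroyed (so every tBTC loses value), `auction` models the collateral being sold for tBTC so the remaining supply stays backed.

```python
"""Attacker-economics model for the borrow-then-steal scenario in this issue.

Added example; not part of keep-network/tbtc. All names and numbers below
are assumptions chosen to illustrate the comment's reasoning.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    deposit_btc: float          # D: BTC the colluding signing group can steal
    supply_btc: float           # S: total tBTC supply before the theft, in BTC
    borrowable_fraction: float  # f: share of S the attacker can borrow and sell
    collateral_ratio: float     # c: ETH collateral per deposit, in BTC terms (1.5 == 150%)


def tbtc_value_after_theft(s: Scenario, settlement: str) -> float:
    """Value of one tBTC (in BTC) once the stolen deposit has been settled."""
    if settlement == "burn":
        # Collateral is destroyed, so the D BTC hole is spread over the whole
        # supply (the comment's "1BTC divided among all tBTC tokens").
        return max(0.0, 1.0 - s.deposit_btc / s.supply_btc)
    if settlement == "auction":
        # Collateral worth c*D >= D is sold for tBTC, which is burned, so the
        # remaining tokens stay fully backed and the peg holds (assumption).
        return 1.0
    raise ValueError(f"unknown settlement rule: {settlement}")


def attacker_profit(s: Scenario, settlement: str) -> float:
    """Net BTC gain: stolen deposit + short profit - forfeited collateral."""
    borrowed = s.borrowable_fraction * s.supply_btc
    price_after = tbtc_value_after_theft(s, settlement)
    stolen = s.deposit_btc
    short_gain = borrowed * (1.0 - price_after)      # sold at par, rebought cheaper
    lost_collateral = s.collateral_ratio * s.deposit_btc
    return stolen + short_gain - lost_collateral


def breakeven_collateral_ratio(borrowable_fraction: float) -> float:
    """Smallest c at which the burn-settlement attack is no longer profitable.

    Under burn settlement profit = D * (1 + f - c), so profit <= 0 iff c >= 1 + f.
    With everything borrowable (f = 1) that is 200%; with half (f = 0.5), 150%.
    """
    return 1.0 + borrowable_fraction


if __name__ == "__main__":
    # The comment's ideal case: single deposit is the whole supply, all of it borrowable.
    ideal = Scenario(deposit_btc=1.0, supply_btc=1.0, borrowable_fraction=1.0, collateral_ratio=1.5)
    print("burn, 150%:", attacker_profit(ideal, "burn"))        # 0.5 BTC, as in the comment
    print("auction, 150%:", attacker_profit(ideal, "auction"))  # -0.5 BTC: attack loses money
    print("break-even c for f=0.5:", breakeven_collateral_ratio(0.5))
```

The `burn` branch reproduces the 0.5 BTC gain computed in the comment and goes to zero exactly at c = 1 + f; the `auction` branch is the case the later replies describe, where the short leg earns nothing and the attacker simply forfeits collateral worth more than the deposit.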

You don't need to go through steps 4 or 5 to execute an attack like this- it's a similar dynamic to shorting "outside" of a proof of stake network. I agree that the general class of attack exists.

The other side of this particular scenario is that signers are permissioned at launch, and will actually be more trustworthy in the short term. When the signer set is opened up fully I'd expect a little bad behavior at the beginning, before slashing kicks in.

Speaking of which- that's the other piece that's missing here. Any signer that is malicious and steals funds is going to lose their minimum staked work token, ~$12k at launch. I think the above attack with aborts rather than fraudulent signatures is the highest EV, but it should be far less profitable as you need to either wait for an ETH/BTC drop or manipulate the price feed.

Interested in your thoughts here. We've left the collateral parameters modifiable by the privileged key for this exact reason.

steal BTC, lose collateral.
tBTC is now worth zero, so theoretically, it can be bought at ~0 to close the loan.

Hmmm… Is this true? In the simple scenario described here, TBTC is worth an increasingly large amount of ETH after the theft, starting at the original collateralization ratio, as the signer collateral goes up for auction. In general, theft of backing BTC could increase the value of TBTC, because it's overcollateralized (though it's possible this would already be priced in).

EDIT: This isn't strictly true ^^ because the max minted amount of TBTC is less than the amount it would take to take* the auction. This presents an incentive to open a new deposit, get more TBTC, and close the auction. The complexity spirals a bit, and I don't have time to dig all the way in right now, so very well may have missed something 😁

This type of attack definitely depends on ETH either dropping quickly or a manipulated feed.

Another thing to think about @nootropicat - liquidation doesn't start at 110% at the current parameters, it starts hours after 125% due to the courtesy call. So ETH has to drop 1/5 relative to BTC within 6 hours for this to be possible without feed manipulation.

Anyway, I guess what I'm saying is- this is a known attack. Rationale for actually changing the collateralization is best served with historic price data or models. As this is a governable value, we could start high and ease off at launch- but without analysis we're just picking numbers out of the air.

@mhluongo:
@Shadowfiend:

Hmmm… Is this true? In the simple scenario described here, TBTC is worth an increasingly large amount of ETH after the theft, starting at the original collateralization ratio, as the signer collateral goes up for auction. In general, theft of backing BTC could increase the value of TBTC, because it's overcollateralized (though it's possible this would already be priced in).

Sorry - it's my mistake. I read the tBTC whitepaper some time ago and when writing this issue was absolutely certain it worked like in REN, where the collateral is burned (except for small bonus for the informer), thus, pegged tokens lose value. I should have read the whitepaper again to confirm the 'remembered' details before writing it.
I agree the 150% ratio is safe if collateral is auctioned.

Awesome, thanks for following up! Potential security issues like this are always welcome for discussion, and we'll be publishing more formal reporting guidelines and such in the coming days. Appreciate your filing the issue in the first place 🙇