Alpaca Finance
Published in

Alpaca Finance

A Review of Alpaca Guard During Recent Market Activity, a Potential Exploit in Other Leveraged Yield Farming Protocols, and Advice on Farming Safely in a Bear Market

Humans are emotional creatures. So it can’t be helped that many of them, in particular the less experienced, panic when they see their portfolios dropping in value, and become greedy when they see their balances reaching all-time highs.

In fact, professional traders prey on these predictable sentiments, making the bulk of their income from counter-trading emotional humans. After all, someone has to buy the top and sell the bottom, right? A trade needs to have both a buyer and seller to execute. So let me start off this article by saying one thing to the ALPACA holders: Wake up! You’re not an emotional human! You’re a cool and calm alpaca!

Good. Now that we got that out of the way, hopefully all you brothers and sisters of the herd have cleared your eyes a bit. Because alpacas don’t make decisions with emotion.

Alpacas don’t fall prey to whale manipulation.

Alpacas don’t get fooled by bot armies controlled by llamas.

Alpacas just farm, farm and eat grass happily, since they understand the herd is growing over the long run because the fundamentals are what count.

The fundamentals are why we believe in crypto’s long-term future.

The fundamentals are why when humans were panicking during market drops, we veteran alpacas bought Bitcoin at 30000, at 3000, and at 300.

(This is not investment advice. As stated, alpacas don’t give investment advice. We just eat grass.)

Yesterday was a red day; one in which we got to watch the humans panic first hand as Bitcoin broke down below 30k, and alts all charted double-digit losses. Of course, ALPACA was no exception. As a token for a leverage protocol, ALPACA is in a class of assets that has even higher price volatility due to the possibility of liquidations. However, token price is one thing, and protocol functionality is another. The protocol functioned as intended, as best as a currently-existing leveraged protocol could.

Was it perfect? No. Because perfection isn’t possible in an extreme situation. There are only trade-offs. So let’s talk specifics.

ALPACA price dropped 53% in less than 30 minutes. This is about as extreme a price drop as you can get without a security issue happening. But there was no security issue. This was human panic. This was humans selling the bottom, and patient alpacas buying the dip. For clarification, price has since increased even more from the bottom, up to 86%. Were there liquidations involved? Yes, but a lot less than you’d think.

There were only six digits USD in total position value liquidated yesterday(~900k). Contrast that to the billions lost in the market from liquidations during the same timeframe for a bit of perspective. However, the point of this article isn’t to critique the market. This is a review; a review of the things the protocol(specifically the Alpaca Guard) is doing right, and of the things it could be doing better.

What the Alpaca Guard is Doing Right

“The best managers prevent problems before they happen.”

Anyone with enough workplace experience can vouch for this, and it’s true for protocol security mechanisms such as Alpaca Guard as well, because the best way to solve problems is to prevent them before they become problems, before they can do any damage. After all, doing damage control is much less preferable than having 0 damage in the first place, and that’s what the Alpaca Guard, which is the crux of our liquidation engine, has managed to do.

Some users were liquidated yesterday. For some, they didn’t have a chance to observe the process, but for others, they were frustrated because Alpaca Guard was activated, blocking them from adding collateral to prevent liquidation. As we’ve stated in a previous article, the Alpaca Guard blocks certain functionalities when on-chain prices are off-market to prevent users from trading at bad prices. Yet, the key question is: what would have happened yesterday without the Alpaca Guard? What problem did this manager stop before it could happen?

What would’ve happened without the Alpaca guard is those liquidated would’ve gotten liquidated even faster.

Instead of the price drop happening over a period of 30 minutes, it would’ve likely happened in one 5 minute candle, as a series of chain liquidations occurred to break down price even further. There could’ve been an even worse result in this scenario, which is millions of dollars in bad debt. This isn’t unusual, as it’s an issue many lending platforms have dealt with. Most recently, Venus was exploited for 200 million USD of bad debt in such a scenario.

Alpaca Guard prevented this from occurring, and that was a huge win. Is it possible to stop everyone from being liquidated? No, but it protects as many users as can be protected.

Alpacas are smart, so a few of you may be thinking, ‘Well, it sounds good, but how can you prove it?’

Very simply. Below, I’ll show you an attack vector that could potentially be executed by anyone on any leveraged yield farming platform without a system like Alpaca Guard. This attack can be used to drain lending funds, over and over.

The most important thing to notice here is that, any leveraged farming platform that does not have a system like Alpaca Guard, CAN BE EXPLOITED AND HAVE ITS LENDING VAULTS DRAINED RIGHT NOW.

Hopefully, this article will not double as a pre-mortem, but it’s important that everyone reading understands that security in lending is not a simple task, which is why we spend so much time on it. Anyone can copy code but don’t expect their protocol to protect your funds if they only have one audit and haven’t stood the test of time. Just look at Iron Finance if you need a good reminder of the expected outcome.

Well, let’s get into the specifics. Below is the attack vector that Alpaca Guard protects against:

(Assuming a leveraged farming pair of RTOKEN-BUSD has 1k BUSD + 100k RTOKEN. The RTOKEN/BUSD spot price is 0.01. And for simplicity, assume no swap fee.

1. Attacker swaps 2k BUSD, receiving 66.67k RTOKEN (2,000*100,000/(1,000+2,000)). The pool now has 3k BUSD + 33.33k RTOKEN. The spot price becomes 0.09 which means the attack pumps the market by 9x.

2. Attacker opens a position by supplying 2k BUSD and borrowing 2k BUSD from the lending protocol. The protocol does the optimal swap, so 1,582.58 BUSD swaps to (1,582.58*33.33k/(3,000+1,582.58)) = 11,511.45 RTOKEN; Hence, after the swap, the pool has 3,000 + 1,582.58 BUSD = 4,582.58 BUSD AND 33.33k — 11,511.45 = 21,821.55 RTOKEN. Then, the protocol adds the position’s liquidity to the pool.

The pool now has 4,582.58 + 2,417.42 BUSD and 21,821.55 + 11,511.45 RTOKEN = 7k BUSD + 33.33k RTOKEN (RTOKEN remains the same as the protocol swaps and puts it back to the pool) so the spot price becomes 0.21; the attacker pumped another 2.33x. And the attacker holds sqrt(7,000*33.33k) — sqrt(1k*100k) = ~5265 LPs.

3. Attacker swaps 66.67k RTOKEN back to BUSD, (66.67k* 7,000)/(33.33k+66.67k) = 4,667 BUSD. At this step, the pool now has 2.33k BUSD + 100k RTOKEN. And the position is now worth around ~1,600 BUSD (5625*2.33k/15275) = 858 BUSD, and (5625*100k/15275) = 36,824 RTOKEN = 846.95 BUSD at spot price.


Cost: 2,000 BUSD for manipulating the DEX + 2,000 BUSD for opening the position = 4,000 BUSD

Gross Gain: 4,667 BUSD

Net Gain: 4,667–4,000 BUSD = 667 BUSD drained from the lending vault

ROI On Exploit: ~16.7%

A typical oracle integration will not stop this. If a lending protocol does not have a system like the Alpaca Guard, any attacker can repeat the above attack to drain lenders over and over. Without lenders, there can’t be any borrowers; so this is an all-around protocol-crushing attack.

It’s also important to note that this is only one of the attack vectors Alpaca Guard protects you from. So even if it’s not perfect, it keeps you safe. Having said that, there are places we can improve the protocol and we’ll also be working hard on that.

What the Alpaca Guard Could Be Doing Better

In any platform that offers loans, you always have the risk of bad debt. This is because price can move too fast, faster than a protocol can get a liquidation transaction off to close a position and return borrowed funds. This is why our platform has conservative liquidation thresholds, to create a buffer beyond which this type of volatility can be absorbed.

Some protocols may offer higher leverage but that’s at the cost of increased risk for the lenders. The leveraged positions in these protocols won’t have these safety buffers, so large price moves can and will cause bad debt.

Between our conservative liquidation thresholds and the Alpaca Guard, the risk of bad debt is minimized as much as possible. Can it be eliminated 100%? No. This isn’t possible. If an asset price crashes too quickly, and stays low, there will be bad debt in any lending platform.

Yet, our protocol has managed to limit this risk to the point that even in an extreme scenario like yesterday where price dropped 53% in under 30 minutes, in a situation where other protocols have lost hundreds of millions in similar scenarios, the amount of bad debt created yesterday was almost nothing; amounting to a few hours of interest payments.

To be specific, it was .00006890154 of the lending pools; of the 827,557,600 in lending, a total of 57020 USD, for which we’ve simply added it back into the pools from the portion of lending protocol dev fund fees:

Although it wasn’t a perfect result, as stated before, this was pretty much the best-case scenario with such massive volatility. In addition, there will be multiple features we’ll be working on that will improve our platform further.

1. Allow adding collateral(without borrowing) to leveraged farming positions during Alpaca Guard activation

We’ve already added this into our features backlog since last week. Users have requested it and we’ve listened, finding a way to enable this safely. However, even though we’re already started working on this, adding a feature like this takes time and testing to make sure it’s secure.

We prefer implementing this in the proper way rather than a way that potentially creates a security vulnerability and gets you exploited, which is why our dev team hasn’t finished it yet. We’re working fast though.

2. Stop-loss orders before liquidation

Some users have been asking us for this for a while but this is a difficult problem to implement technically. Under typical circumstances, the protocol would need to hold users’ private keys to conduct transactions for them when they’re not present. In reality, this is more akin to a trading platform than a leveraged yield farming platform.

Yet, we’ve come up with a way to offer this feature to leveraged farmers. The platform will provide an option for farmers to set a stop-loss to automatically close a position if their safety buffer reaches a certain level. This can avoid liquidation. On the protocol side, we’ll build a bot that will be whitelisted as the only entity that can close positions for users like this.

Advice on Farming Safely in a Bear Market

On a final note, I’d like to point out that the market has changed, and pragmatic investors should prepare to change with it if they want to stay in the green.

Pitchforks and torches can’t keep your farm safe unless you’re in the mob chasing Frankenstein’s monster.

So let’s face it. A lot of people complain about risk but still engage in liquidity providing in risky protocols. So I have to say, the one with the most control over the safety of your funds — is yourself.

When the market was going straight up, APYs were high enough that people could be careless about where they farmed. Rewards were soaring. Underlying assets were soaring. You could stake anywhere and profit. Even if you took a loss from a rugpull, it was only coming from your previous profits. Now, it’s time to recognize — those days might be gone.

At the moment, depending on who you ask about the crypto market, the best answer they may give is that the trend direction is unclear. Many might even say that we’re in the beginning of a bear market.

In such a market, yield farming on long-only protocols(which almost all are) will likely not be profitable at all, let alone if your funds get drained through an exploit. Capital preservation becomes paramount. However, I won’t urge you to take safer yield farming positions on Alpaca while shorting or hedging, but I do at least recommend reigning in the greed a bit.

Don’t be someone who’s unwilling to shed tears until you see a coffin; or in this case, an empty crypto wallet.

Security should be the first priority, though most people don’t learn this until they’ve suffered. Still, I believe this will become more clear as DeFi matures. People can get away with risky investments in a bull market. In a bear market, you’ll need to make wiser choices of where you invest your funds if you hope to survive the winter. Luckily, if you’re an alpaca, you should already know that, and you’ve got all that wool to keep you warm.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store