Automated trading behavior: debunking the inaccurate claim that Goldfinch is under attack
See spam accounts posting that Goldfinch is under attack? Understanding why algorithmic trading does not pose a threat
TLDR:
- Two Twitter accounts this week shared pictures of normal and expected trades taking place on-chain, next to false and misleading claims that Goldfinch’s Senior Pool is the victim of a flash loan attack.
- After investigation, the Warbler Labs team was able to confirm that the transactions flagged by these Twitter accounts are indeed normal arbitrage trading transactions, which did not negatively affect the funds or liquidity of Goldfinch participants, and are not flash loan attacks.
- In fact, these arbitrageurs are helping balance small differences in the FIDU price on Curve and on the Goldfinch dapp, similar to how arbitrageurs balance the price of ETH across AMMs like Uniswap and Sushiswap. This is entirely expected behavior that was discussed in the original governance proposal.
- Read vetted independent community analyst DeFi Safety’s report rating Goldfinch’s smart contracts amongst the safest in the DeFi industry here, to learn why they stated that Goldfinch has “set the industry standard for front running mitigation and flashloan attack countermeasure documentation.”
The Goldfinch protocol is secure and no user funds are currently at risk. So why have some analyst-bot accounts made false statements that the protocol is under attack?
We deeply appreciate the work that on-chain community analysts, watchdogs, and safety reporters do to protect the community. Along with our bug bounty and frequent audits we keep a close eye on any community reports that are surfaced to ensure legitimate concerns are immediately publicized, investigated, and fixed.
However, because of recent false claims from Twitter accounts, we want to help analysts and the community understand three things: that the transactions flagged as an attack are actually expected behavior that helps normalize the price of FIDU on Curve and Goldfinch, how arbitrage trading works, and how these common DeFi traders have been utilizing the FIDU<>USDC Curve pool.
What is arbitrage trading?
Arbitrage trading is a common investment strategy in which the trader instantly buys and sells an asset to take advantage of a difference in price across two markets.
While the price difference is often extremely small, when multiplied across many transactions it can add up fast. As a result, arbitrage bots, also known as trading bots, were developed to help traders quickly and automatically take advantage of these opportunities.
These completely legal tools have grown in virtually all trading markets. To learn more about the different types of arbitrage trading and how it’s used, read CoinDesk’s article “Crypto Arbitrage Trading: How to Make Low-Risk Gains.”
What is the FIDU Curve pool, and how does it interact with Goldfinch?
Curve is a decentralized exchange, self-described as an “exchange liquidity pool on Ethereum designed for: extremely efficient stablecoin trading, low risk, supplemental fee income for liquidity providers, without an opportunity cost.”
FIDU is a token that represents a Liquidity Provider’s deposit to the Goldfinch Senior Pool. When a Liquidity Provider supplies to the Senior Pool, they receive an equivalent amount of FIDU, which can be redeemed for USDC in the Goldfinch dapp.
Curve provides a decentralized market for users to get liquidity to buy or sell FIDU. Following a successful community governance proposal, the Goldfinch community launched a FIDU<>USDC Curve Pool along with allocating GFI incentives for those who provide FIDU-USDC liquidity on Curve and stake their Curve LP positions on Goldfinch. This helps increase Goldfinch’s interoperability and adoption — you can learn more about it in community member Alvin Hsia’s post.
When Goldfinch Borrowers take loans from the protocol (currently all fully collateralized with off-chain assets), they receive the USDC invested directly by Backers along with Senior Pool capital automatically leveraged at 4x Backers’ investments. FIDU holders with a valid UID may use their FIDU to redeem unutilized or repaid USDC from the Senior Pool, incurring a 0.5% withdrawal fee.
The USDC-FIDU Curve pool provides the Goldfinch community with an additional liquidity option. While Curve has many benefits, including low withdrawal fees, the exchange rate for FIDU on Curve can be lower or higher than it is on the dapp based on the supply and demand of FIDU in the Curve pool. This presents an opportunity for people to buy or sell FIDU through the Curve pool and then buy or sell FIDU through the dapp for a small profit. Oftentimes, these transactions are administered by arbitrage bots. Ultimately, these transactions help the Goldfinch community by bringing the price of FIDU on the dapp and the Curve pool closer to each other.
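The price-balancing effect described above can be checked with a small simulation. This is an added example, not Goldfinch or Curve code: it assumes a constant-product pool as a stand-in for Curve's real invariant, ignores swap fees, gas, UID and liquidity limits, and uses a constructed share price of 1.0 and constructed pool balances. Only the 0.5% withdrawal fee comes from the text.

```python
from dataclasses import dataclass

WITHDRAWAL_FEE = 0.005  # 0.5% Senior Pool withdrawal fee, as stated above


@dataclass
class Pool:
    """Constant-product stand-in for the FIDU<>USDC pool.
    Assumption: not Curve's real invariant; swap fees and gas are ignored."""
    fidu: float
    usdc: float

    def price(self) -> float:
        return self.usdc / self.fidu  # marginal USDC per FIDU

    def buy_fidu(self, usdc_in: float) -> float:
        out = self.fidu * usdc_in / (self.usdc + usdc_in)
        self.usdc += usdc_in
        self.fidu -= out
        return out

    def sell_fidu(self, fidu_in: float) -> float:
        out = self.usdc * fidu_in / (self.fidu + fidu_in)
        self.fidu += fidu_in
        self.usdc -= out
        return out


def no_arb_band(share_price: float) -> tuple[float, float]:
    """Pool prices inside this band leave no profitable round trip."""
    return share_price * (1 - WITHDRAWAL_FEE), share_price


def arbitrage(pool: Pool, share_price: float, step: float = 1_000.0) -> float:
    """Run fixed-size round trips while one is profitable; return total USDC profit."""
    profit = 0.0
    for _ in range(100_000):  # hard cap so the loop always terminates
        buy, sell = Pool(pool.fidu, pool.usdc), Pool(pool.fidu, pool.usdc)
        # Pool cheap: buy FIDU on the pool, redeem in the dapp net of the fee.
        gain_buy = buy.buy_fidu(step) * share_price * (1 - WITHDRAWAL_FEE) - step
        # Pool rich: deposit USDC in the dapp for FIDU, sell that FIDU on the pool.
        gain_sell = sell.sell_fidu(step / share_price) - step
        gain, after = max((gain_buy, buy), (gain_sell, sell), key=lambda t: t[0])
        if gain <= 0:
            break
        pool.fidu, pool.usdc, profit = after.fidu, after.usdc, profit + gain
    return profit
```

Starting the pool below or above the dapp price, the loop stops once the pool price sits inside the band set by the withdrawal fee, which is the convergence the paragraph describes.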
What are these claims, and how does Goldfinch know they are false?
Over the last 30 days, over $1.7M USDC has been repaid to the Goldfinch protocol by Borrowers, providing FIDU holders the opportunity to redeem their FIDU for USDC. These repayments are in addition to the significant number of recent deposits being made to the Goldfinch Senior Pool, which also provide liquidity to the Goldfinch protocol.
Two small DeFi accounts on Twitter made false and misleading claims this week that flash loans are attacking the Goldfinch protocol. While flash loan attacks are unfortunately becoming common across Ethereum, Goldfinch was designed to ensure that flash loans can’t adversely affect the protocol.
As “proof” of these “flash loan attacks,” these Twitter accounts have been sharing transaction records of arbitrage traders performing normal and expected automated trading activity. After investigation, the Warbler Labs team was able to confirm that the transactions flagged by these Twitter accounts are indeed normal arbitrage trading transactions, which did not negatively affect the funds or liquidity of Goldfinch’s Investors, and are not flash loan attacks.
Some industry experts have reached out to advise Goldfinch’s community members that at least one of the accounts making these claims is a bad actor that scam-audits protocols to draw unsuspecting DeFi participants into its Discord. However, we take all claims of attacks or other vulnerabilities on the protocol extremely seriously, and will continue to monitor this situation to ensure that users’ funds are never put at risk.
Where can I go to learn more?
You can learn more about Goldfinch’s smart contract design, along with the protocol’s approach to preventing flash loans, mitigating frontrunning, and other security processes, in the Goldfinch Developer Docs.
Check out vetted independent community analyst DeFi Safety’s report rating Goldfinch’s smart contracts amongst the safest in the DeFi industry here, to learn why they stated that “Goldfinch has also set the industry standard for front running mitigation and flashloan attack countermeasure documentation.”
Participants in Goldfinch can always purchase coverage from industry-leading Nexus Mutual to protect their funds in the unlikely event of a smart contract vulnerability on Goldfinch.
Interested in helping to protect Goldfinch? Take part in the protocol’s $500,000 bug bounty via Immunefi, or apply to work with Warbler Labs, the core development team supporting the protocol’s growth.
Want to get in touch, voice your concerns, or learn more about this? Join our Discord to connect with the community.