Understanding Vulnerabilities in Lending and CDP Protocols: A Comprehensive Guide for Web3 Security Professionals

Collateralized Debt Positions (CDPs) are essential in DeFi for enabling asset-backed borrowing and lending, but they also present significant security challenges that require vigilant auditing practices, robust oracle systems, and comprehensive risk management to protect against common vulnerabilities and exploits.

July 17, 2024

Collateralized Debt Positions (CDPs) are a cornerstone of decentralized finance (DeFi), enabling users to leverage assets for borrowing and lending. While they offer significant benefits such as decentralization, scalability, and capital efficiency, CDPs also present unique security challenges. This article explores the intricacies of CDP protocols, the common vulnerabilities they face, and provides a practical checklist for auditors to enhance their security assessments.

Introduction

The rapid growth of DeFi has popularized the use of Collateralized Debt Positions (CDPs), a concept borrowed from traditional finance and first implemented in the DeFi space by MakerDAO with the introduction of the DAI stablecoin. CDPs allow users to lock collateral in smart contracts to borrow assets, typically resulting in the creation of new tokens or facilitating loans. This article delves into how CDPs function, classifies their features, and examines typical security flaws identified through audits and real-world hacks. Finally, we offer a checklist to guide auditors in securing CDP protocols.

What is a CDP?

A Collateralized Debt Position (CDP) is a financial instrument used in DeFi that allows users to lock assets in a smart contract to mint or borrow other assets. CDPs are pivotal in two primary types of DeFi protocols:

  • Stablecoin Protocols: Users lock collateral to mint stablecoins, like DAI in MakerDAO.
  • Lending Protocols: Users borrow assets against locked collateral, as seen in platforms like Aave and Compound.

CDPs provide several advantages:

  • Decentralization: They operate on smart contracts, removing the need for centralized control.
  • Scalability and Flexibility: Various assets can be used as collateral, broadening the range of financial activities.
  • Capital Efficiency: Effective utilization of locked value increases overall system efficiency.

As of now, the Total Value Locked (TVL) in lending and CDP protocols stands at $23.6 billion, surpassing other DeFi categories like liquid staking, decentralized exchanges (DEXs), and bridges.

How CDPs Work

Understanding user interactions with CDP protocols is crucial for grasping their security implications. Here are the main scenarios:

Scenario 1: User Provides Collateral

In DeFi, unlike traditional finance where loans may be unsecured, users must provide collateral worth more than the loan amount to borrow funds. This ensures that the protocol can cover its losses if the collateral's value drops. The collateral-to-debt ratio is known as the Collateral Ratio (CR).

Scenario 2: User Closes Position

To close a borrowing position, the user must repay the borrowed amount plus any accrued interest. Interest rates can be fixed or variable, affecting the overall cost of the loan and the returns to lenders.

Scenario 3: Liquidation of Collateral

If the collateral's value falls below a certain threshold, the protocol triggers liquidation to prevent losses. Liquidation methods include:

  • Instant Liquidation: Selling collateral immediately at market value.
  • Auction Liquidation: Selling collateral through competitive bidding.
  • Partial Liquidation: Selling a portion of collateral to cover the debt.

Liquidation processes ensure the protocol remains solvent and creditors are repaid, often incentivized by a liquidation bonus.
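The collateral ratio from Scenario 1 and the partial liquidation with a bonus described above can be worked through numerically. The following is an added example, not code from the original article or from any protocol; the names liq_threshold, target_cr and bonus and all sample figures are assumptions, and amounts are exact fractions so rounding does not hide errors.

```python
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class Position:
    collateral_value: F  # collateral priced in the debt asset (assumed unit)
    debt: F              # borrowed amount plus accrued interest


def collateral_ratio(p):
    """Collateral Ratio (CR) = collateral value / debt."""
    if p.debt == 0:
        raise ValueError("no debt: CR is undefined")
    return p.collateral_value / p.debt


def partial_liquidation(p, liq_threshold, target_cr, bonus):
    """Return (repaid_debt, seized_collateral, bad_debt) for one liquidation.

    Repaying x removes x of debt and seizes x*(1+bonus) of collateral, so the
    smallest x that restores target_cr solves
        (C - x*(1+bonus)) / (D - x) = target_cr.
    Parameter names are hypothetical, chosen for this example.
    """
    if target_cr <= 1 + bonus:
        raise ValueError("target_cr must exceed 1 + bonus, or liquidating lowers CR")
    if collateral_ratio(p) >= liq_threshold:
        return F(0), F(0), F(0)  # healthy position: nothing to liquidate
    C, D = p.collateral_value, p.debt
    x = (target_cr * D - C) / (target_cr - 1 - bonus)
    # Cap at the full debt and at what the collateral can pay including bonus.
    x = min(x, D, C / (1 + bonus))
    seized = x * (1 + bonus)
    # Debt left over once the collateral is exhausted is a protocol loss.
    bad_debt = D - x if C - seized == 0 else F(0)
    return x, seized, bad_debt
```

With collateral 140, debt 100, a 150% threshold and target and a 5% bonus, the position is restored to exactly 150% by repaying 200/9 of the debt; with collateral 100 against debt 100 the same call exhausts the collateral and reports 100/21 of bad debt, which is the insolvency case an audit of the liquidation path should exercise.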

Scenario 4: User Provides Liquidity

Users can supply liquidity by depositing funds into a pool, earning interest based on the pool’s utilization ratio. This ratio reflects the proportion of borrowed to available funds, influencing the interest rate and liquidity dynamics within the protocol.

Key Features of CDP Protocols

CDP protocols can be classified by various features, which impact their security and functionality:

Collateral Types

  1. ERC20 Tokens: Commonly used due to their liquidity and trading volume, examples include ETH, DAI, and USDC.
  2. ERC721 Tokens: Non-fungible tokens (NFTs) from stable collections like Bored Ape Yacht Club can also serve as collateral.
  3. DEX LP Tokens: Liquidity provider tokens from DEXs represent ownership in liquidity pools and can be used as collateral.
  4. Compound cTokens or Aave aTokens: Tokens received from other DeFi platforms as interest-bearing collateral.

Oracle Types

  1. ChainLink: Popular for its extensive coverage and reliability, providing price feeds for numerous tokens and NFTs.
  2. TWAP Oracles: Calculate prices based on time-weighted averages from specific DEXs, though they may lag in reflecting real-time market conditions.
  3. Virtual Price Oracles: Use ratios of token quantities to determine prices, requiring careful implementation to avoid vulnerabilities.

Market Types

  1. Isolated Markets: Each token pair operates independently, containing risks to individual pairs. Examples include MakerDAO’s DAI and Silo Finance.
  2. Cross-Collateral Lending Markets: Borrowers can use a single collateral type to borrow multiple tokens from a shared pool. Examples include Aave and Compound.
  3. Hybrid Markets: Offer flexible borrowing and depositing but typically restrict collateral to highly liquid, whitelisted tokens.

Interest Rates

  1. Fixed Interest Rate: Remains constant over the loan period, providing stability and predictability.
  2. Variable Interest Rate: Fluctuates with market conditions, often linked to the pool's utilization ratio, offering flexibility but with potential cost variability.

Liquidation Types

  1. Auction Liquidation: Multiple liquidators compete, offering the fairest market-driven pricing.
  2. Full Liquidation: The entire collateral is sold to cover the debt.
  3. Partial Liquidation: Only a part of the collateral is liquidated to settle the outstanding debt.

Collateral Usage

Some CDP protocols allow users to leverage their collateral in third-party platforms for additional rewards, though this introduces extra risk layers.

Analysis of Common Bugs and Notable Hacks

CDP protocols have been frequent targets for exploits, revealing several recurring vulnerabilities:

0VIX Protocol Hack (April 2023)

Issue: The price calculation method used the balanceOf() function, allowing attackers to manipulate prices with a flash loan.

Impact: This led to incorrect price feeds and exploited borrowing conditions.

Euler Finance Hack (April 2023)

Issue: Lack of checks on the health ratio during collateral and debt token issuance allowed users to create unlimited debt.

Impact: Enabled users to manipulate their collateral and debt positions, leading to protocol instability.

ParaSpace Hack (March 2023)

Issue: Manipulation of the total APE tokens locked by the protocol allowed attackers to alter their staking balances using flash loans.

Impact: Resulted in inflated token balances and unauthorized borrowing.

Warp Finance Hack (December 2020)

Issue: Vulnerability in the LP token price calculation formula allowed attackers to manipulate collateral prices using flash loans.

Impact: Led to incorrect collateral valuations and exploitative loans.
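Why a reserve-based LP token price is fragile, and what a manipulation-resistant valuation looks like, shown as an added example (not Warp Finance's code or the article's). It compares a naive sum-of-reserves price with the widely used invariant-based formula 2*sqrt(k*p0*p1)/supply for a constant-product pool; the pool figures, function names and the fee-less swap are constructed assumptions.

```python
from math import isqrt


def naive_lp_price(r0, r1, p0, p1, supply):
    """Sum of current reserves at external prices, per LP token.
    Depends on the live reserve split, which a large swap can skew."""
    return (r0 * p0 + r1 * p1) // supply


def fair_lp_price(r0, r1, p0, p1, supply):
    """2*sqrt(k*p0*p1)/supply with k = r0*r1. A swap leaves k unchanged
    (fees only raise it), so skewing the reserves does not move this value."""
    return 2 * isqrt(r0 * r1 * p0 * p1) // supply


def swap_token0_in(r0, r1, amount_in):
    """Fee-less constant-product swap, used here only to skew the reserves."""
    k = r0 * r1
    new_r0 = r0 + amount_in
    return new_r0, -(-k // new_r0)  # round up so k never shrinks


def pool_price_deviation_bps(r0, r1, p0, p1):
    """Distance between the pool's implied price (r0/r1) and the external
    price (p1/p0), in basis points. A valuation step can refuse to run
    when this exceeds a configured bound."""
    value0, value1 = r0 * p0, r1 * p1  # equal when pool price == external price
    return abs(value0 - value1) * 10_000 // value1


# Constructed pool: token0 priced 1, token1 priced 4, 100 LP tokens outstanding.
R0, R1, P0, P1, SUPPLY = 4_000, 1_000, 1, 4, 100
SKEWED = swap_token0_in(R0, R1, 12_000)  # reserves become (16000, 250)
```

On the balanced pool both formulas return 80 per LP token; on the skewed reserves the naive price reads 170 while the invariant-based price still reads 80, and the deviation check reports 150000 bps, which a collateral valuation should treat as a reason to reject the price.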

Inverse Finance Hack (June 2022)

Issue: Reliance on a small TWAP window allowed attackers to artificially inflate token prices for low-liquidity governance tokens.

Impact: Enabled borrowing against overvalued collateral, causing significant losses.
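How much protection a TWAP gives depends directly on its window, which an auditor can quantify. The following added example (not Inverse Finance's code or the article's) computes a TWAP from timestamped observations, measures how far a single short-lived outlier moves it for a given window, and includes a guard that compares a short window against a longer reference; the feed, the 12-second outlier and all function names are constructed assumptions.

```python
def twap(observations, now, window):
    """Time-weighted average price over [now - window, now].

    observations: (timestamp, price) pairs sorted by time; each price holds
    until the next observation (or until `now` for the last one).
    """
    start = now - window
    if window <= 0 or not observations or observations[0][0] > start:
        raise ValueError("observations do not cover the requested window")
    total = 0
    for i, (t, price) in enumerate(observations):
        t_next = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(t, start), min(t_next, now)
        if hi > lo:
            total += price * (hi - lo)
    return total / window


def outlier_shift(window, outlier_seconds, multiple):
    """Relative TWAP move caused by a price held at `multiple` times the
    baseline for `outlier_seconds` inside the window (0.06 means +6%)."""
    return min(outlier_seconds, window) * (multiple - 1) / window


def min_window_for(max_shift, outlier_seconds, multiple):
    """Smallest window that keeps such an outlier's effect within max_shift."""
    return outlier_seconds * (multiple - 1) / max_shift


def deviates(short_twap, long_twap, max_bps):
    """Guard: flag a short-window price that strays from a longer reference."""
    return abs(short_twap - long_twap) * 10_000 > max_bps * long_twap


# Constructed feed: baseline 100, one 12-second observation at 1000, then 100.
OBS = [(0, 100), (3576, 1000), (3588, 100)]
NOW = 3600
```

On this feed a 60-second window reports 280 while an 1800-second window reports 106, and keeping the same outlier within a 5% move requires a window of about 2160 seconds. The model assumes a flat baseline, so it is a lower bound for reviewing a configured window, not a statement about market depth.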

Checklist for Auditing CDP Protocols

Auditors should consider the following when assessing CDP protocols:

  1. Collateral Management: Verify accurate and secure handling of collateral types and their valuation.
  2. Oracle Security: Ensure oracles provide reliable and tamper-proof price feeds.
  3. Market Isolation: Confirm that isolated markets effectively contain risks within individual token pairs.
  4. Interest Rate Controls: Check that interest rates reflect true market conditions and do not introduce exploitable fluctuations.
  5. Liquidation Processes: Validate that liquidation methods are fair, efficient, and prevent protocol insolvency.
  6. Collateral Usage Risks: Assess the risks associated with leveraging collateral in third-party platforms.

For a detailed checklist, visit: Decurity's CDP Protocol Audit Checklist

Conclusion

The security of CDP protocols is crucial for the stability and growth of the DeFi ecosystem. By understanding the typical vulnerabilities and implementing robust audit practices, we can mitigate risks and foster a safer environment for decentralized financial activities. As DeFi continues to evolve, ongoing vigilance and adaptation are key to safeguarding these innovative financial systems.

Recommendations:

  • Enhance Audit Practices: Regularly update and refine audit methodologies to cover emerging vulnerabilities in CDP protocols.
  • Implement Robust Oracle Systems: Use secure and decentralized oracles to provide accurate and reliable data for CDP operations.
  • Promote Education and Training: Equip developers and auditors with the knowledge to identify and mitigate potential security risks effectively.

For further insights on Web3 security and engagement with top-tier smart contract auditors, join our TRUSTBYTES Discord.


TRUSTBYTES