Attack vectors in GammaSwap can come from two sources. Price manipulation or yield manipulation.
Price manipulation refers to artificially changing the price of the CFMM pool. E.g. executing large transactions in the CFMM through flash loans.
None. Price manipulation cannot force loans to become eligible for liquidation. The debt and collateral of a loan is measured in terms of liquidity invariant units of the CFMM. By definition, the liquidity invariant unit does not change with respect to the price quoted by the CFMM. The liquidity invariant can only increase (never decrease), from the accumulation of trading fees in the CFMM.
Countermeasure
None needed
Price manipulation can indeed affect transactions in the GammaPool. Lliquidity deposits, withdrawals, or loan transactions such as borrowing, rebalancing, and repaying are dependent on what the ratio of tokens in the CFMM is, which is how the price in the CFMM is defined.
Countermeasure
To counter the effects of price manipulation, transactions can therefore be sent with a price change safety parameter (e.g. minBorrowed, minCollateral, etc.), that sets a tolerable level of price change before a transaction is reverted. That is, if the price changed by a greater amount than set in the safety parameter when executing one of the aforementioned transactions, the transaction reverts.
This attack is a subset of price manipulation attacks. It refers to a situation where most of the liquidity in the CFMM comes from the GammaPool. Therefore, borrowing most of the liquidity from the GammaPool, would leave the CFMM exposed to easily manipulate its price with small transactions. The effects on liquidations of liquidity loans and transactions in the GammaPool are the same as described in the previous section and therefore its risks and countermeasures already covered. However we will now talk about the effects on a liquidity loan’s PnL
None. Since a liquidity loan in GammaSwap is a way to short liquidity and therefore be exposed to profit from price changes, a successful manipulation of the price in the underlying CFMM may indeed generate a positive PnL for a liquidity loan. However, this is assuming the costs of manipulating the price are lower than the PnL of the liquidity loan. This is not possible without passing the cost of manipulating the price to someone outside of the GammaPool. The net effect of changing the price in the GammaPool, without anybody else intervening in the middle to bear the cost and assuming no transaction fees, is the same as purchasing a token in the CFMM pool and spiking up the price with a large transaction done through a flash loan or other means, and then trying to sell the previously purchased token at the higher price along with the proceeds from the large transaction to revert everything to the previous price to be able to pay back the loan. The net effect in the absence of transaction fees is zero. With transactions fees the profit is negative. (Spreadsheet)
Countermeasure
None needed, but in case there’s an externality that allows the passing of the cost of price manipulation through liquidity loans to someone else, the GammaPool has a loan origination fee parameter for newly created loans to charge a fee to disincentivize such behavior. That is the action of borrowing most of the liquidity in the GammaPool (assuming most of the liquidity in the CFMM comes through the GammaPool) and therefore making it easy to manipulate the price through small transactions. A small origination fee charged as a percentage of the liquidity loan, should raise the cost of such attack above zero and therefore make its profit negative rather than zero.
This attack refers to borrowing most of the liquidity from the GammaPool to spike the yield high enough to create liquidations in the next blocks.
It is indeed possible to spike the yield in such a way that would drive loans close to liquidation eligible for liquidation even though they would not become eligible for liquidation under normal market conditions.
Countermeasure
To counter this type of attack the GammaPool limits the total yield charged on liquidity loans to 1,000% APY. This 1,000% APY is reduced to the single block equivalent and charged to the liquidity loans per block. At a yield of 1,000% APY, the yield impact to a liquidity loan is approximately 2.74% per day (1,000% APY / 365). Therefore if a liquidity loan has a buffer of about 3% before it is subject to liquidation, it would take over 24 hours before the loan is subject to liquidation. That is the GammaPool would have to be quoting a yield of 1,000% APY for over 24 hours straight to make these loans eligible for liquidation. Given that a yield this high would represent an impossibly high implied volatility (~800% by our calculations depending on other parameters), the buffer time required and potential profits before loans start being liquidated would incentivize other liquidity providers to provide liquidity to lower the yield, while at the same time incurring a high cost to the attacker, since this attacker would also be paying the 1,000% APY borrowing cost.
Since liquidity borrowers must also pay the CFMM yield to ensure that liquidity providers still earn the same yield as if they had deposited liquidity directly in the CFMM, this attack refers to increasing the yield of the CFMM to generate liquidations in the GammaPool.
Just as with spiking the yield in through increasing the utilization rate, it is indeed possible to spike the yield by increasing the CFMM’s yield through excessive trading in the CFMM just enough to drive some loans to liquidation.
Countermeasure
The countermeasure for this attack is the same as the one used for GammaPool yield manipulation in the previous section. The total yield of the GammaPool (yield from utilization rate + yield from CFMM) is capped at 1,000% APY. Therefore, if there is excessive trading in the CFMM that implies a very large yield, the total yield (utilization rate + CFMM yield) will never be larger than 1,000% APY. The charge a liquidity loan will get is the equivalent one block charge that would correspond to a yield of 1,000% APY. A this rate the length of time it would take to liquidate a loan would be the same as described in the previous section, over 24 hours.
A problem with capping the total yield at 1,000% APY, however, is that the CFMM’s yield might measure over 1,000% APY during a single block. If for example, 1% of the liquidity of the CFMM is traded within a single block and the trading fees are 30 basis points (as they are now in UniswapV2), then that would correspond to a yield of approximately 7,000% APY for that block. The GammaPool however, would only charge up to 1,000% APY in this case. The growth in terms of LP Tokens would be adjusted to reflect this difference. That is it would be written down since the invariant units the CFMM LP tokens represent grew larger in the CFMM than in the GammaPool’s borrowed liquidity part. The GammaPool smart contract is capable of handling this downward adjustment in terms of borrowed LP tokens. However, on the issue of liquidity providers missing out on returns from large trades, it is not a significant issue since the GammaPool’s yield are consistent and measured over time, while such a yield from the CFMM Pool is only measured at the single block level. Over multiple blocks CFMM yields are much lower (20% to 40% APY). Therefore, if the GammaPool is consistently quoting 100% APY, while the CFMM quoted a yield of 7,000% APY in a single block, the GammaPool will still outperform the CFMM since that 7,000% APY the CFMM quoted was only for a single block, not for a significant period of time. Over a significant period of time the CFMM’s yield may only amount to 20% to 40% APY, while the GammaPool’s will have been quoting 100% throughout that whole time period. In the odd case that the CFMM had consistently been quoting 1,000%+ APY, the GammaPool will have been quoting 1,000% APY.
This attack refers to a situation similar to the leveraged price manipulation. In this scenario most of the liquidity of the CFMM comes from the GammaPool and most of the liquidity in the GammaPool has been borrowed, leaving the GammaPool’s borrowed liquidity representing a leveraged borrowed liquidity situation. That means there is more synthetic liquidity (borrowed liquidity) than there is actual liquidity in the CFMM. In this scenario, transactions in the CFMM which pay trading fees would have an outsized effect on the yield charged to liquidity borrowers coming from the CFMM. For example, if 99% of liquidity in the GammaPool exists as borrowed liquidity from the CFMM, then trading fees paid on 1% of the actual liquidity will have the same impact in terms of yield on the other 99% of borrowed liquidity.
The effects on liquidity loan liquidations are similar to the other previously mentioned attacks where the yield is spiked to drives loans towards liquidation.
Countermeasures
The first countermeasure is that the yield from the CFMM cannot be larger than the maximum yield of 1,000% APY. However, assuming that this attack is happening from the effects of leverage of the CFMM’s yield, the second countermeasure is a deleveraging of the CFMM Yield by the amount of leverage existing in the platform. That is the yield of the CFMM tracked by the GammaPool is the same yield seen in the CFMM up until the point where there is more liquidity existing as borrowed liquidity than there is liquidity in the GammaPool as measured by liquidity invariant units.
Since the formula for the yield from the CFMM is the following
CFMM Yield = (cfmmInvariant_1 / cfmmInvariant_0) * (cfmmTotalSupply_0 / cfmmTotalSupply1)
The formula for the deleveraged yield is the following
Deleveraged CFMM Yield = 1 + [(cfmmInvariant_1 / cfmmInvariant_0) * (cfmmTotalSupply_0 / cfmmTotalSupply1) - 1] * (cfmmInvariant_0 / borrowedInvariant)
The above function can be simplified as
Deleveraged CFMM Yield = [cfmmInvariant_1 * cfmmTotalSupply_0 + (borrowedInvariant - cfmmInvariant_0) * cfmmTotalSupply_1] / (borrowedInvariant * cfmmTotalSupply_1)
Although it may seem at first that deleveraging the yield means that a liquidity provider in GammaSwap is earning less yield from the CFMM by providing liquidity in GammaSwap than she would if she were providing liquidity directly in the CFMM, this is actually not the case. If there were no borrowed liquidity, meaning all the borrowed liquidity were actually deposited in the CFMM, the yield from the CFMM would be lower. Deleveraging the yield takes into account this difference. In fact, given that the deleverage only happens when there exists more borrowed liquidity than liquidity in the CFMM, GammaSwap is actually boosting the yield a liquidity provider is earning, since the CFMM yield charged to liquidity borrowers does not take into account the fact that borrowed liquidity is not deposited in the CFMM when calculating the CFMM’s yield, until there is more borrowed liquidity than liquidity in the CFMM.