Authored by smart contract auditors Ashley & Bill.
Maintaining protocol stability and security is important in the rapidly evolving landscape of decentralized finance (DeFi).
Among the various mechanisms that ensure the integrity of DeFi protocols, borrowing fees and redemption fees play critical roles. This article delves into why these fees are indispensable, particularly within the context of the Satoshi Protocol — a revolutionary stablecoin protocol backed by Bitcoin.
What is Satoshi Protocol
Satoshi Protocol is a revolutionary “universal” stablecoin protocol backed by Bitcoin. It allows users to deposit BTC and LST as collateral to mint the stablecoin $SAT on the Bitcoin mainnet and multiple L2s.
Introducing Borrowing and Redemption Fees
Satoshi Protocol is built upon the robust foundations of CDP, a well-established mechanism of issuing stablecoins backed by collateral. Satoshi Protocol implements borrowing fees and redemption fees, which are integral to maintaining the protocol’s stability and security.
Borrowing Fees
When users leverage their collateral to borrow $SAT, they incur a one-time borrowing fee. This fee is calculated based on the protocol’s baseRate, a dynamically adjusting parameter that reflects recent activity within the system.
For instance, if a user borrows 4,000 $SAT with a baseRate of 0.5%, a fee of 20 $SAT is added to their debt, resulting in a total debt of 4,020 $SAT.
Redemption Fees
Similarly, when users redeem $SAT for the underlying collateral, a redemption fee is applied. This fee is also determined by the baseRate and increases proportionally with the fraction of the total stablecoin supply being redeemed.
For example, redeeming 100 $SAT with a baseRate of 1% would result in a fee, ensuring users receive slightly less collateral after accounting for the fee.
Why These Fees Cannot Be Zero: Ensuring Protocol Security
The introduction of borrowing and redemption fees is not merely a financial mechanism but a crucial security feature. Removing or setting these fees to zero would expose the protocol to several vulnerabilities that could jeopardize its stability and integrity.
We have summarized the following key points based on the article “Delving into the Security Implications of Fee Structure in a CDP Protocol”:
Preventing Zero-Slippage Arbitrage
Without a redemption fee, the protocol could become a zero-slippage swap decentralized exchange (DEX). Large stablecoin holders could exploit the redemption mechanism to perform significant arbitrage trades without incurring substantial costs.
This would lead to excessive redemptions, draining the protocol’s liquidity and forcing borrowers to sell their collateral at unfavorable prices. Additionally, attackers could monitor the mempool for transactions and front-run oracle price updates to gain an advantage.
By redeeming a large amount of $SAT before the collateral price update and selling it afterward, they could exploit the price difference. If successful, this strategy would likely trigger a surge in redemptions. As a result, the total value locked (TVL) of the protocol would decrease, undermining the protocol’s overall security and attractiveness to users.
Mitigating Redemption Fee Manipulation
In the absence of a borrowing fee, users could artificially inflate the protocol’s total debt through large borrowings, subsequently redeeming stablecoins at reduced fees. This manipulation undermines the protocol’s intended fee structure, reducing revenue and potentially destabilizing the protocol.
For instance, attackers could use flash loans to borrow large amounts of $SAT, increasing the total debt, and then redeeming their stablecoins at a lower fee, leaving the protocol with diminished revenue and causing instability for other users.
Deterring Recovery Mode Exploits
One-time fees act as deterrents against attacks aimed at triggering Recovery Mode — a state where the protocol prioritizes restoring its overall health by liquidating positions with collateral ratios lower than 150%.
Without borrowing fees, attackers could use flash loans to borrow a large amount of collateral and then open a large position to manipulate the Total Collateral Ratio (TCR), pushing the protocol to the brink of entering Recovery Mode.
When the protocol enters Recovery Mode, this would allow them to liquidate vulnerable positions, profiting from liquidation rewards while harming other users. Borrowing fees increase the cost of such manipulations, making it economically unfeasible for attackers to execute these exploits.
Real-World Attack Simulation: The Impact of Removing Fees
To better understand the critical importance of borrowing and redemption fees, let’s explore two attack scenarios: one where the redemption fee is removed and another where the borrowing fee is zero.
Scenario 1: No Borrowing Fee
Setup
- The protocol currently has a total value locked (TVL) of 20 million.
- The price of the collateral (e.g., Bitcoin) is $60,000 initially.
- User A opens a position by depositing collateral worth $100,000 and borrowing 80,000 $SAT. This gives User A a collateral ratio (CR) of 125%.
- The total collateral ratio (TCR) of the protocol is currently 155%.
Exploit Process
- Mempool Monitoring
- An attacker monitors the mempool for an incoming oracle price update that will decrease the price of collateral from $60,000 to $59,500.
- Flash Loan and Borrowing
- Before the oracle update occurs, the attacker uses a flash loan to borrow a large amount of collateral (about 1.79 million).
- The attacker opens a position with a collateral ratio of 110% without incurring any borrowing fee. This borrowing action drives down the total collateral ratio (TCR) from 155% to 150%, bringing the protocol to the edge of Recovery Mode.
- Oracle Price Update
- The oracle updates the collateral price to $59,500. This price drop reduces the value of all collateral within the protocol, causing the TCR to dip below the 150% threshold. As a result, the protocol enters Recovery Mode.
- In Recovery Mode, positions with a collateral ratio (CR) below the new total collateral ratio (TCR) are vulnerable to liquidation, even if the CR is above the minimum collateral ratio (MCR). This means that User A’s position, which now has a CR of approximately 123% after the price drop, becomes eligible for liquidation.
- However, there is a cap on the amount of collateral that can be seized from a liquidated position. The liquidator can only receive up to 110% of the debt value in collateral.
- Liquidating User A’s Position
- With the protocol now in Recovery Mode and User A’s position eligible for liquidation, the attacker proceeds to liquidate User A’s position.
- Due to the liquidation cap, the attacker can seize collateral worth up to 110% of User A’s debt. For User A’s debt of 800,000 $SAT, the attacker can seize collateral valued at 880,000 $SAT.
- Repaying Flash Loan and Attacker’s Profit
- After liquidating User A’s position and claiming the collateral, the attacker closes the position and repays the flash loan used to initiate the attack.
- The difference between the collateral seized and the debt used for liquidation represents the attacker’s profit.
Cost Analysis
- Flash Loan Fee Cost: Assuming a typical flash loan fee of 0.09%, borrowing $1.79 million in collateral via a flash loan would cost approximately $1,611.
- Borrowing Fee Cost: In this scenario, the borrowing fee is set to zero, allowing the attacker to avoid additional costs when borrowing $SAT.
- Profit from Exploit: After liquidating User A’s position, the attacker gains $8,000 ($88,000 - $80,000). Subtracting the flash loan fee ($1,611), the attacker’s net profit is $6,389. If other vulnerable positions can be liquidated, the attacker could increase their profit even further. However, if the protocol had a 0.5% borrowing fee in place, the attacker’s cost would increase by $8,950. This combined cost of $10,561 would exceed the potential profit, eliminating the financial incentive for such an attack.
Outcome
- The attacker successfully pushes the protocol into Recovery Mode and liquidates User A’s position.
- User A loses a portion of their collateral despite having maintained a healthy CR before the attack.
- The protocol suffers from reduced trust and stability, as such exploits can drain the system’s liquidity, harm users, and reduce the total value locked (TVL).
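The following model is an added example, not Satoshi Protocol code. It replays Scenario 1 with the setup figures (User A: $100,000 collateral, 80,000 $SAT debt) and computes the borrowing fee rate at which the liquidation gain no longer covers the cost. The function and field names are hypothetical, and the borrowing fee is applied to the $1.79 million position size, as in the cost analysis above.

```python
# Added model of Scenario 1 (not Satoshi Protocol code). Amounts in USD / $SAT.
from dataclasses import dataclass

CCR = 1.50      # Recovery Mode threshold from the article (150%)
LIQ_CAP = 1.10  # liquidator receives at most 110% of the debt in collateral


@dataclass
class Position:
    collateral: float  # USD value at the pre-update oracle price
    debt: float        # $SAT


def simulate(tvl, tcr, attacker, others, price_factor, flash_rate, borrow_rate):
    """Return TCR after the update, liquidation gain, and net result."""
    system_debt = tvl / tcr + attacker.debt
    tcr_after = (tvl + attacker.collateral) * price_factor / system_debt
    gain = 0.0
    if tcr_after < CCR:  # Recovery Mode: positions with CR < TCR are liquidatable
        for p in others:
            value = p.collateral * price_factor
            if value / p.debt < tcr_after:
                gain += min(value, LIQ_CAP * p.debt) - p.debt
    flash_fee = attacker.collateral * flash_rate
    # The article's cost analysis applies the borrowing fee rate to the
    # $1.79M position size; the model keeps that basis.
    borrow_fee = attacker.collateral * borrow_rate
    return {
        "tcr_after": tcr_after,
        "recovery_mode": tcr_after < CCR,
        "gain": gain,
        "net": gain - flash_fee - borrow_fee,
        # Smallest borrowing fee rate at which the attack stops paying.
        "break_even_borrow_rate": max(0.0, (gain - flash_fee) / attacker.collateral),
    }


def scenario_1(borrow_rate):
    attacker = Position(collateral=1_790_000, debt=1_790_000 / 1.10)  # CR 110%
    user_a = Position(collateral=100_000, debt=80_000)                # CR 125%
    return simulate(20_000_000, 1.55, attacker, [user_a],
                    59_500 / 60_000, 0.0009, borrow_rate)


if __name__ == "__main__":
    for rate in (0.0, 0.005):
        r = scenario_1(rate)
        print(f"fee {rate:.2%}: TCR {r['tcr_after']:.2%}, net {r['net']:,.0f}, "
              f"break-even {r['break_even_borrow_rate']:.3%}")
```

Passing more positions in `others` raises the break-even rate, which is why the fee has to be sized against the total debt that becomes liquidatable in Recovery Mode rather than against a single position.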
Scenario 2: No Redemption Fee
Setup
- The protocol currently has a total value locked (TVL) of 20 million.
- The price of the collateral (e.g., Bitcoin) is $60,000 initially.
- User A opens a position by depositing collateral worth $1 million and borrowing 500k $SAT. This gives User A a collateral ratio (CR) of 200%.
- Assume User A has the lowest CR in the protocol.
Exploit Process
- Mempool Monitoring and Oracle Front-Running
- An attacker monitors the mempool for a collateral price update that will increase the price of collateral from $60,000 to $63,000.
- Before the oracle update occurs, the attacker redeems a large amount of $SAT, knowing that the system will redeem from the position with the lowest CR first. Currently, User A’s position has the lowest CR, making it the target for redemption.
- Forced Reduction of User A’s Position
- The redemption process forces User A to sell their collateral at the current price of $60,000, reducing their position.
- Since there is no redemption fee, the attacker incurs no cost and can profit immediately once the oracle updates the collateral price.
- Oracle Update and Attacker’s Profit
- After the attacker’s redemption, the oracle updates the collateral price to $63,000.
- The attacker now sells the redeemed collateral on the market at the new price, realizing a profit from the difference in value.
Cost Analysis
- Redemption Fee Cost: With no redemption fee, the attacker incurs no cost for redeeming the stablecoins.
- Profit from Exploit: If the attacker redeemed $600,000 worth of collateral at $60,000 and then sold it at $63,000, they would gain a profit of $30,000.
Outcome
- User A’s position is reduced, forcing them to sell their collateral at a less favorable price of $60,000.
- If the attacker repeats this process or if other participants follow suit, the protocol’s TVL could rapidly decline as more positions are targeted for redemption.
- The system could experience a destabilizing effect, with borrowers losing confidence in their positions, leading to a rush to close positions or withdraw collateral.
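The following model is an added example, not Satoshi Protocol code. It replays Scenario 2 with lowest-CR-first redemption ordering and shows the redemption fee rate that absorbs the repricing gain. It assumes $1 of collateral is paid out per $SAT at the stale price and that the fee is withheld from the collateral payout; "User B" is a constructed second position, and all function names are hypothetical.

```python
# Added model of Scenario 2 (not Satoshi Protocol code). Amounts in USD / $SAT.
from dataclasses import dataclass


@dataclass
class Position:
    owner: str
    collateral: float  # USD value at the stale (pre-update) oracle price
    debt: float        # $SAT


def redeem(book, amount, fee_rate):
    """Redeem `amount` $SAT against the lowest-CR positions first.

    Returns (collateral paid out in USD at the stale price, [(owner, debt hit)]).
    """
    paid_out, hits = 0.0, []
    for p in sorted(book, key=lambda p: p.collateral / p.debt):
        if amount <= 0:
            break
        take = min(amount, p.debt)
        p.debt -= take
        p.collateral -= take               # $1 of collateral leaves per $SAT
        paid_out += take * (1 - fee_rate)  # the fee is withheld from the payout
        hits.append((p.owner, take))
        amount -= take
    return paid_out, hits


def front_run_result(book, amount, fee_rate, old_price, new_price):
    """Redeemer's profit once the redeemed collateral reprices to new_price."""
    paid_out, hits = redeem(book, amount, fee_rate)
    return paid_out * new_price / old_price - amount, hits


def break_even_fee(old_price, new_price):
    """Redemption fee rate at which the repricing gain is fully absorbed."""
    return max(0.0, 1 - old_price / new_price)


def sample_book():
    return [Position("User B", 3_000_000, 1_000_000),  # constructed, CR 300%
            Position("User A", 1_000_000, 500_000)]    # article's User A, CR 200%


if __name__ == "__main__":
    for fee in (0.0, 0.05):
        profit, hits = front_run_result(sample_book(), 600_000, fee, 60_000, 63_000)
        print(f"fee {fee:.0%}: profit {profit:,.0f}, redeemed against {hits}")
    print(f"break-even fee: {break_even_fee(60_000, 63_000):.2%}")
```

The break-even rate depends only on the size of the pending oracle move, so it gives a floor for the redemption fee relative to the largest price deviation the oracle can publish in one update.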
Conclusion
As Satoshi Protocol continues to innovate, the importance of robust security measures becomes increasingly evident. Borrowing fees and redemption fees are not mere financial instruments but essential components that safeguard the protocol against malicious exploits.
By introducing costs to borrowing and redeeming, these fees ensure that manipulative actions become economically unattractive, thereby preserving the protocol’s stability and integrity.
In the dynamic world of DeFi, where protocols are constantly under threat from sophisticated attacks, understanding and implementing effective security measures is crucial.
Satoshi Protocol’s adoption of borrowing and redemption fees exemplifies a proactive approach to securing DeFi systems, ensuring long-term viability and trustworthiness in the decentralized financial ecosystem.