Key Takeaways
Risks and Mitigations
We define the set of market risks faced by users of the Aave protocol and analyze the mechanisms that the Aave protocol uses to ensure that it stays solvent.
Simulation Methodology
We explain our methodology for agent-based simulations of the Aave smart contract and define the key scenarios for stress testing.
Results and Analysis
We detail the results of these simulations, providing actuarial assurances for the conditions under which the Aave protocol is insolvent.
Recently, we published a formal analysis of the financial risk to participants in the Aave V1 and V2 protocols. The report expounds on methodology minutiae and specific results of our research. This post is an abbreviated version designed to communicate the key findings.
Background
The Aave protocol is one of the largest liquidity protocols on Ethereum. It allows users to trustlessly supply and borrow cryptoassets on Ethereum; active borrowers who are willing to pay interest have access to pools of cryptoassets of suppliers who seek yield on their savings. At the time of writing, Aave has over $10 billion in TVL. With growth of this scale, mitigating financial and market risks is increasingly important as billions in customer funds are on the line.
Within decentralized finance (DeFi), borrowing protocols have four main risk factors:
- Security risk
- Governance risk
- Oracle risk
- Market risk
The report and this post will focus on market risk, but for completeness of presentation, we will discuss how the Aave protocol addresses these other risks.
Security risk concerns the correct execution of smart contract code that stores supplied assets, manages borrowed assets, and liquidates uncollectable liens. Such risks are assessed by cybersecurity code auditors who focus on ensuring that the implementation of the contract exactly matches its high-level specifications. Aave V1 was assessed by a number of auditors including OpenZeppelin and Trail of Bits, while V2 also included additional coverage via formal verification from Certora as well as audits from MixBytes, Peckshield CertiK, Consensys Diligence, and SigmaPrime.
Governance risk, on the other hand, deals with management related issues such as administrator mismanagement, poor voter participation, and concentration of voting power. The Aave protocol proposes changes through the Aave Improvement Proposals (AIP), which is voted on by the community.
Oracle and market risk are concerned with the precise pricing and liquidation mechanisms within the lending contract. Overcollateralized protocols like Aave rely on price oracles that convey asset prices external to the blockchain to the protocol. These are used for marking the value of outstanding liens and estimating which ones are in default. Manipulation of oracle price feeds can force the protocol to liquidate liens that are not in default, causing a loss of customer funds. As Aave uses Chainlink oracles, which have a variety of partial security analyses, all analysis within this report assumes negligible oracle risk.
It is important to note that oracle attacks have occurred numerous times in DeFi, including at Compound, but as of the writing of this article (Apr. 2021), Chainlink has avoided catastrophic issues.
Defining Market Risks
There are four primary sources of market risk within the protocol:
- Extreme downward price movement: Shocks to market prices of collateral that cause the contract to become insolvent due to under-collateralization
- Asset illiquidity and liquidator inaction: Loss of liquidity in an external market place, leading to a liquidator being disincentivized to liquidate defaulted collateral
- Cascading liquidations: liquidations lower external market prices which in turn lead to further liquidations (i.e. a deflationary spiral)
- Slashing of the safety module: Insolvency of the safety module due to extreme events where multiple collateral types concurrently fail to be liquidated
How do we test if the Aave protocol can be resilient to each of these market risks? Simulated stress tests!
Simulated Stress Tests
The main tool that we use to perform simulation-based stress tests on Aave’s Ethereum smart contracts is agent-based simulation (ABS) ABS has been used in a variety of stress test contexts, including to estimating censorship in cryptocurrency protocols, detecting fraudulent trading activity in CFTC exchanges,and stress testing frameworks from the European Central Bank and the Federal Reserve. These simulations, while powerful, can be difficult to make both useful and accurate as model complexity can make it hard to match experimental results. Careful design, tuning, and infrastructure architecture can help avoid these pitfalls and has made ABS invaluable in industries such as algorithmic trading and self-driving car deployment.
Please take a look at our report to learn more about our simulation environment!
Many elements of our simulation are designed to study the aforementioned market risks.
Extreme downward price movement
We use a multi-asset correlated Geometric Brownian motion (GBM) to simulate price trajectories.The two most important aspects of this model are asset volatility and asset correlation. In order to properly simulate market capitulation and extreme price drops, we train models on historical data with various volatility regimes. Figure 1 is the price of ETH on Black Thursday with the cumulative liquidation value on the Aave V1 protocol. Both the price path and the delay in liquidations are key inputs to our simulation.
With the abundance of cryptoassets available on the Aave protocol, it is important to quantify and understand asset correlation, which can give insight into possible contagion and correlated liquidation and insolvency risk.
Asset illiquidity and liquidator inaction
Asset illiquidity can lead to liquidator inaction because the liquidator will need to give up large amounts of profit to trade out of collateral and borrow asset positions.
In addition, extreme network congestion will also lead to liquidator inaction. In order to simulate gas congestion and transaction delay, we construct modified and truncated normal distributions from 3 month trailing gas price data. At each time step in the simulation, we sample from the probability distribution to define the liquidator behavior. As we increase ETH volatility in our simulations, we also increase the mean, standard deviation, and skew of the gas price distribution. Below are the daily gas percentile curves for February 2021 and generated gas curves.
Cascading liquidations
The deflationary spiral that can occur as a result of large liquidations is reproduced in our simulation by training market impact models. These models are trained on order-book (for centralized exchanges) and AMM (for decentralized exchanges) data. After a trade occurs (i.e. selling of liquidated collateral), we capture the impact that it has in the short-term and long-term.
Two factors that can affect the market impact are asset volatility and the size of the trades. We define the scaled liquidity of an asset as the total collateral on the protocol divided by the average daily traded volume of the asset. This is a snapshot of the market characteristics of each of the assets on Aave V2 in March 2021.
Slashing of the safety module
The Aave protocol has a safety module denominated in the native AAVE token which serves as a backstop for protocol insolvency. Yield seeking investors can purchase AAVE, stake (lock) it within an insurance pool, and earn a pro-rata portion of AAVE rewards (currently 550 AAVE per day). If an Aave market reaches a state where its liabilities (outstanding liens) are greater than its assets (collateral), then the AAVE safety module covers the shortfall of all markets voted by the community.
Our assumptions for safety module slashing are very conservative: we only consider the staked Aave safety module and do not use the liquidity provided by the 80/20 Balancer pool. In addition, we make the assumption that most centralized liquidity will disappear in a slashing event. In simulation, whenever there is an insolvency on the protocol, we sell Aave into the market and model the impact with only DEX liquidity.
Metrics
We will first define metrics that will help us answer these questions in a quantitative manner. Insolvent account: Any account where the total borrow value in USD is larger than the total collateral value in USD.
- Net insolvent value: This is the difference between the total borrow value in USD and the total collateral value in USD of an insolvent account.
- Net insolvent value percentage: When looking at a single account, this is the net insolvent value of the account at the end of a simulation run divided by the total collateral value of the account at the beginning of the run. When looking at the entire protocol, this is the sum of the net insolvent value of all accounts divided by the total collateral value of all accounts.
- Asset net insolvent value percentage: This is the sum of net insolvent value divided by the total collateral value pro-rata supply percentage for all accounts that supply a given asset as collateral. Because of the many-to-many nature of collateral and borrowed assets on the Aave protocol, attributing insolvency statistics to specific assets can be convoluted.
- Slashing run percentage: This is the percentage of simulation runs that end with greater than 1% of the total value (in Aave) of the safety module slashed to cover insolvencies and with greater than 10% drop in total value (in USD) of the safety module.
Results
Our baseline results for almost 6000 simulation runs showed that the protocol is resilient based on our metrics (<1% net insolvent value percentage of the entire protocol and <5% net insolvent value percentage of every asset). Figure 8 displays the net insolvent value percentage of each asset in our initial simulation runs.
The initial simulation runs also serve to identify which assets’ parameters could have the largest impact on the health of the protocol. We chose YFI to study the impacts of various borrow parameters and liquidation parameters.
Figure 9 shows that the insolvent value percentage is monotonic in both loan-to-value and volatility scalar, as one intuitively expects.
Figure 10 shows that the choice of liquidation threshold is only important at high enough volatilities: at low volatilities, changes to the threshold do little to change net insolvent value.
Figure 11 is a graph of YFI asset net insolvent value percentage as a function of correlated asset volatility and liquidation bonus. Note that this measures the likelihood of correlated cascades (e.g. the y-axis is the volatility of an asset highly correlated to YFI with different liquidity levels). This figure illustrates that correlated assets admit a `safe region’ in terms of liquidation bonus where net insolvent value stays relatively low. Unlike the previous figure, we see that there is a much stronger dependence on liquidation threshold even at lower volatility scalars.
Figure 12 is the total collateralization of the Aave protocol as a function of correlated asset volatility and liquidation bonus. Note that the total collateralization ratio of the system is inversely related to the net insolvency value at high volatility levels when the liquidation bonus is above 115%.
Finally, this Figure 13 is the percentage of simulation runs that ended with significant slashing (>1% Safety Module sold and >10% decrease in USD value). Note that we only observe significant slashing at high liquidation bonus and volatilities and that there is a `safe region’ of moderately sized liquidation bonuses.
In section 6.3.1 of the formal report, we give a more mathematical explanation for why the liquidation bonus has this relationship with protocol safety.
Conclusions
In this report we conducted a market-risk assessment of the Aave protocol via agent-based simulations run against the Aave contracts.
We stress-tested the liquidation mechanism under a wide range of market volatility and sizing scenarios to ensure that the protocol can prevent borrowers from becoming under-collateralized in most of these cases.
We also used historical market data from centralized and decentralized cryptocurrency exchanges to ensure that assumptions about volatility and slippage are representative of real-world conditions.
We found that the protocol can withstand aggressive borrowing parameters even in extreme asset volatility and network congestion situations. However, variations in the liquidation bonuses of the protocol lead to more drastic and unexpected results, and liquidation bonus should not be the primary tool used to adjust protocol-wide market risk.
We also studied the relationship between borrower behavior as a result of borrowing parameter adjustments to understand the returns of both AAVE holders and lenders on the Aave protocol as a result of parameter changes. As market conditions change, the optimal parameters and suggestions will need to dynamically shift as well.
Our results suggest that monitoring and adjustment of protocol parameters is crucial for reducing risk to lenders and slashing in the safety module.
(Special thanks to Hsien-Tang Kao, Nick Cannon and Tarun Chitra for their help on this post)
Research