# API3 IDO incident - Post Mortem

## Summary

* The first auction of the API3 IDO was settled at a clearing price of $0.56 (equal to the 4th lowest limit price set by the API3 team’s sell step function). Given supply and demand at the time, the intended “fair” clearing price for this batch would have been $0.98 [[1](https://gnosis-dev-dfusion.s3.amazonaws.com/data/mainnet_dev/best-ring-solver/results/2020-11-30/instance_5355804_2020-11-30T13%3A05%3A36.478727920%2B00%3A00/solution-graph.html)]. All successive batches cleared at the intended prices.
* This is a serious incident that caused the API3 team to raise ~$680,000 less in proceeds from the sale (~5% of total proceeds). The address buying the tokens at the cheaper price resold them shortly after at a price of ~$1, taking most of the profit (see the timeline section for trade information).
* The malicious solution did not violate any limit prices and only matched orders by the API3 team and by the account submitting the solution. Investors buying the token were not affected by the settlement. Tokens were later resold at a price ~5% above the intended initial clearing price.
* The malicious solution exploited a limitation in the optimization criterion of Gnosis Protocol which Gnosis publicly disclosed in February 2020 [[2](https://github.com/gnosis/dex-docs/blame/de4e8dbcbfd19bbdb4be4e5ad5de775bbb1ffbdc/docs/devguide03.md#L255), [3](https://github.com/gnosis/dex-docs/blame/de4e8dbcbfd19bbdb4be4e5ad5de775bbb1ffbdc/docs/devguide03.md#L238)]. It circumvents one of the main features of Gnosis Protocol (fair distribution of trading surplus between maker and taker), allowing a user to “take” other orders exactly at their limit price. That strategy is not risk free, as it makes the malicious trader vulnerable to bad counter trades.
* Throughout the remainder of the sale, the API3 team raised >$14M with a total surplus of $1.45M more than their limit orders specified. We believe that on other popular trading protocols this value would likely have been captured by frontrunners/arbitrageurs.

## Details

For more background on the optimization criterion used in Gnosis Protocol, please read section _“Solution Valuation”_ of this [guide](https://docs.gnosis.io/protocol/docs/devguide03/).

Before the auction started, EOA [0x9cde](https://etherscan.io/address/0x9cdea12621a2ac04b80cd60afbf7eff364afa305) created and listed 24 fake ERC-20 tokens (FT1 … FT24) on Gnosis Protocol. Valid for the first batch of the IDO (Batch ID 5355804), they placed orders offering to sell FT24 for FT23, FT23 for FT22, and so on, all at an extremely low limit price. They also placed orders selling USDC for FT24 and selling FT1 for API3, thus creating a long transitive order (cf. image below) from USDC to API3. They also placed an order selling OWL for FT24, which is needed for the GP protocol fee. They crafted a solution clearing all trades (USDC -> FT24, … FT2 -> FT1) at $1 and selling the final hop (FT1 -> API3) at $0.56. This created a transitive price from USDC to API3 of $0.56, which was exactly the 4th lowest limit price the API3 team specified.

![Fake token tunnel](https://i.imgur.com/aggmZvx.png "fake token tunnel")

The reason that the smart contract considered this solution “better” than the best one found by a benign solver is that each hop between fake tokens creates a lot of _utility_. The user was offering to sell FT_x for FT_y at a price of basically $0, yet they received a price of $1. This generates a lot of surplus for them (referred to as utility, one of the major factors in the optimization criterion): almost $1M in utility per fake token. Since the entire supply of fake tokens was owned by the creating account, no other trader could fill any of these intermediate trades in isolation. Thus the whole utility could only be “unlocked” by including all 24 fake token orders.
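To make the scoring argument above concrete, here is an added Python model of the batch (it is not Gnosis's solver or contract code). It keeps only the part of the criterion that matters for the incident: an order's utility is its surplus over its own limit price, valued at the solution's price for the token it buys (USD here instead of OWL). Fees, the OWL order and the disregarded-utility term of the real criterion are left out. The order book is constructed for illustration: four team sell orders at limit prices $0.50 to $0.56, one investor bid, and a 24-token ring owned by a single account; the amounts, the `single_owner_tokens` check and all names in the block are assumptions, not data from the page.

```python
"""Simplified model of Gnosis Protocol v1 solution scoring (added example).

An order's utility is its surplus over its limit price, valued at the
solution's price for the token it buys. Amounts and limits are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_TRADES_PER_BATCH = 30  # gas-limit bound on trades per batch (from the post-mortem)


@dataclass(frozen=True)
class Order:
    owner: str
    sell_token: str
    buy_token: str
    sell_amount: float     # most of sell_token the owner will give
    min_buy_amount: float  # least of buy_token acceptable in return for all of it

    @property
    def limit_price(self) -> float:
        """Minimum units of buy_token per unit of sell_token."""
        return self.min_buy_amount / self.sell_amount


def execute(order, prices, sell_fill):
    """Fill `sell_fill` units of the order at the batch's uniform clearing
    prices; returns (sold, bought) and rejects fills that breach the limit."""
    if sell_fill > order.sell_amount * (1 + 1e-9):
        raise ValueError(f"over-filled order of {order.owner}")
    bought = sell_fill * prices[order.sell_token] / prices[order.buy_token]
    if bought < sell_fill * order.limit_price * (1 - 1e-9):
        raise ValueError(f"limit price violated for order of {order.owner}")
    return sell_fill, bought


def objective(fills, prices):
    """Score a solution: total surplus over limit, valued in USD at the
    solution's own prices. Enforces the trade-count bound and that every
    token is conserved (amount sold == amount bought)."""
    if len(fills) > MAX_TRADES_PER_BATCH:
        raise ValueError("too many trades for one batch")
    total, net = 0.0, defaultdict(float)
    for order, sell_fill in fills:
        sold, bought = execute(order, prices, sell_fill)
        total += (bought - sold * order.limit_price) * prices[order.buy_token]
        net[order.sell_token] -= sold
        net[order.buy_token] += bought
    unbalanced = [t for t, x in net.items() if abs(x) > 1e-3]
    if unbalanced:
        raise ValueError(f"tokens not conserved: {unbalanced}")
    return total


def single_owner_tokens(orders):
    """Solver-side sanity check (assumed, not a protocol rule): tokens whose
    whole order book belongs to one account can only ever be cleared against
    that account's own orders, which is the shape of the fake-token ring."""
    owners = defaultdict(set)
    for o in orders:
        owners[o.sell_token].add(o.owner)
        owners[o.buy_token].add(o.owner)
    return {t for t, s in owners.items() if len(s) == 1}


# Constructed order book for one batch (amounts and limits are illustrative).
TEAM_LIMITS = [0.50, 0.52, 0.54, 0.56]  # USD per API3; $0.56 is the 4th lowest
team_orders = [Order("api3_team", "API3", "USDC", 412_500, 412_500 * p)
               for p in TEAM_LIMITS]
investor = Order("investor", "USDC", "API3", 1_000_000, 1_000_000 / 1.10)

fake = [f"FT{i}" for i in range(1, 25)]            # FT1 .. FT24
TINY = 1e-12                                        # "practically zero" limit
ring_orders = [Order("0x9cde", "USDC", "FT24", 924_000, TINY)]
for hi, lo in zip(fake[::-1], fake[::-1][1:]):      # FT24->FT23 ... FT2->FT1
    ring_orders.append(Order("0x9cde", hi, lo, 924_000, TINY))
ring_orders.append(Order("0x9cde", "FT1", "API3", 924_000, TINY))


def benign_solution():
    """Investor matched against the cheapest team orders at $0.98."""
    prices = {"USDC": 1.0, "API3": 0.98}
    fills, api3_left = [(investor, 1_000_000)], 1_000_000 / 0.98
    for o in team_orders:
        fill = min(o.sell_amount, api3_left)
        if fill > 0:
            fills.append((o, fill))
        api3_left -= fill
    return objective(fills, prices)


def ring_solution():
    """USDC routed through the fake tokens at $1 each, API3 bought at $0.56:
    every hop books ~$924k of utility although nothing of value changes hands."""
    prices = {"USDC": 1.0, "API3": 0.56, **{t: 1.0 for t in fake}}
    fills = [(o, 924_000) for o in ring_orders]
    fills += [(o, o.sell_amount) for o in team_orders]
    return objective(fills, prices)


if __name__ == "__main__":
    all_orders = team_orders + [investor] + ring_orders
    print(f"benign objective: {benign_solution():,.0f} USD")
    print(f"ring objective:   {ring_solution():,.0f} USD")
    print("single-owner tokens:", sorted(single_owner_tokens(all_orders)))
```

Scoring the two candidate solutions puts the ring's objective more than an order of magnitude above the benign one even though the ring moves no value, which is why an objective-only ranking accepts it. The ring plus the four team orders also fits exactly within the 30-trade bound, leaving no room for the investor. The `single_owner_tokens` check returns precisely FT1 … FT24, the same set the benign solvers deny-listed by hand in the timeline below.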
In summary, their solution contained:

* The 4 lowest API3 sell orders
* Selling USDC for FT24
* 24 orders selling FT_n+1 for FT_n
* Selling FT1 for API3
* Selling OWL for FT24 (needed for the protocol fee)

Due to Ethereum’s block gas limit, Gnosis Protocol can only settle up to 30 trades in a single batch. In the above solution there was no room to include any other orders (the number of fake tokens was likely chosen to ensure that). Thus no-one else was able to benefit from the low clearing price.

Below we can see the winning solution using the large ring of fake tokens (creating a total utility of >22M):

<div>
<img src="https://i.imgur.com/j1E68qM.png" alt="Malicious Solution" style="width:700px;" align="top" />
</div>

In comparison, this is the best solution by a benign solver (&lt;5M utility) and the “intuitive” matching when intersecting supply and demand on the 2-dimensional orderbook for this batch.

<div>
<img src="https://i.imgur.com/LA8gg73.png" alt="Best Benign Solution" style="width:45%;" align="top" />
<img src="https://i.imgur.com/TmQjnQi.png" alt="2 Dimensional Matching" style="width:45%;" align="top" />
</div>

## Timeline (30.11.2020)

* 11:00 UTC - Gnosis Team notices listing of >20 fake tokens on the exchange (by wallet address 0x9cde...)
* 11:20 UTC - Gnosis Team determines this is a potential attempt to exploit the IDO and reaches out to the API3 team to warn them about it. The team decided to continue with the sale and try to take preventative measures such as resubmitting orders with slightly different prices. This would have made the attack much harder to pull off, as the presumably precomputed optimal solution would no longer have been valid. The team was unable to complete the preventative measures in time.
* 12:00 UTC - The fake tokens and the lister’s address are “deny-listed” by benign solvers
* 12:45 UTC - 0x9cde places orders connecting the fake tokens to USDC and API3 ([tx](https://etherscan.io/tx/0xf686bd0b46c1ebfac231fa359fc600cd79b58afffe4709ae8c97151666f32393))
* 13:00 UTC - The IDO starts
* 13:05 UTC - 0x9cde submits a solution for the first batch utilizing their fake token ring, clearing the first auction and buying 1.65M API3 tokens at $0.56 ([tx](https://etherscan.io/tx/0xd5886ea9b9ba62755c33d68246642798b6daeecdd8bac22111c5afe18af223f4))
* 13:11 UTC - The second batch (and subsequent ones) is cleared at $1.06 by a benign solver ([tx](https://etherscan.io/tx/0xba8f4b339a67ee038d08d924efd76a65ef3372cd96496d1e9c70d3857f237741))
* 13:40 UTC - 0x9cde moves the API3 tokens to other addresses and resells them on Mesa
* 14:20 UTC - 1.35M of the 1.65M API3 tokens have been resold to investors at roughly 5% above the price at which they should have been sold in the first batch (average price $1.04 - see [this list for trade information](https://docs.google.com/spreadsheets/d/1c_lQjG527C7WnRnbNJHTW2X00w9qbOwPOvsdLtZaHjU/edit#gid=0))

## Potential Countermeasures/Next Steps

* The strategy applied here does not come without risk: low limit prices between fake tokens transitively also lead to a very low limit price between USDC and API3 and thus open the door to very unfavorable trades. Effectively, the solution submitter was willing to sell 924k USDC for as little as 2e-18 API3 tokens. Thus their order could have been countered by postponing all but the highest API3 sell order by one batch. In this case, batch 5355804 could have been used by the team to sell little to no tokens for $924k. This eventually reduces to a cat-and-mouse game (who gets to update their order last before the batch closes) and is as such not a practically recommended strategy.
* It is likely that the malicious solution was manually constructed beforehand and tailored to the specific limit prices, which were known in advance. We suppose that a minor last-minute change in the sale structure (e.g. increasing some limit prices by 0.1%) or not releasing the exact prices before the sale starts would have rendered their solution invalid.
* We have been working on revising the optimization criterion in the development of [GPv2](https://forum.gnosis.io/t/should-gnosis-build-gnosis-protocol-v2/741/8) to address this limitation. Given the immutability of the v1 contracts, the criterion of the already deployed version cannot be adjusted by us or anyone else, for that matter.