--- title: Hard-coded price oracles in lending author: "Prevert" date: "2024/07/28" description: post tags: Lending --- # How (un)safe are hard-coded price oracles in lending? ## Non-technical summary - Hard-coded price oracles are good for borrowers, as their positions are shielded from market price fluctuations. Additionally, they protect against price manipulation attacks. - In isolated markets with pegged assets in which the price is hard-coded to 1, nothing serious happens if the price depegs but fluctuates above the max loan-to-value (LTV) + the liquidation bonus rate given to liquidators. There is no bad debt and borrowers cannot exploit the protocol. - Example: max LTV + bonus rate = 0.87 + 0.03 $\rightarrow$ the price must stay above 0.9 for a safe depeg. - If the price falls below this threshold, the market is still safe if the depeg is brief. The creation of bad debt is temporary and cleared up when the price repegs. - In the contrary case, the longer and the larger the depeg, the higher the loss borne by the protocol. - Even if the price repegs eventually, some positions may create bad debt due to accumulated interest rate unmatched by collateral in positions which couldn't be liquidated during the depeg episode. - Overall, hard-coded prices are not fit for volatile asset pairs but appear an interesting trade-off in markets in which the probability of permanent depeg is low. - For instance: the stETH/ETH market, or in RWA lending markets, like USD0/USDC, where collateral is backed 1:1 by US T-bills ring-fenced off-chain in banks. ## Introduction We see a recent trend of more lending markets hard-coding price oracles. A prominent example is Maker/Spark using a hardcoded oracle for the USDe/DAI vault on Morpho. Aave also assigns a fixed 1:1 pricing for the stETH/ETH pair when calculating wstETH collateral value. Hard-coded price oracles prove to be a superior system for borrowers, as it prevents liquidation in the event of a flash crash. This may encourage borrowers to take out larger loans and pay higher interest rates to lenders. Additionally, it protects the protocol against price manipulation attacks. However, some questions remain. To what extent is the protocol at risk of bad debt? And can borrowers exploit the depeg to increase the loss inflicted on the protocol? ## Hard-coded price oracle There are two assets, a collateral asset in quantity $C$ in an isolated lending market, and a loan asset in quantity $S$. The total amount $B$ is borrowed up to the max loan-to-value (LTV) $l$ applied to total collateral or total supply: $$ B < \min(lC,S) $$ Here, the price of the collateral relative to the loan asset is hard-coded to $1$, but the market price can be lower: $$ p \leq 1 $$ ## Price depeg Suppose the market price of the collateral asset depegs: $p<1$. Is the protocol at risk of bad debt? Can borrowers exploit the depeg? There really are two cases: the price stays above the max LTV: $p > l$ ('small depeg') and the price depegs below the max LTV: $p \leq l$ ('large depeg'). ### Depeg above max LTV In the case $p > l$, the lending market stays afloat. Its net worth is: $$ pC - B > 0 $$ which is positive since $B \leq lC$. Collectively, borrowers cannot borrow more than what the max LTV allows, which is still low enough to prevent the creation of bad debt. At the individual level, borrowers can borrow higher amounts if liquidity is available, but not to a point they generate a loss to the market. How much more they can borrow? When the market price is equal to the hard-coded price ($p=1$), users can deposit \$1 of collateral and loop-borrow up to: $$ l + l^2 + l^3 + ... = \dfrac{l}{1-l} $$ When the market price is below the hard-coded price ($p< 1$), they can loop borrow with \$1 deposited up to: $$ l/p + (l/p)^2 + (l/p)^3 + ... = \dfrac{l/p}{1-l/p} > \dfrac{l}{1-l} $$ which is more than what they could borrow without the depeg, as \$1 of borrowed asset buys more collateral. But whatever the amount they are allowed to borrow, they are still limited by the max LTV, even with a hard-coded price. ### Depeg below max LTV In the case $p \leq l$, things get more serious. The lending market may now suffer a loss: $$ pC - B \leq 0 $$ since total borrow can be higher than collateral value at market price ($B \geq pC$) and still remains below allowed amount ($B \leq lC$). Borrowers could in theory loop-borrow an infinite amount just with \$1: $$ l/p + (l/p)^2 + (l/p)^3 + ... $$ which is unbounded. In practice, the maximum they can borrow is the supply: $B = S$. The bad debt is maximized in this scenario: $$ pC - B = p \dfrac{S}{l} - S = \Big( \dfrac{p}{l} - 1 \Big) S \leq 0 $$ The maximum loss rate for every \$1 lent, is proportional to the size of the depeg: $$ \dfrac{p-l}{l} $$ As an illustration, suppose the max LTV is $80\%$ and the price depegs to $0.7$. The maximum loss rate is $-0.1/0.8=-12.5\%$. Borrowers make a profit and find profitable to borrow the whole supply. The analysis stops here if the depeg is permanent. But what if the price repegs? Does a bad debt still remain in the market? ## Price repeg ### Small depeg In case of a 'small depeg', the market goes back to its previous state. It was still solvent with the depeg and becomes healthier with the repeg. Borrowers who were constrained by the max LTV during the depeg can't be liquidated after the repeg. ### Large depeg In case of a 'large depeg', let's consider the worst-case scenario in which the entire supply is borrowed: $B = S$. In this scenario, the bad debt vanishes entirely when the price returns to the max LTV ($p=l$): $$ pC - B = \Big( \dfrac{p}{l} - 1 \Big) S = 0 $$ In addition, the market returns to full solvability if the market price goes back to $1$: $$ pC - B = \dfrac{1-l}{l} S > 0 $$ Borrowers who maxed out their borrow during the depeg are still solvent after the repeg. ## Liquidations with fixed oracle price Borrowers can still be liquidated with a fixed price oracle if the accrued interest rate of their position grows their debt above the maximum amount. But the liquidation process can be hindered by the depeg. Suppose a user deposits the collateral in quantity $c$ and borrows the maximum amount $b$ allowed by the max LTV: $$ b = lc $$ The position should be instantly liquidated with the first dollar of interest rate. A liquidator would normally step in, market-buy the loan asset in quantity $b$, pay back the loan and sell back an equivalent amount of collateral asset $\hat{c} = b/p$ plus a bonus $\alpha \hat{c}$ kept by the liquidator, with $\alpha \in (0,1)$. The whole process is profitable if the collateral seized by the liquidator covers the cost: $c \geq (1+ \alpha) \hat{c}$, or: $$ b/l \geq (1+ \alpha) b/p $$ or: $$ p \geq (1+ \alpha) l $$ It becomes apparent that interest-based liquidations are muted if the price depegs below the max LTV or remains above but close to it, as there are not enough incentives for third-party liquidators to step in. As an illustration, suppose the max LTV is 87% and a minimum bonus of 2% is necessary for liquidators to clear out insolvent positions. The price could depeg but should stay above $1.02×0.87$ $=0.89$. Alternatively, it could depeg below this threshold but not for too long. The longer the price stays below it, the higher the risk that insolvent positions gradually build up with accrued interest. ## Comparison with flexible price oracles If the price depegs but stays above the max LTV, the protocol remains solvent. Borrowers are not liquidated regardless the oracle price is hard-coded or not. A lower collateral price makes it easier for borrowers to loop-borrow and max out the supply in the two systems. Alternatively, the whole supply could be borrowed without any looping with no difference. Market-determined and fixed price feeds are equivalent here. If the price depegs below the max LTV, borrowers close to the max LTV are liquidated with a market-determined price oracle while they are not with a fixed price. The first system preserves the solvability of the market whereas the second one allows borrowers to exploit it and create bad debt. Borrowers are incentivized to borrow the whole supply, which maximizes the loss for the protocol. The higher the depeg below the max LTV, the higher the loss. However, if the market price goes back above the max LTV, the bad debt is automatically cleared up in the fixed-price system whereas liquidations can't be reversed in the variable-price system. In the case the price depegs below the max LTV or stays above but close to it, individual positions which becomes insolvent due to accumulated interest rate cannot be liquidated by third-parties. The DAO could decide to liquidate itself the positions and take the loss, unless it expects the price to rapidly repeg. Note that a similar problem arises with market-determined price oracles. ## Conclusion Hard-coded prices appear an interesting trade-off in isolated markets where the probability of a permanent depeg is low and the maximum LTV is properly set. This applies to the stETH/ETH market, where the collateral is backed by the same quantity of ETH custodied by node operators. It also applies to RWA lending markets, where every dollar of collateral is backed 1:1 by US T-bills. While the price may temporarily fluctuate below parity, even below the maximum LTV, the 1:1 external backing of the collateral ultimately keeps the protocol safe. However, a depeg below the max LTV should not be too long to prevent the gradual accumulation of insolvent positions . See also: - [Tweet version](https://x.com/pr3vert/status/1817967811794522621) - [MonetSupply](https://x.com/MonetSupply/status/1775949243527962890)'s tweet thread - Sébastien Derivaux's [post](https://cryptobanking.network/money-view-of-the-makerdao-morpho-ethena-drama/)