Web3 house is all about creating decentralized providers and a clear circulation of knowledge. Lending and borrowing, a vital a part of monetary fashions worldwide, have been part of the web3 ecosystem for some time now.
Protocols like AAVE, Compound, and dYdX introduced lending and borrowing to our web3 house beating the normal bank-based loan-taking procedures and limitations. These protocols are the pioneers of decentralized lending & borrowing.
Because the Web3 group grew, lending and borrowing turned very helpful, thus making the TVL(complete worth locked) of those protocols cross billions shortly.
Think about somebody gave you $4 billion to take it later from you. What on the earth would you not do to maintain it secure? Equally, think about how essential the matter of safety is for these protocols. It is so simple as this. There isn’t a lending and borrowing protocol with out safety, and no monetary mannequin can maintain with out such lending and borrowing providers.
As an try to serve the web3 group and educate you about what necessary checks such protocols should undergo to make sure full belief and justice to the customers, QuillAudits, like at all times, is right here that will help you perceive a number of safety checks that must be taken care of earlier than going public. Let’s begin.
Tricks to safe lending and borrowing
On this part, we’ll undergo a number of the necessary elements and providers lending and borrowing have, construct an understanding after which share some recommendations on how they are often made safe. Ultimately, we’ll see some widespread checks that must be ensured. Let’s go.
1. Flash Loans
That is one thing actually attention-grabbing. This mechanism holds the ability of constructing you a millionaire(only for a number of seconds, although), but when used appropriately, it is extremely useful in lots of situations. However what’s it?
Think about this as a youngster. You’re out on a motorcycle to purchase one thing from a store you may have been visiting for a very long time, and the shopkeeper is aware of you. You attain there, you inform the shopkeeper, “Hear, I acquired a plan. I would like some cash. I promise to return it to you earlier than going residence. I simply should make a number of transactions”, however the shopkeeper nonetheless desires some assurance of whether or not he’ll get it again, so he listens to your plan, you inform him “Give me $10, I’ll by apples from A market the place the worth is $5 per apple, and promote it in market B the place the apple value is $7” shopkeeper now assured that the quantity shall be returned to him provides him the cash, and that’s it, you do it and get a good-looking return of $4 and return the $10 to the shopkeeper after which go residence joyful!
That is what Flash Mortgage is, simply with extra added safety. Flash mortgage means that you can borrow an enormous sum of cash, in tens of millions, with none collateral however with one situation: you’ll return all the cash earlier than including a brand new block within the chain(a matter of seconds). However even in seconds, there are enormous purposes for flash loans. Flash loans had been additionally used for a number of the most damaging hacks executed on some protocols in web3. These hacks additionally concerned the working of an oracle. Let’s study oracles from a safety perspective.
Blockchain is a complete new world in itself which is lower from the bodily world information, however with the assistance of oracles, we will bridge the hole between the blockchain information and the bodily world information. Why is that mandatory?
If you concentrate on it, this performs a vital half within the blockchain. Let’s say you create a protocol which supplies insurance coverage to farmers. You draft a contract saying that each month-end farmer will present a premium of $100, and if there’s a temperature above 100 Fahrenheit for 5 days straight, he’s eligible for a declare of $1000 for the lack of his crops. A easy contract that ensures farmers. However how would the blockchain know the temperature was over 100 Fahrenheit for 5 days? Right here is when oracles come into play.
Oracles present precise bodily world information for on-chain calculations and circumstances. Thus, our protocol depends on the correctness of the oracles. You see, computations are sometimes based mostly on sure circumstances whose information is equipped by the oracles. Nonetheless, if this information is corrupted or someway the oracle is compromised, it is going to imply that the protocol has been compromised. And so they have HUGE losses simply as a result of this reality.
For lending protocols to find out the worth of an asset, a value oracle is used to fetch costs both on-chain or off-chain. On-chain oracles have suffered loads of issues that permit value manipulation. Due to this fact these protocols depend on off-chain oracles, like Chainlink, for value reporting. That is safer as a result of costs are fetched from numerous sources (e.g. exchanges) from trusted events. It’s at all times suggested to go for an oracle which is well-known within the web3 house, and their integration within the protocol ought to be correctly taken care of.
3. NFT-based borrowing
We are able to borrow tokens by holding owned NFTs as collateral in decentralised lending and borrowing. The way it works is one occasion retains the owned NFT locked for a hard and fast period of time and, in change, will get a mortgage of the agreed quantity with the agreed-upon rate of interest. Now if the occasion fails to repay the principal + curiosity quantity, the lender receives the possession of the NFT. This technique is equal to holding your land as collateral to borrow, which has existed for therefore lengthy in society.
As mentioned above, the worth oracles wanted ought to be dependable and non-compromisable. Within the case of NFT, the well-known fashions are opeansea/looksrare, So when engaged on this, It ought to be ensured that the worth oracles are from opensea/looksrare.
Some protocols permit altering mortgage/curiosity phrases between the taken mortgage over NFT. If you wish to work on such a characteristic, it is best to verify and work on formalizing how the modifications have an effect on the mortgage/curiosity values after which incorporate it securely.
4. Widespread methods
Within the sections above, we discovered about a number of elements indirectly associated to the protocol. They’re the design and feature-based safety elements which play a serious function within the security-related points in a protocol. Now we’re going to give attention to completely different protocol checks.
CounterTokens:- At any time when a consumer deposits some tokens, he receives aTokens in return, which will be redeemed to the token or used as collateral. These aToken contracts ought to meet with all of the safety-related audits ERC20 tokens undergo.
Mint/Burn:- At any time when there’s a deposit or borrow, there’s a technique of minting and burning aTokens. Be certain to include the logic appropriately.
Slippage fee:- Slippage is the price difference between when you submit a transaction and when the transaction is confirmed on the blockchain. We need to ensure the user cannot manipulate the slippage fee.
Edge cases:- Always test for edge cases in the testing phase of the protocol development, like taking out a huge proportion of an asset from a liquidity pool and see how it behaves etc. To learn more about testing and formal verification, refer to https://blog.quillhash.com/2023/02/16/testing-and-formal-verification/
Lending and borrowing protocol has been a part of the web3 ecosystem for some time, this area was the first to be explored in the web3 space, so it has seen a lot of attacks and hacks. It has worked through that there are continuous new attacks which need to be taken care of by these protocols, and the constant upgrade of such protocols also creates room for attacks.
Big protocols like AAVE also understand the need for security and have outsourced the security responsibility to auditors. QuillAudits has created its name in the web3 security space and, with notable audits, holds expertise in securing some of the most complex and interesting protocols. If you want an audit, visit our website and get your protocol audited today.