The Long and Short of Aave

By Riyad Carey and Anastasia Melachrinos

Subscribe to Kaiko’s research newsletter here.

Lending and borrowing in DeFi follows the same basic principles as it does in traditional finance: I supply some asset as collateral and I am able to borrow a certain amount of some other asset. However, this being DeFi, there are some important differences from TradFi. The most important is that the protocol has no way of knowing how trustworthy I am, and thus will require any loan to be overcollateralized. The next is that the process is entirely automated by smart contracts, which can create compounding complexity and avenues for exploits. Because all of the activity happens on chain, Kaiko’s lending and borrowing data allows us to conduct in-depth investigations and see broader trends on these protocols, of which Aave is the largest.

The Basics

Users are incentivized to deposit their funds into lending and borrowing protocols with what is known as a supply or earn APY. This will fluctuate based on what percentage of the deposited funds are being borrowed, known as a utilization rate. When the utilization rate is high, both the supply and the borrow APYs will increase, encouraging users to deposit more of the asset while discouraging more borrowing in an attempt to find equilibrium.

On Aave, each asset that can be used as collateral has what is known as a Loan-to-Value ratio. For more volatile assets, the LTV is lower, 72% in the case of stETH and wBTC, meaning that I could borrow 0.72 ETH for 1 ETH worth of deposits. Stablecoins are (hopefully, usually) less volatile and thus have higher LTVs; USDC’s LTV is 87%.

Assets also have liquidation thresholds that, when breached, allow liquidators to repay the loan on behalf of the borrower and buy their collateral at a discount. For example, if I deposited ETH and borrowed wBTC against it, I could be liquidated if the price of ETH decreases or the price of wBTC increases, or both.

Strategies

There are two basic long and short strategies on Aave and other similar protocols. For example, in the long case, I could deposit ETH, borrow USDC, and then use that USDC to buy more ETH (I would get liquidated if the price of ETH dropped). For a short, I could deposit USDC, borrow ETH, and if the price of ETH drops I will profit by having less debt (I get liquidated if ETH goes up). These strategies are often seen in the data, as supply and borrow APYs increase with greater utilization of an asset.

Below are the average supply APYs for the five largest lending/borrowing assets on Aave V2.

USDT has generally had the largest supply APY, but it spiked in Q4 as the Avraham Eisenberg, the same individual involved in the Mango Markets exploit, attempted to short it by borrowing over $150mn worth of USDT against USDC collateral. WETH’s high supply APY in Q3 could be due to increased shorting around the Merge.

CRV Exploit

Eisenberg recently attempted an exploit of Aave that can be better explored using Kaiko’s new lending and borrowing data. Below is a log of all of his wallet’s transactions on Aave leading up to and following the exploit attempt.

The exploit began with a $39mn deposit of USDC and 8 borrows of CRV over the next week, worth a total of $10mn. Ultimately he deposited $63mn of USDC and borrowed $43mn worth of CRV. This functioned as a large short of CRV, and on-chain observers were quick to identify the wallet and destination of the borrowed CRV: the centralized exchange OKX, ostensibly to dump the token and drop its price. There was some additional speculation that Eisenberg was targeting Michael Egorov, CEO of Curve Finance, who was supplying over $45mn of CRV on Aave V2 with a liquidation price of $0.26.

Unfortunately for Eisenberg, CRV’s price held well above this liquidation price, and actually spiked, putting his position above the liquidation threshold. The spike in price coincided with Curve’s reveal of the whitepaper for crvUSD, its new stablecoin, raising a few eyebrows regarding the timing of the announcement. The largest wave of liquidations — requiring bots to repay Eisenberg’s CRV loan to receive the USDC collateral at a discount — began before CRV’s leg up from $0.6 to $0.7, and took over 45 minutes to complete because of a lack of CRV liquidity on Ethereum DEXs.

When the dust cleared, Aave was left with 2.64mn CRV tokens, more than $1.5mn USD, in bad debt. Had there been more CRV liquidity on Ethereum DEXs it is possible that liquidations could have been more efficiently processed and Aave may not have suffered any loss.

Given that we don’t have insight into Eisenberg’s CEX accounts, it’s impossible to know the true goal of these transactions and whether or not it was profitable. As detailed here, the original exploit he alluded to involved pumping the price of an illiquid token, and it’s possible that he took a long CRV position on a CEX.

What’s Next for Lending and Borrowing Protocols?

Kaiko Research has written extensively about the lack of liquidity across markets, on November 17 noting that Aave “paused borrowing of certain tokens, including BAL, BAT, CVX, DPI, REN, and ZRX. However, it still allows for borrowing of 1INCH, CRV, ENJ, ENS, MANA, SNX, UNI, and YFI. 2% market depth for all of these tokens has been cut in half, making them all significantly easier to manipulate and increasing the risk for any DeFi protocol offering lending, borrowing, or leverage on altcoins.”

Following the exploit, Aave took action to freeze many assets, including CRV, YFI, LUSD, and MKR. Governance then passed a proposal to unfreeze and instead pause borrowing (while still allowing them to be used as collateral) of CRV, 1INCH, sUSD, GUSD, USDP, LUSD, DPI, and MKR.

Taken together, all of the assets that Aave has paused or frozen have accounted for just over $1.6bn of borrows YTD.

For context, borrows of USDC alone had hit $1.6bn by the end of January. YTD, over $13bn of USDC and close to $9bn of ETH have been borrowed from the protocol.

So, while it may seem concerning that so many assets are being paused on Aave V2, these lower liquidity assets are not that important to the protocol from a pure numbers perspective.

Additionally, it appears that Aave V3 will be rolled out in the next few weeks. V3’s technical paper lays out a number of features, including Isolation Mode. This means that if a user supplies a token which has been designated for isolation, they will not be able to use any other assets as collateral and will only be able to borrow stablecoins up to a debt ceiling determined by governance. This would not have prevented the most recent exploit, but will allow for easier, and hopefully safer, listing of more volatile assets.

As far as risk management goes, V3 will enable Aave governance to create borrow and supply caps for assets and reduce the borrowing power of any asset. As discussed above, stablecoins are the most popular borrowed assets on Aave, and borrow limits likely won’t be as restrictive on USDC, USDT, and DAI due to their lower volatility and higher liquidity. The limits introduced should be more effective at preventing exploits related to riskier, less liquid assets. It will also allow governance to put an entity (a DAO, for example) in charge of a certain asset, enabling it to change risk parameters without having to take an Aave governance vote.

Thus the pausing of assets on Aave V2 serves a dual purpose: reducing risk and preparing users for the transition to V3. While there will surely be vulnerabilities in V3 that will be exposed as exploits become even more sophisticated, the new risk management features should eliminate the attack vectors that have been exposed in recent months.