terra-money / classic-core

GO implementation of the Terra Protocol
https://www.terra.money

Suggestion of safety limits on swapcoin #79

Closed Hyung-bharvest closed 5 years ago

Hyung-bharvest commented 5 years ago

Reasoning

  1. The current swapcoin function does not have any safety feature to protect against abuse or manipulation of the oracle and swapcoin.

  2. Lack of safety features might result in catastrophic minting with inappropriate exchange rates.

  3. Introduction of safety limits can restrict the magnitude of risk and give time to prevent further manipulations.

Example of possible risk

  1. Oracle script or market price API malfunction which leads to huge distortion of exchange rates -> arbitrageurs abuse the distorted oracle price to make huge gains from swapcoin

  2. Cartelling of oracle voters to distort oracle price resulting in execution of unfair swapcoin

  3. Instant market price manipulation leads to temporarily popped exchange ratio which might lead to excessive minting from distorted market prices.

  4. Frequent abuse of swapcoin might result in an unreasonably strong dilution effect on Luna because of too much minting in a short time.

Suggestion of safety limits on swapcoin

  1. 24h limit on swapcoin minting: a 24h maximum amount of minting of each token by the swapcoin methodology.

  2. Halt mechanism on excessive volatility of Luna: a temporary (24h) halt of the swapcoin method when the percentage change of the oracle price of Luna in 1h exceeds a certain limit.

  3. Above limit parameters should be chosen by governance voting after proper discussion and can be changed also via governance.

dokwon commented 5 years ago

This is a really good suggestion. So there are a couple of reasons why we haven't built in precautionary mechanisms into oracle/SwapCoin dynamic:

  1. The oracle at early genesis is not susceptible to collusion. Terraform Labs controls a significant portion of Luna, so its price feeder will be the singular source of truth for the oracle for the first few months. We've built in multiple layers of redundancy into our price oracle, so we didn't think influencing one or even several of these sources would distort the oracle in any meaningful way.

  2. Even if our pricefeeder were to be DDoSed, the price oracle simply deprecates a Terra currency (halts market swaps) once a liquid market vote fails to be reached for 15 mins * 10 = 150 minutes. So in some sense, we do have a liquidity protection.

Our goal has been to build in additional layers of protection for the oracle from v1 as the network becomes more and more decentralized. Having said that, I can think of the following solutions to be fairly straightforward pre-launch modifications:

  1. Only allow 1% of current Luna cap to be swappable in a 24 hr period (daily luna inflation capped at 1%).

  2. Add a trading spread to the market (widen spread for trading pairs with extremely high volume)

What do you think?

Hyung-bharvest commented 5 years ago

Great to hear that the team cares about the risks.

I agree that both plans suggested will significantly reduce the risk of abuse.

For #1, 1% (365% annualized) seems quite high. The community and team should respond quickly to raise a governance proposal on reducing the limit when excessive minting of Luna happens on mainnet. To prevent such instant abuse, 0.05% per 1h seems much more prudent than 1% per 24h.

I think 150 minutes for a safety halt will not be able to effectively prevent short-term market price manipulations. And the oracle cannot recognize which market price is by intentional purpose. A 0.05% per hour rule can prevent such one-time high-volume minting risk. But I still think reducing (or disabling) the swapcoin function during high volatility of each token is the ultimate solution. It can be discussed after mainnet, I think.

An arbitrageur's profit should not significantly exceed the cost of price manipulation. A lot of global hedge funds are very good at exploiting such structural flaws, with enough capital and human resources to hire. And we should keep in mind that because the majority of dPoS tokens are at stake, there is much less liquidity in the market than for other tokens, meaning easier market price manipulation (even sometimes with less than 0.1% of total supply, especially in the sleep time of the KR timezone, I expect).

I think the stability functionality of the Terra blockchain is at very high risk of abuse and it can never be cautious enough. I hope Terra will be launched with as conservative an environment as possible, and loosen the environment gradually as the market and community mature.
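Added example, not part of the thread and not classic-core code: a rolling-window mint cap that compares the two parameter choices debated above (1% of Luna supply per 24h against 0.05% per 1h) while an oracle price stays distorted. `MintLimiter`, `Allow`, `MintedDuringDistortion` and the supply of 1e9 are hypothetical, and supply is held constant for simplicity.

```go
package main

import "fmt"

type mintEvent struct{ at, amount int64 } // one swap mint: time (s), Luna amount

// MintLimiter caps Luna minted by swaps inside a rolling time window.
// Hypothetical type for illustration, not classic-core's market module.
type MintLimiter struct {
	window int64 // window length in seconds
	capBps int64 // cap in basis points of supply (100 = 1%, 5 = 0.05%)
	events []mintEvent
}

// Allow returns how much of want may be minted at time now and records it.
func (l *MintLimiter) Allow(now, supply, want int64) int64 {
	kept, used := l.events[:0], int64(0)
	for _, e := range l.events { // expire mints that have left the window
		if now-e.at < l.window {
			kept, used = append(kept, e), used+e.amount
		}
	}
	l.events = kept
	room := supply/10000*l.capBps - used
	if want > room {
		want = room // partial fill up to the remaining allowance
	}
	if want > 0 {
		l.events = append(l.events, mintEvent{now, want})
		return want
	}
	return 0
}

// MintedDuringDistortion replays a constructed scenario: the oracle price is
// wrong for `minutes` and a swapper requests `want` Luna every minute.
func MintedDuringDistortion(window, capBps, supply, want, minutes int64) int64 {
	l := &MintLimiter{window: window, capBps: capBps}
	var total int64
	for m := int64(0); m < minutes; m++ {
		total += l.Allow(m*60, supply, want)
	}
	return total
}

func main() {
	// Constructed supply of 1e9 Luna; 150 minutes is the halt delay quoted in the thread.
	fmt.Println(MintedDuringDistortion(86400, 100, 1e9, 1e9, 150),
		MintedDuringDistortion(3600, 5, 1e9, 1e9, 150))
}
```

With these inputs the daily cap lets the full 1% through in the first minute, while the hourly cap releases 0.05% per hour and only reaches 1.2% after a full day of sustained distortion.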

dokwon commented 5 years ago

I think even a 1% ceiling is too tight for the stability mechanism to work well; keep in mind that central bank interventions in fiat forex markets can go well into the single digits of reserves daily in volatile situations. It is not reasonable to give the Terra stability mechanism fewer levers to play with at genesis compared to a fiat currency.

Furthermore, a 1% daily inflation ceiling should not be extrapolated to present a doomsday scenario of 365% annualized Luna inflation. The chain was NOT designed to withstand a yearlong oracle attack (should any chain survive a sustained governance hijack without a fork?), and barring such a scenario, oracle failures will likely be short term and intermittent. Luna supply will increase and decrease through those cycles, and even in bear cases our simulations have shown the stability mechanism to be robust here.

There is a fundamental tradeoff in Swapcoin liquidity and the robustness of the stability mechanism. The balance is delicate, and should not be struck lightly! ;)

Hyung-bharvest commented 5 years ago

I don't believe any central bank uses as much as 1% of its total fiat supply in one day to stabilize the fx rate. If a central bank has to use 1% of total supply, it can be believed that the currency is already out of control.

I think Terra token issuance speed is one of the crucial factors to defend its stability. If the stable coins are minted too fast, Luna will lose control of stability.

I also remember there is no roadmap on a limit of issuance of terra tokens. It should be grown very slowly to mitigate the liquidity power of Luna to absorb volatilities from the terra tokens. Confidence of control by Luna and minting of terra tokens should step together, I believe.

My suggestion of 0.05% per hour is aligned with the 1% per day limit. (0.05% × 24 = 1.20%) Please consider the option too.

Please remember that B-Harvest is a team with a long financial background and a very conservative philosophy. We think the current structure has very weak points from attack vectors. Hope more community members join this discussion.

Thank you for your kind reply dokwon. We appreciate it.

dokwon commented 5 years ago

Central banks never use their own fiat currency to stabilize forex rates; that is a self-defeating proposition. They use debt (interest rate levers) and immediate collateral (forex buffers), which Luna exactly is: Luna is a mix between Treasury bonds and forex reserve assets. There are often rapid depletions of sovereign forex buffers in volatile markets; see Saudi Arabia. Given the Terra economy will likely be much more volatile than a fiat economy at genesis, we need to give it greater interventionary levers to combat such volatility. Happy to have a long discussion re: macroeconomic intervention tools, but a GitHub issue a week from launch is not the best place to do that.

Hyung-bharvest commented 5 years ago

I agree. If the team can apply the 1% per 24h limit in the near future, I believe it is definitely good enough for now. We can discuss it later after a successful mainnet launch!

Thank you for feedback!

dokwon commented 5 years ago

@dlguddus see #89. Comments are appreciated!

dokwon commented 5 years ago

Closing for now; as mentioned, 1% inflation cap for Luna built in to protect arb spreads. Will reassess post v-1 launch.