Looking at Iron Finance's Failure
The failure isn’t a surprise, but the speed of the failure is
Iron Finance’s partially backed stablecoin IRON has failed. It shouldn’t be a big surprise that IRON was unable to hold its peg with the dollar. In fact I have an article I was working on that detailed what IRON is and the potential risks associated with it. In that draft, from June 6th, I was using the concept of UST and LUNA as an illustrative example of IRON and TITAN:
If there isn’t a strong demand for LUNA (TITAN), it is entirely possible that selling LUNA (TITAN) in order to purchase UST (IRON) could drive LUNA (TITAN) into the ground and never achieve parity between UST (IRON) and USD. Its not all that hard to imagine a scenario where crypto demand becomes very limited because of government bans, recessions, hacks, whatever.
In my two posts I have made about stablecoin farm rates I said:
Before investing in this LP consider the smart contract risk of a relatively new smart contract deployment, as well as the risk of IRON not being able to keep its peg.
I still think that this is a riskier stablecoin pair to be in. That hasn’t stopped me from dabbling in this pair though.
What I didn’t realize is how quickly TITAN could be driven into the ground (a matter of a few hours), and the fault for that lies 100% with Iron Finance’s incompetent team.
What happened?
There are a few theories as to what caused the TITAN/IRON meltdown, Rekt News goes with the arbitrage theory, but that is only one component of a multi-component failure.
I saw the writing on the wall pretty early on and got the small amount I had in IRON-USDC pools out around $0.96. I am not much of a high risk investor, so I only keep a tiny fraction of my defi portfolio in the juicer/riskier pools. Even so, I babysit those riskier pools pretty actively. If it looks like there is a run on a stablecoin or a some kind of hack, I pull my funds as soon as possible. After pulling my funds I continued to watch the “bank run” through the rest of the day.
Most of my IRON that I withdrew from LP’s I swapped to USDC instead of using Iron Finance’s redeem functionality, which is designed to give $0.70 USDC back per IRON and approximately $0.30 worth of TITAN. When I went to use the redeem function, I saw that it was actually giving me less overall USDC/TITAN combo than I could get from just swapping through liquidity pools.
TWAP and the redemption window
It turns out that Iron Finance had added a feature to their smart contract code that used a time weighted average price (TWAP) of TITAN to figure out how much TITAN to give in the redemption process. Although the idea of using a TWAP is a good one (it helps prevent flash loan attacks), the way it was used caused the complete failure of Iron Finance.
TITAN was falling fast enough that whenever the redeem function was calculating $0.30 worth of TITAN, it was valued in the past when TITAN was a higher USD value, giving something like $0.20 worth of TITAN but thinking it was $0.30. The result of this bad pricing actually made it so users could get a much better price through liquidity pools than through the redemption window.
The redemption window and liquidity pools are things that were actively arbitraged by automated trading bots. Bots and users could mint IRON for $0.70 worth of USDC and $0.20 worth of TITAN (a $0.90 investment) and then sell it on the liquidity pools for a higher price (I saw $0.03-0.05 gaps when I was watching), making a quick profit of 3-5%. That arbitrage process helped bring the price of the liquidity pools more inline with the redemption/minting price.
But the arbitrage itself is not what caused the total collapse of TITAN, it was the TWAP. As liquidity providers and other IRON holders began to see the rate of USDC-IRON trading way lower than it should be, they began to get nervous and to pull out funds (a classic bank run). When you are getting 60,000% APY on an investment, you should be a bit quicker on the draw when the time comes to pull out, and it turns out people were. As people pulled out their IRON and redeemed it for the IRON-TITAN combo, they typically sold their TITAN right away (who wants to hold an asset that is in the middle of a freefall?), causing more downward pressure on the price of TITAN.
The worst part about this whole design is that when you mint IRON from USDC and TITAN, the USDC is placed into a vault but the TITAN is burned (destroyed). Likewise when IRON is redeemed, USDC is withdrawn from the vault and TITAN is freshly minted (created from thin air). So when someone redeems their $0.70 USDC through the redemption window and the TWAP says that TITAN is worth $60, then the protocol mints about 0.005 TITAN. When the price of TITAN had fallen to $20, then the protocol mints 0.015 TITAN per IRON. When the price of TITAN is $0.01, that means that 30 TITAN are minted per IRON.
As TITAN kept falling and more IRON was being redeemed, more and more TITAN was being created and instantly sold. The entire process created a death spiral that left TITAN with a supply of 34.5 trillion coins, making it essentially worthless. Since IRON is in theory 30% backed by TITAN, that means that IRON took a 30% haircut and all that remains is that 70% USDC.
Polygon hit with a spam attacked on the same day?
I don’t know if I was the first to identify this, because it was obvious to anyone that has been in crypto for more than a couple days, or just the first one that thought they should help the non-technical community know what was happening, but I posted on reddit about an active spam attack happening on Polygon.
Essentially, there was an attack that had the goal of making it hard to use Polygon by spamming it with transactions and filling up every block 100% full. Since Polygon is cheap to transact on, a spam attack like this is actually relatively easy and relatively cheap. There are some users on reddit that say “these are just transactions cancelling other transactions” and things along those lines, but they aren’t. You look at the account’s that are posting these transactions, there are no transactions that ever occur on those accounts where they send any type of value (MATIC or tokens) or interact with any smart contracts, and the accounts were only active during the spam attack. The transactions were simply blank transactions that send 0 MATIC and attempt to raise the gas price of the entire network. Since Polygon has been so cheap to use, users were not used to changing gas fees (which needed to be 50+ gwei in some cases to get through), and people had a hard time getting to the exit during the bank run.
Who performed this attack? My best guess is a competitor to Polygon. Maybe one of the more established semi-centralized blockchains (who could that be?) or different smaller competitor. The attack damages Polygon’s reputation and user’s confidence in it, so its a win for a platform looking to grab some new users.
The developers and the Iron Finance team are at fault
So why blame the developers/team instead of simply the design/algorithm? Well to be clear the design and algorithm is what created the underlying problems. The Iron developers made the design worse with their TWAP code, but that’s not even why I blame them. The developers could have easily salvaged the project and stopped a large portion of the bank run, but instead chose to make everyone panic more and be left in the dark.
Iron Finance decided to just go dark. Their Discord channel, Telegram, etc were all paused so that nobody could post. This was to “stop FUD”. Uh, yeah…. that’s not how it works.
I have worked as a developer for several privacy coins. Privacy coins are prone to attacks/exploits. Privacy coins, like defi projects, are typically implementing new and untested privacy algorithms based on academic research. Both the research and the implementations can have flaws that are not obvious. Eventually an exploiter finds a flaw and uses it to their advantage somehow (de-anonymizes transactions, man in the middle attacks, inflation bugs, etc). So there are a few times I have been on the other side of the whole “community is panicking, what do we say” thing. The answer was never to go dark and leave the users clueless. Even if the team is still figuring it out, you turn that into something like “the team has identified key flaws and are taking immediate action to fix the issue” or “the fix is being implemented immediately and will be rolled out shortly, for now pause your activity with the coin”. Yeah that sucks, but at least the users know what they should do, and that the team has a fix on the way. Discord admins have to work double time to help keep the information correct, ban users that are spamming, point questions to the correct channel, etc. Going dark only makes a run worse.
The biggest issue I have with how the failure was handled is that the developers did not halt the functionality of the redemption window. Most defi projects have the ability to turn their most important features on pause. These features are done with “manager” or “admin” permissions, so they don’t have to go through a timelock to halt functionality during hacks or other issues. Apparently the developers didn’t think that this completely obvious issue with the TWAP and TITAN being driven into the ground, (an event that occurred over something like 8 hours) was worth pausing functionality to save the project. That is sort of Banking 101, when there is a run on the bank, the bank needs to implement withdrawal limits so that the initial panic of the run subsides.
If the team would have had some competency, they would have paused functionality, put out clear messaging to the community about what is happening and expected time before funds are accessible, and then fixed the TWAP logic to be able to adjust to real time conditions.
I have been in crypto since 2012, and honestly the Iron Finance meltdown is definitely on the list of dumbest events that I have watched unfold.
If I get you right, you propose the developers should have halted "the functionality of the redemption window" to try and avoid panic and somehow control the run. The point is, in my view, how does it match with the principles of (i) code is law and (ii) decentralization vs commercial bank practises...
The pause functionality could have been easily achieved when they minted 1 billion TITAN, which was supposed to be the max cap. Then no more IRON would have been redeemed and perhaps new arbitrage opportunities would have offered to mint IRON with cheaper TITAN leading to TITAN being burnt and reducing the total supply of TITAN again. Now TITAN is a meme coin. So join us on TITAN is our DOGE community, where the community will make TITAN great again: https://t.me/titanisourdoge