The Detailed Process of the 2022.10.28 Attack on Deri Protocol
On Oct 28, 2022 (UTC time), an attack took place on Deri Protocol’s trading pool on Arbitrum. The attack was carried out with two associated accounts, A (0x09ca80536f5aa6f04a8170D44aAf9fdfDD1e228d) and B (0x2443506117e03136727E394F85B5b0797A3E0477). Below is the detailed procedure of this attack.
- At UTC 10/28/2022 10:56, the attacker added margin to these two accounts: 750 USDC to A and 16 USDC to B.
- The attacker alternated between the two accounts to gradually build large opposite positions on the option BTCUSD-40000-C, trading a relatively small volume in each turn. In each turn, the attacker first used account A to buy a small volume of BTCUSD-40000-C, which pushed the mark price up slightly; immediately after A’s trade, the attacker used account B to sell the same volume, bringing the mark price back down.
- Because of the extremely low margin requirement for far OTM (out-of-the-money) options on Deri Protocol, the attacker was able to repeat this turn hundreds of times and eventually opened a huge long position for account A (notional=100,192 BTC) and a huge short position for account B (notional=-96,940 BTC). This process finished at around UTC 10/28/2022 12:42. At this point, account A had fully utilized its margin (i.e. it was at its maximum leverage).
- Under the everlasting options’ funding mechanism, A continuously paid funding fees to B. The attacker accelerated this by making A’s volume larger than B’s, which produced a positive net volume that pushed the funding rate even higher. With this set-up, account A kept paying funding fees as time went by, so it would very likely be liquidated unless the BTC price kept going up.
- At 10/28/2022 17:51 UTC, when the BTC price went down and brought account A below its maintenance margin, it was liquidated. The liquidation caused a massive sell (notional=100,192.4024 BTC), which dragged the mark price below zero (there is no negative price limitation during liquidation). Account A would theoretically have lost around $144,000 in this liquidation. However, it only lost its original margin balance.
- Immediately after the liquidation of A, the attacker closed out the short position in B, realizing a large profit of around $144,000. In theory, B’s profit comes from A’s loss and the pool would have a close-to-zero net PnL. However, since A’s loss is bounded by its margin balance and thus cannot be fully realized, the pool ended up with a net loss.
- The attacker took the profit from B and finished the attack process.
- For this attack, the attacker added 766 USDC as margin, and finally withdrew 144,388.569237 USDC out of the pool, resulting in a net profit of 143,622.569237 USDC.
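As an added illustration (not Deri Protocol’s code; every size, price and margin below is constructed), a small settlement model of the accounting asymmetry behind the net loss described above: the liquidated account’s realized loss is capped at its margin, while the counterparty’s gain is not, so the pool absorbs the difference. It also shows that a zero price floor during liquidation only bounds the bad debt rather than removing it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    """One trader account. Sizes are in constructed contract units, not BTC."""
    name: str
    margin: float   # collateral deposited
    size: float     # position size: positive = long, negative = short
    entry: float    # average entry mark price

    def pnl(self, mark: float) -> float:
        """Unrealized PnL if the position were closed at `mark`."""
        return self.size * (mark - self.entry)


def settle(a: Account, b: Account, liquidation_mark: float,
           floor_price: Optional[float] = None) -> Tuple[float, float, float]:
    """Liquidate `a` at `liquidation_mark`, then let `b` close at the same mark.

    Returns (a_loss_realized, b_profit, pool_net). A negative pool_net is bad
    debt the pool absorbs. `floor_price`, when given, clamps the liquidation
    mark from below; the incident text notes that no such limit existed.
    """
    mark = liquidation_mark if floor_price is None else max(liquidation_mark, floor_price)
    a_theoretical_loss = -a.pnl(mark)
    # The liquidated account cannot lose more than the margin it deposited.
    a_loss_realized = min(a_theoretical_loss, a.margin)
    b_profit = b.pnl(mark)
    # The pool is counterparty to both legs: it collects A's realized loss and
    # pays out B's full profit, so it eats whatever A could not cover.
    pool_net = a_loss_realized - b_profit
    return a_loss_realized, b_profit, pool_net


def bad_debt_bound(a: Account) -> float:
    """Worst-case pool loss from liquidating `a` with a zero price floor:
    the whole notional can be lost, but only `margin` is collectable."""
    return max(0.0, abs(a.size) * a.entry - a.margin)


# Constructed scenario: A long and B short the same option, both carrying
# margin that is thin relative to position size, as in the incident.
A = Account("A", margin=750.0, size=100.0, entry=10.0)
B = Account("B", margin=16.0, size=-100.0, entry=10.0)

if __name__ == "__main__":
    for floor in (None, 0.0):
        print(f"floor={floor}:", settle(A, B, liquidation_mark=-5.0, floor_price=floor))
    print("bad-debt bound with zero floor:", bad_debt_bound(A))
```

With no floor the mark at -5 leaves the pool short the full gap between A’s theoretical loss and its margin; with a zero floor the gap shrinks to the bound returned by `bad_debt_bound`, which is only eliminated by a margin requirement sized to the notional.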
About Deri Protocol
Deri, your option, your future!
Deri is the DeFi way to trade derivatives: to hedge, to speculate, to arbitrage, all on chain. With Deri Protocol, trades are executed under the AMM paradigm and positions are tokenized as NFTs, making them highly composable with other DeFi projects. By providing an on-chain mechanism to exchange risk exposures precisely and capital-efficiently, Deri Protocol has minted one of the most important building blocks of the DeFi infrastructure.