A number of researchers have attempted to shed light on the catastrophic chain of events leading to the collapse of Terra’s emperor which wiped off billions of dollars from the cryptocurrency market cap, and effectively putting LUNA and UST to extinction. However, most research is scattered at best. The most comprehensive research is Nansen that provides in-depth on-chain data analysis that traces a group of attackers responsible for the depeg. Caleb & Brown analyzes the Curve’s liquidity pool along the depeg event. 0xHamZ, an enthusiastic crypto investor in Twitter, coins a theory that crypto hedge fund Three Arrows Capital (3AC) swapping huge amounts of UST in Binance caused the depeg.
We do not attempt to sketch a different narrative than other researchers. In fact, we think Nansen provided the most well grounded and comprehensive analysis with. Nevertheless, they do not provide theoretical reasoning for how a stablecoin can fail, thus non-crypto readers may have a hard time understanding the narrative. Moreover, their data source is not reproducible. Other research does provide some data source, but is not as quantitative as Nansen.
We fill in this gap by providing some theoretical background on how to attack a stablecoin in general, and how the attack to UST happens in particular. We present some fundamental problems of Terra’s protocol based on our own insights and other crypto analysts. In addition, we provide reproducible materials to replicate Nansen’s analysis wherever possible, and add extra background information to the narrative. Interested readers are welcomed to play around with the data using our code.
How to attack a stablecoin?
We explained in detail the concept of stablecoin and how it works in this article. Essentially a stablecoin delivers a promise to exchange the stablecoin token to US dollar at the 1:1 exchange rate. The stablecoin will live to serve its purpose if the market believes that the issuers can fulfill the promise, and fail otherwise. In other words, its price (compared to the asset that the stablecoin is pegged to, usually USD) and existence largely follows the law of supply and demand: the demand comes from users who need stablecoin to make exchanges or stake to earn interest, and the supply comes from the protocol of issuers. When the trust in the stablecoin erodes, the demand for it falls, and for given supply scheme the stablecoin's price will decrease i.e it loses the peg. Recovering the peg requires the issuers to regain the trust from the community, or to change the supply scheme. The latter is particularly difficult because the point of deploying a decentralized network is to have a decentralized autonomous organization (DAO) responsible for transparency and democracy of any change to the protocol, and changing the supply scheme will further erode the community's trust.
In practice, the arrival of DeFi introduces the concept of stablecoin liquidity pool where stablecoin can be exchanged at 1:1 rate with other stablecoin. 3pool is a prominent example. At the time of this writing, 3pool’s reserve is approximately $1B, consisting of 20% DAI, 20% USDC and 60% USDT. One can then go to the pool and swap one of the three stablecoins to another stablecoin listed in the pool. The liquidity pool is the market for stablecoin.
But what about the exchange rate? The exchange rate for such trade is determined by the proportion of each stablecoin in the pool. However Curve designs the pool in a way such that, when the proportion of one coin is not “too” different from the swapped coin, then the ratio will be close to 1:1. In the example above, even though DAI consists of only 20% of the pool (which means that DAI is relatively scarce), it can still be swapped for USDT (which accounts for 60% of the pool so it is relatively abundant) at a 1:1 exchange rate. However this will not be true if the proportion of USDT increases and passes some threshold, say, 80%. In this case the protocol will say that USDT may not be stable anymore, and it will adjust the exchange rate so that 1 USDT can be swapped for less than 1 DAI. In other words, the stablecoin will be depegged if the ratio between two stablecoins in the pool falls below a threshold.
Snip from Curves "Risks" page
We particularly mention Curve’s 3pool because it is the largest multiple-stablecoin pool at the time of this writing. Standard pools usually consist of 1 pair of tokens (for example, USDT-USDC, or USDT-ETH). An obvious comparative advantage of 3pool is the deep liquidity, which allows users to swap million dollars of stablecoins without any centralized authorities, but it can also be the point of attack: if most stablecoin is swapped out of the pool, that stablecoin will depeg.
How to defend against an attack on a stablecoin?
The depletion of liquidity of the stablecoin in siege triggers a depeg, and an apparent defense would be to remove or “burn” the attacked stablecoin in the pool. In economics, an attack is equivalent to the decrease in demand for the stablecoin, which can be counteracted by artificially lowering the supply.
Such defense can be costly, depending on the pegging mechanism of the stablecoin. In the case of Terra, burning UST comes at the cost of expanding the supply of LUNA. Essentially it means that the protocol “incentivizes an increase in the price of UST at the expense of the decrease in the price of LUNA”. To better understand the narrative, we first brief through how LUNA/UST works, and discuss the fundamental problem behind the algorithm.
How does UST pegging work?
The system relies on traders burning or creating tokens for arbitrage profit to maintain its peg to the U.S. dollar. Every time a UST token is minted, the equivalent of $1 in market price in LUNA is burned, and vice versa. So when the price of UST drops below $1, traders are encouraged to burn UST, or remove it from circulation, and receive Luna tokens at a discounted rate. Because there is less UST in circulation, the price should theoretically go up toward $1 again, maintaining the peg.
If the price of UST exceeds $1, traders are incentivized to burn $1 worth of LUNA in exchange for 1 UST (which is worth , which increases its supply and theoretically will eventually drop the price back to $1.
Fundamental problem/risks behind UST algorithmic pegging
UST leverages on algorithmic pegging to establish its firm position as a decentralized stablecoin. Such departure from the traditional pegging method raises several fundamental risks:
In theory UST is not backed by any particular asset. In practice, UST is backed by Luna Foundation Guard (LFG), a nonprofit organization. In February 2022, the LFG raised $1B in Bitcoin in a private token sale to safeguard UST against market instabilities. The LFG’s reserve is a basket which includes BTC, AVAX, LUNA, USDC, USDT and UST. The fund will be used to purchase back UST whenever Terra needs to lower the supply.
Because the reserve consists of cryptocurrencies, its value is inherently comove with the crypto market. Such correlation can be a double-edged sword to the stability of UST: when the price of Bitcoin goes up, the reserve’s valuation also goes up, giving the protocol thicker buffer against attack; but the reverse is also true: confronting an attack during the crypto’s downturn, the LFG will have less money than it thought it might have to defend against the attack. Moreover, the attack would trigger LFG to sell its crypto for stablecoins to balance the proportion of UST in the 4pool, in turn deepening the bearish cycle of the cryptomarket.
Publicity of the LFG’s reserve as a Achilles’s heel
The LFG publicly announces its reserve, which freely gives away an opportunity for attackers to estimate how much money is needed to break down the protocol. As a simple example, suppose that the reserve is valued at $1B, then theoretically attackers would need to chip in more than $1B to bring the system down. In practice, they need less than that because of the “death spiral” triggered by an initial attack, which we explain in detail in the next section.
As previously stated, UST has no genuine collateral supporting it. Instead, by arbitraging any deviation from parity, an active network of validators and market participants preserve its peg.
Because 1 UST can be exchanged for 1 USD worth of LUNA, UST is also considered a liability for the Terra ecosystem (and vice versa). Thus there is a loophole in balancing the reserve between LUNA/UST.
This raises the typical concerns of Death Spiral based on Swissborg’s analyst
Sources: illustration by Jose Maria Macedo of Delphi Labs
The first two scenarios present the Death Spiral: if UST depegs, the protocol will contract the UST supply, and more LUNA will be minted. In turns, LUNA will lose value, and the community will sell more UST worrying that UST will lose the peg. The loop continues indefinitely.
Looking at scenario 3, in order to prevent the Death Spiral, $UST should be able to redeem to $BTC to reduce the impact directly on $LUNA, but this was never tested before the depeg event.
Another concerning risk lies on the Anchor Protocol, a Terra ecosystem lending and borrowing protocol, with 19% APR on lending but only roughly 7% interest rate on borrowing. Essentially it means for every dollar that Anchor Protocol receives, it has to bear a 12% loss on interest rate, IF every deposited UST is lent out. In practice, the amount of deposited UST is always larger than the UST lending out by the protocol, resulting in the Anchor Protocol carrying significant interest rate loss. Such practice is prone to collapse at best.
There are also inherent risks such as technical risk, and security risk like all stablecoins or other cryptocurrencies, which haven’t been found to be relevant with this depeg event.
Narrative of the attack on Terra’s UST
Prior to the attack, Curve had a UST-3pool (i.e 4pool) that allowed UST to be swapped for USDC / DAI / USDT. According to Nansen’s analysis, it is the starting point of the attack as they identify a group of attackers who swap a huge amount of UST to other stablecoins in the pool. The group prepares the UST by withdrawing from the Anchor Protocol prior to 7 May.
One may raise a question whether the swap in 4pool is actually a coordinated attack on UST, or simply an individual panic triggered by the first attacker. Similar to Nansen’s narrative, we believe that the former is true because of few reasons:
- All members of the group withdrew UST from Anchor Protocol prior to the attack, which signals that they coordinately prepare for the attack.
- There was some taunts between Do Kwon, the Terra founder, and crypto traders all around:
- March 14: A crypto trader, Algod, makes a 1 million dollar bet that the price of LUNA will be lower one year from now at the time of the bet. Do Kwon accepted the bet.
- March 15: other crypto traders joined the bet and raised the stake to $22M.
3. The aggregate UST swapped at 4pool on 7 and 8 May made by the group amounts for more than X% of the total UST swapped in that timeframe. Such a proportion is too big to be considered an individual panic.
We follow Nansen’s analysis closely in breaking down the chain of events that leads to UST’s depeg. We contribute to the narrative by providing reproducible materials that allow interested readers to verify and investigate the narrative on their own. Furthermore, our analysis reconfirms Nansen’s narrative whose on-chain evidence is not available to the public. The drawback of our analysis is that some information in Nansen’s publication is not obtainable from public data sources.
Initial attack on Curve’s pool:
Dumping UST on 3pool is the most efficient and profitable way to destroy the peg. The deep liquidity in 3pool allows the attackers to swap enormous amounts of UST to other stablecoins. On the other hand, the swap is effortless and decentralized which retains the anonymous nature desired by the attackers.
We query data from Dune, a crypto analytics that allows querying on-chain data. Reproducible materials are in the hyperlink.
We start by plotting the cumulative UST flowing into the 3pool, which apparently increased over time from the period December 2021 to early May. When zooming into May 7 and May 8, the figure is almost identical to Figure 5 in Nansen’s analysis. The total net inflows aggregated over May 7 and 8 is $1,031M. Looking at the bigger picture, we can see that UST flow increased steadily from early January, reaching the peak of $700M in early May. There are some periods where the cumulative UST falls such as early March and late April, but it recovers rather quickly.
We then break it down to the top 10 contributing wallets, and then compare it to Nansen. We can see that out of 10 wallets, 9 wallets are matched (even though the order is slightly different). Furthermore, the inflows statistics are matched exactly. Wallet x000f7f22bfc28d940d4b68e13213ab17cf107790 is the only outlier and it is nowhere to be seen in Nansen’s analysis.
Looking at the timestamps of net flows, we noticed that most of these wallets execute the swapping attack at almost the same time, between 2022-05-07 15:00 and 2022-05-07 21:00. For that reason, we lean towards the theory that this is an organized attack on Terra.
Curve’s pool distribution:
We plot the distribution of stablecoins inside Curve’s pool overtime to illustrate how the liquidity depletion occurs.
The proportion of UST and USDC/USDT/DAI balance is close to 1:1 and quite stable from the beginning. There are some periods where the UST proportion is slightly below the other pool though such as early March and late April. The striking period is 7 May where a huge amount of UST is swapped for other stablecoins and removed from the pool, causing a huge liquidity deprivation. After that, 95% of the pool consists of UST, and then only UST remains in the pool.
There exists in parallel another 4pool consisting of UST and USDC/USDT/FRAX. However this liquidity pool is only a few million dollars deep so we do not think it is relevant to the attack, especially considering the amount of UST swapped at the 3pool. However for the sake of completeness, we plot the distribution of 4pool below
The proportion of each stablecoin in this pool is relatively stable until May 8th where UST starts to overwhelm other coins. This graph reinforces our theory that the attack on 3pool initiates the whole catastrophe
From Ethereum and Terra, from Anchor to Curve
UST is a token issued in the Terra chain, but Curve protocol is built on Ethereum. Therefore one needs to bridge UST tokens between two chains to execute the swap. There are two ways to do so: either via Wormhole or via an exchange (either decentralized or centralized). Technically when one transfers UST from Terra to Ethereum, he first sends the UST to Wormhole, from which the UST will be “locked” inside Wormhole, and then Wormhole will issue a “wrapped” UST in Ethereum blockchain to the Ethereum address of the sender. Exchanges follow a similar process, but the point of bridging is much more ambiguous than Wormhole which makes it almost impossible to match wallets.
Moving to Anchor, it allows investors to stake in UST to earn a whooping interest rate up to 20%, which is much higher than other stablecoins in all lending and staking protocols. A profit-maximizing attacker would likely stake the UST at Anchor protocol first, and then withdraw the UST in advance to prepare for the attack. We track the UST withdrawals from attackers’ wallets to verify this narrative by on-chain evidence.
The matching process is as follows:
- For each wallet in the table above, we trace its activity from 1 March to 11 May and find the top 3 transactions receiving UST from Wormhole to Ethereum’s wallet. Code can be found here.
- We then follow those 3 transaction IDs and find Terra's wallets that send the similar amount of UST to Wormhole.
- If we spot 1 transaction (or more) that goes from Terra to Wormhole, and the same amount goes from Wormhole to Ethereum, then we can infer that two addresses in two different chains belong to the same person
We present the result in the table below:
The matched transaction amount, transaction hash and timestamp can be found here. Code generated the data for outflows from Anchor can be found here.
There are four wallets (in red) that use centralized and decentralized exchanges to perform the bridge, so we cannot track down their Terra address. The top three wallets (from top to bottom), these wallets interacted with 1inch DEX, Exchange Proxy Flash Wallet and Paraswap v5: Augustus Swapper. The most bottom wallet (x83a…d88e) creates a private smart contract for the swap. Nansen couldn’t provide the matching wallets as well.
For the rest of the wallets, the matching was identical to Nansen, once again varying their narrative. However, the sum of outflows is off for many wallets. For example, comparing to figure Figure 9 in Nansen, the wallet “terra1yl…t82k” withdraws $193M, whereas our data shows that the withdrawal amount is $311M.
Learning from the history, and Lesson for the future
We allude to the international trade theory to exemplify that any attempt to peg a currency to another currency is vulnerable to risks, in which a speculative attack is the most popular one. In international trade, a speculative attack is the massive and sudden selling of a nation's currency in order to devalue the currency in order to prop up its currency value. Examples include the Black Wednesday event in 1992, in which the British pound was pegged to Germany’s mark but George Soros kept shorting the pound until the U.K. central bank gave in and allowed the pound to float, and the collapse of Bretton Wood system in 1971 which ceases the convertibility of gold into dollars. In many cases, a country needs to either exhaust all the reserves to maintain the peg, or it has to give up the peg before running out of reserves. Terra chooses to save the UST, and it necessarily comes at the expense of LUNA and the LFG’s reserves. However, the UST algorithm is dependent on LUNA, thus its collapse eventually takes down UST as well. This is an inherent problem of Terra’s protocol in particular and any algorithmic stablecoin in general.
In conclusion, while we do not take a firm stand on the point of UST’s failure, it is evident that Terra had a number of fundamental risks that could be exploited, they were exploited. Do Kwon still has lots to do if he wants to regain the trust from crypto community.