Short Squeeze in DeFi Lending Market: Decentralization in Jeopardy?

TL;DR

This paper analyzes a failed attack on the Aave DeFi platform that artificially deflated CRV token value, revealing vulnerabilities in large decentralized lending protocols and the trade-offs between decentralization and security.

Contribution

It provides a detailed case study of the attack, highlighting protocol design flaws and discussing the implications for decentralization in DeFi lending.

Findings

The attack caused over $1.5 million in irretrievable debt.

Large borrowing capacity of CRV enabled the attack.

Protocol design limited rapid intervention, exacerbating the impact.

Abstract

Anxiety levels in the Aave community spiked in November 2022 as Avi Eisenberg performed an attack on Aave. Eisenberg attempted to short the CRV token by using funds borrowed on the protocol to artificially deflate the value of CRV. While the attack was ultimately unsuccessful, it left the Aave community scared and even raised question marks regarding the feasibility of large lending platforms under decentralized governance. In this work, we analyze Avi Eisenberg's actions and show how he was able to artificially lower the price of CRV by selling large quantities of borrowed CRV for stablecoins on both decentralized and centralized exchanges. Despite the failure of his attack, it still led to irretrievable debt worth more than 1.5 Mio USD at the time and, thereby, quadrupled the protocol's irretrievable debt. Furthermore, we highlight that his attack was enabled by the vast proportion of CRV available to borrow as well as Aave's lending protocol design hindering rapid intervention. We stress Eisenberg's attack exposes a predicament of large DeFi lending protocols: limit the scope or compromise on 'decentralization'.