feat: Add Liquidation Price into top Calculation (SC-6715)
#158
Conversation
src/dog.sol
Outdated
| @@ -176,6 +180,7 @@ contract Dog is LibNote { | |||
| id = ClipperLike(milk.clip).kick({ | |||
| tab: tab, | |||
| lot: dink, | |||
| lip: div(mul(art, rate), ink), | |||
There was a problem hiding this comment.
I think in principle we could save some gas here by doing:
due / dink
dink is required to be non-zero above so we don't need the safe division, and due / dink should have approximately the same value as art * rate / ink. I don't see any additional precision concerns there under normal risk parameter conditions, given the dust checks.
|
It looks like there's sufficient coverage for both code paths in the tests, although I think it would be nice to add two new tests that explicitly document the intended behaviors--one for a steeply declined or zero OSM price that uses the liquidation price, and one for a case that should use the OSM price instead (e.g. an underwater Vault). |
|
Used |
| @@ -176,6 +180,7 @@ contract Dog is LibNote { | |||
| id = ClipperLike(milk.clip).kick({ | |||
| tab: tab, | |||
| lot: dink, | |||
| lip: due / dink, | |||
There was a problem hiding this comment.
I feel something is wrong with this math and the logic. Having a better collateralized CDP means a lower starting price. So let's say the feeds report a lower price than the real, a well collateralized CDP will be much more punished than one that's really underwater.
I feel the starting price should somehow be related to the inverse of the due/dink.
There was a problem hiding this comment.
There's no way for the auction contract to know, fundamentally, whether the feeds are wrong. The goal is to have some sort of fallback to a saner price if the feed price is super low. Even without this change, a very low oracle price punishes well-collateralized CDPs more (it's always worse to get liquidated if you have higher collateral/debt). Using liquidation price, corrected for mat, as a floor acts to make the worst-case less bad. Better to be liquidated at a low price than zero. I.e. this PR never makes the starting price any lower than it otherwise would, so it's still a strict improvement.
IMO it may be better to just invest in making the oracles more secure than trying to get extra clever here, although if you have any good ideas let's hear them :).
There was a problem hiding this comment.
I agree with @kmbarry1 that in an oracle attack scenario this outcome is strictly better than not having lip. I'm okay with leaving as is, otherwise we might introduce some unnecessary complexity.
There was a problem hiding this comment.
Couldn't it happen that a very underwater vault won't be auctioned because the initial price is too high due this function?
I guess in that case it could be reset after the first cycle, which at least for now is not using this liquidation price.
Which btw, shouldn't we consider using it in the reset function somehow as well?
There was a problem hiding this comment.
Yes so this is something I wanted to bring up. I wasn't sure if we wanted to use it in the reset function, because then the auction's tops will never decrease during reset which would be bad in a scenario of a steep market decline. However if there was an oracle attack and no one bid on a CDP that was really expensive for example (highly collateralized), then on reset that price would go to zero.
There was a problem hiding this comment.
Hmmm you mean highly underwater, right? As if the CDP is highly collateralized, the liquidation will start at a lower price.
But yes, to your point, not really sure what to do with reset, as the same logic than in the originally liquidation would apply here, however the full property of reset wouldn't work if we do this.
I think these are the reasons why I feel this functionality is a bit forced.
There was a problem hiding this comment.
Yes sorry that's what I meant. And I do think that governance param solution could work for the reset, definitely open to other ideas though. I'll actually do a quick implementation of what I'm suggesting in the next commit.
There was a problem hiding this comment.
It might be interesting to do:
RESET_PRICE = max(buf*OSM_PRICE, PCT*top)
where PCT is the new gov parameter encoding the largest allowed (percentage-wise) decrease in top.
There was a problem hiding this comment.
Thats actually what I just did! In the last commit.
sales[id].top = max(
rmul(sales[id].top, lop),
rmul(rdiv(mul(uint256(val), BLN), spot.par()), buf)
);
I made lop directly multiply instead of doing sub(RAY, lop) (E.g. 25% decrease => lop = ray(0.75 ether)). I did this because if lop isn't set for whatever reason it will just be zero, so it won't be considered in the equation. This is IMO better that it working out to be 1 if its not set, which will just set it back to the old top.
There was a problem hiding this comment.
Yep, that's what I had in mind.
|
Made requested changes by @gbalabasquer.
This is an interesting point... |
|
How do we feel here? Pros:
Cons:
Did I miss anything? IMO it comes down to how likely you think an oracle attack is--we know it's a very severe outcome, but also unlikely, so is it worth the downsides above? |
This might be over complicating things, but we could have an instant access module that could modify a boolean in the case of an oracle attack to use the liquidation price in that scenario: However this still requires us to calculate and pass in |
Hmmm but how would that IAM would be executed and under which rules? I think at that point yes, we would be over complicating this too much.
I would feel much better about it if we had a system that protects more to the cdps that are more collateralized than the exact opposite which it is doing now. |
|
Definitely agree with Gonzalo that assuming an IAM on top is excessive, complexity-wise. I'm a little more ambivalent on whether this is worth it. I guess it probably needs a more exhaustive analysis of how an oracle attack would be likely to play out (against one, several, or all collateral types) to figure out exactly how much help this would be. Which, given how close we are to freezing the code, means maybe we should put this aside for now and instead examine it as part of the audit process. If a clear case emerges for needing some mitigation, then we can revisit it. Btw Gonzalo, I've tried to think about how to address your concern (the fact that it works worse for better-collateralized Vaults) and I think that could end up being very messy, without any trustworthy price oracle... |
|
@kmbarry1 so should we close this PR or leave it open you think (if we are going to reexamine during the audit process, which I agree is a good idea)? |
Hmmmm, maybe we'll close it for now so no one accidentally spends time reviewing when there are more important tasks? PRs can always be re-opened. |
|
closing for now |
Adding this PR to start a discussion about adding the liquidation price (
(art * rate / ink) * mat) into thetopcalculation.