You are reading an excerpt from our free but shortened abridged report! While still packed with incredible research and data, for just $20/month you can upgrade to our FULL library of 50+ reports (including this one) and complete industry-leading analysis on the top crypto assets. 

Becoming a Premium member means enjoying all the perks of a Basic membership PLUS:

• Full-length CORE Reports: More technical, in-depth research, actionable insights, and potential market alpha for serious crypto users
• Early access to future CORE ratings: Being early is sometimes just as important as being right!
• Premium Member CORE+ Reports: Coverage on the top issues pertaining to crypto users like bridge security, layer two solutions, DeFi plays, and more
• CORE report Audio playback: Don’t want to read? No problem! Listen on the go.

General Borrow/Lending Risks

Lending and borrowing-based DeFi protocols are vulnerable to a number of attack vectors. Here are some ways that lenders and borrowers can lose out:

Lenders

• Bugs that enable the principal due to reduce (possibly to zero) without making any payments. This can happen if there is a bug in the smart contract that allows the borrower to reduce the principal balance without making any payments.
• The buyer's collateral cannot be liquidated when the loan is not paid back or the collateral drops below the threshold. This can happen if there is a bug in the smart contract that prevents the protocol from liquidating the collateral when the borrower defaults on the loan.
• If the protocol has a mechanism for transferring debt ownership, this could be a vector for stealing bonds from lenders. This can happen if there is a bug in the smart contract that allows an attacker to transfer debt ownership to themselves without the lender's consent.
• The due date of the loan principal or payments is improperly moved to a later date. This can happen if there is a bug in the smart contract that allows the borrower to extend the due date of the loan without the lender's consent.

Borrowers

• A bug where paying back the principal does not lead to principal reduction. This can happen if there is a bug in the smart contract that does not correctly update the principal balance when the borrower makes a payment.
• A bug or griefing attack prevents the user from making payment. This can happen if there is a bug in the smart contract that prevents the borrower from making a payment, or if the borrower is the victim of a griefing attack.
• The principal or interest rate is illegitimately increased. This can happen if there is a bug in the smart contract that allows the protocol to increase the principal or interest rate without the borrower's consent.
• Oracle manipulation leads to devaluing the collateral. This can happen if an attacker manipulates the price oracles that the protocol uses to determine the value of the collateral.
• The due date of the loan principal or payments is improperly moved to an earlier date. This can happen if there is a bug in the smart contract that allows the protocol to move the due date of the loan to an earlier date without the borrower's consent.

Both lenders and borrowers

• If collateral is drained from the protocol, then both the lender and borrower lose out, since the borrower has no incentive to pay back the loan, and the borrower loses the principal. This can happen if there is a bug in the smart contract that allows an attacker to drain the collateral from the protocol.

As you can see, there are a number of ways that DeFi protocols can be hacked. It is important to be aware of these attack vectors and to take steps to protect yourself when using DeFi protocols.

Compound III

Compound III launched in Q2 2022 with an emphasis on security and enables the creation of independent markets on the mainnet and layer-2s (L2s). The primary difference from the previous version is that now users can only borrow the base asset, USDC, and cTokens, the yield generating derivates of crypto assets on v2, have been removed. Compound III excels at catering to single-borrow use cases, establishing a more conducive market for these applications. In III, a user's collateral is illiquid and cannot be withdrawn by other users except during liquidation. The initial deployment of Compound III is on Ethereum. 

Compound V2 utilized a pooled-risk concept in which any asset may be borrowed. In this system, the protocol is only as secure as the most vulnerable collateral/token. A single poor asset might deplete the entire protocol. Currently, the majority of lending protocols, including Aave, function in this manner.

The evolution from a pooled risk model to a base asset model underscores another pivotal development in the narrative of Compound III. In the former model, the entire protocol is susceptible to the weakest asset in the pool. The shift to the base asset model, where only a single asset can be borrowed, bolsters security and heightens capital efficiency. This is enabled by the protocol's capacity to precisely price risk by anticipating the asset that will be borrowed and the collateral against which it will be leveraged.

The enhanced security on Compound III comes at a cost as collateral will no longer earn interest. The only purpose to provide collateral is to obtain credit/take out a loan. On the other hand, users can earn interest by providing the base asset with less risk.

Compound III has been constructed on a code base that is substantially simpler and smaller than its predecessor, Compound V2. This strategic decision was undertaken to diminish smart contract risk and render the protocol easier to comprehend, maintain, and audit.

The rise in Layer-2 solutions possessing robust decentralized finance (DeFi) environments is noteworthy. Launching on Layer-2s can expand the protocol's reach to include a greater number of unique addresses interacting with it in smaller quantities. This is due to the reduced costs on this layer compared to the mainnet, which is often monopolized by larger players or "whales". The introduction of Compound to Layer-2s can extend its accessibility to users with smaller positions, commonly referred to as retailers.

The growing consensus among industry insiders, including figures such as Vitalik Buterin, views Layer-2s as the default execution layer for all crypto-related activities. In this vision, Ethereum primarily functions as a settlement or consensus layer. This direction appears to be the trajectory of the ecosystem, with a greater number of transactions transpiring on Layer-2s like Arbitrum and Ethereum predominantly employed for transaction settlements.

Once the Compound contract has been deployed, a proposal for market launch is formulated. This process typically involves seeking governance's approval to trigger the market, which might include seeding the market's reserves, establishing supply caps, and defining interest rate values. Recommendations for safe parameters for these values and assets are provided by Gauntlet, a risk management platform for blockchain and DeFi.

Following these steps, the community is entrusted with voting on whether to initiate the proposed market. If the vote is affirmative, the proposal is transmitted to the new market and subsequently launched. This encapsulates the processes leading to the unveiling of a new market in the realm of Compound III.