Comment on page
The following illustrates different types of risk that you should expect when using the Silo lending application. The list is in no way exhaustive of all risks that you might be exposed to.
You might lose funds due to:
- Unknown bugs in Silo’s smart contracts; in the scenario, smart contracts have a syntax error or fail to execute their logic as intended due to a mistake(s) related to code being written improperly.
- Silo’s smart contracts might behave as intended yet the behavior produces economic errors. In this scenario there is still a loss of funds despite the code being technically correct in what it intended to do, but the incident happened due to a failure of the contracts’ economic design.
Smart contracts are written by humans and therefore they may contain unknown bugs and produce economic errors that are inherently unforeseeable.
Oracle manipulations are a well-known risk. The oracle price is manipulated upwards such that a depositor is credited with an inflated deposit amount. This will allow the depositor to potentially borrow all the tokens from a silo without having enough collateral to cover outstanding debts in case of a liquidation. Oracle Manipulations might also lead to cascading liquidations as a result of collateral depreciating in value to a point where additional loans become undercollateralized.
The Silo protocol uses a number of price providers to read prices of token assets, including:
- Chainlink data feeds
- Team-developed price providers i.e. custom oracles
- Uniswap V3 TWAP oracles
- Balancer V2 oracles
Except for custom-oracles in certain cases, the core team has no control over oracles and cannot actively detect when oracles become vulnerable to exploits.
Example: Rari’s Fuse market exploit on pool #23 is an example of an exploit made possible due to manipulation in the price of a collateral asset. While the exploit did involve some unexpected behavior in the Uniswap V3 oracle that resulted in an inflated value of a token that was used as collateral in the Fuse pool.
Silo relies on third-party liquidators to keep its markets solvent. In other words, it’s the job of liquidators to ensure borrowed funds are paid back to depositors. If liquidators don’t liquidate under-collateralized positions, the Silo protocol will try to liquidate positions using its own liquidation bot. However, there is no guarantee that Silo’s own liquidation bot will be able to liquidate positions fast enough to prevent insolvency. In such an event, the seized collateral either cannot be liquidated due to lack of liquidity on the market or the liquidation event would result in a negative return when performed. Either events lead to borrowed loans not paid off and depositors accruing bad debt
Another risk is incurring a hefty liquidation fee. In this scenario, your collateral is seized and liquidated when your loan becomes under-collateralized, resulting in a hefty liquidation penalty. Silo uses full-collateralization liquidation where your entire collateral is given to a liquidator to sell off and pay back your loan. If your collateral is liquidated, you are only left with the funds you have borrowed.
The Silo protocol allows for the integration of different iterations of the interest rate model across different silos. For example, stablecoin silos can use a differently-configured model than that of volatile assets.
The implemented interest model might result in both known and unknown risks. Known risks include soaring interest rates as a result of critical utilization. These soaring interest rates may cause loans to be liquidated very quickly.
Unknown risks originate from the interest model behaving in unforeseeable ways, including but not limited to:
- Interest rate soar extremely quickly resulting in borrowers accruing debt fast, possibly causing liquidations.
- Interest rates are manipulated in some silos resulting in depositors collecting large amounts of interest from borrowers.
Silo’s lending markets don’t share risk, i.e. they are risk-isolated. However, one or more silos might be exposed to economic risks of a shortfall in collateral, which would leave depositors unable to collect some of all of their principal. While these collateral shortfalls could be caused by a bug in a smart contract, a common, known economic risk is collateral shortfalls related to rapid and/or large changes in the price of tokens being used as collateral.
Governance-induced loss of funds is possible. One example of such attacks is adding a malicious token asset as a bridge asset to all Silos. In this scenario, If a majority of token holders decides to vote to add the malicious token asset as a bridge, the attackers can drain funds across the entire protocol. Governance attacks are possible when a party somehow acquires enough tokens to make a malicious change through governance.
Additionally, since deploying a silo is permissionless, it’s possible to create an on-chain vote to deploy a malicious silo. If token holders vote to deploy the silo, users depositing funds into the silo can lose their funds. It’s also possible that the community chooses to deploy a silo for a known token asset that happens to be a rug project. Though flash loans cannot be performed on Silo directly, flash loans impacting our price oracles (i.e. Uniswap v3 and Balancer v2) may cause bad debt and cascading liquidations since our protocol is reliant on their price feeds.
There may be situations where a depositor’s tokens cannot be withdrawn due to high utilization of the depositor’s tokens. Front-end Bugs Users might lose funds due to exploited vulnerabilities in the security of Silo’s application, i.e frontend. This includes but is not limited to vulnerabilities in code related to libraries like Web3.js or Ethers.js that interact with smart contracts.