Operational Risk

We verified historical events that have resulted in a loss of funds from decentralized banking protocols and would like to emphasize the following two major operational risk event types:

  • Oracle manipulation flash loan attacks. In these attacks, the attacker uses liquidity from flash loans to manipulate the price of an asset on the pricing oracles used by a lending protocol. This enables the attacker to take out an under-collateralized loan on the protocol. Even though the attacker forfeits the collateral, the lending protocol still loses money because the loan is under-collateralized.

    Based on historical events, flash loan attacks can steal up to 2.3% of the total value locked of the protocol.

  • Smart Contract Bugs. In this instance, an individual with an in-depth understanding of smart contract logic can find and exploit a vulnerability in the protocol.

    Based on historical events, smart contract bug exploits can steal up to 4% of the total value locked of the platform.

The potential risk of these events as of 13 October 2021 is shown below (Table 5 and Table 6).

Table 5 - Major Operational Risk Event Types for AAVE Protocol

Table 6 - Major Operational Risk Event Types for Compound Protocol

The risk can be mitigated by diversifying the market data sources and the collateral base. In both cases, Aave is perceived to be better positioned because it has access to more resources to build a mitigation strategy.
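An added illustration, not part of the original report: a toy model of the collateral check behind the oracle manipulation scenario, comparing the protocol's loss when it trusts a single price source with the loss when it takes a median over diversified sources. The 75% loan-to-value limit, the 10% deviation threshold, the source names and all prices are constructed assumptions.

```python
from statistics import median

LTV = 0.75  # assumed loan-to-value limit (constructed for this example)

def max_borrow(collateral_units, oracle_price, ltv=LTV):
    """Largest loan the protocol grants against the collateral at the reported price."""
    return collateral_units * oracle_price * ltv

def protocol_loss(collateral_units, oracle_price, true_price, ltv=LTV):
    """Bad debt left after a default, when the seized collateral sells at its true price."""
    loan = max_borrow(collateral_units, oracle_price, ltv)
    recovered = collateral_units * true_price
    return max(0.0, loan - recovered)

def aggregated_price(quotes, max_deviation=0.10):
    """Median over independent sources, plus the names of sources that deviate from it.

    Raises ValueError when half or more of the sources disagree with the median,
    because the median itself can no longer be trusted in that case.
    """
    mid = median(quotes.values())
    outliers = {name for name, price in quotes.items()
                if abs(price - mid) / mid > max_deviation}
    if len(outliers) * 2 >= len(quotes):
        raise ValueError("sources disagree; pause borrowing against this asset")
    return mid, outliers

# Constructed sample data: one thinly traded pool reports an inflated price.
TRUE_PRICE = 10.0
COLLATERAL = 1_000_000
QUOTES = {"dex_pool_a": 25.0, "dex_pool_b": 10.1, "cex_feed": 9.9, "aggregator": 10.0}

if __name__ == "__main__":
    single = protocol_loss(COLLATERAL, QUOTES["dex_pool_a"], TRUE_PRICE)
    price, flagged = aggregated_price(QUOTES)
    diversified = protocol_loss(COLLATERAL, price, TRUE_PRICE)
    print(f"single source : oracle=25.00 loss={single:,.0f}")
    print(f"diversified   : oracle={price:.2f} loss={diversified:,.0f} flagged={sorted(flagged)}")
```

The deviation check doubles as a monitoring signal: a flagged source is worth alerting on even when the median keeps the loan check sound.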

Under normal market conditions, operational risk events can cause losses of up to 12% of the annual profit. For Aave this is $6.9M, and for Compound it is $3.7M.

Summary

All crypto projects are subject to industry-specific operational risks. Flash loan attacks and smart contract bug exploits are common examples. In both instances, Aave is better situated to respond than Compound due to a proportionately higher amount of assets available to respond compared to funds at risk.
