Empty Market Attacks
In the DeFi lending ecosystem, Compound V2 established a benchmark that countless forks have followed. However, inheriting its code base without deeply understanding its nuances can leave open doors for specific attacks. One such exploitable vector—known as the “Empty Markets Attack”—has impacted Compound V2 forks like Hundred Finance (in April 2023) and Midas Capital (in June 2023, on the BNB Chain). These exploits allow attackers to manipulate the exchange rate in markets with zero or extremely low liquidity, resulting in oversized loans and massive fund drainage.
Context and Attack Vector Dynamics
Compound V2 provides a lending/borrowing model where users deposit assets and receive cTokens as receipts for these deposits. Using these cTokens as collateral, they can supply liquidity or take out loans. The exchange rate between cTokens and the underlying asset is dynamically calculated as:
Exchange Rate = (totalCash + totalBorrows - totalReserves) / totalSupply
Under normal conditions, totalSupply reflects the total amount of cTokens issued. However, if a market is nearly empty (with totalSupply ≈ 0), this formula becomes unstable. An attacker needs only to “donate” assets directly to the protocol contract (inflating totalCash) to artificially boost the exchange rate. This inflated exchange rate drastically increases the collateral’s perceived value, allowing the attacker to take out much larger loans than they should be able to.
The Hundred Finance Case
In the April 2023 exploit of Hundred Finance (a Compound V2 fork), the Forta Network observed a malicious contract created about 44 minutes before the attack. The attacker:
- Creates and funds a borrower contract with initial capital.
- Mints cTokens in an empty market and redeems most of the newly created tokens, retaining a small number of cTokens as collateral.
- Performs a “donation” directly to the pool contract, increasing totalCash without increasing totalSupply. This maneuver inflates the exchange rate to absurd levels, thereby boosting the collateral’s value.
- Takes out massive loans in another asset, leveraging the artificially inflated collateral.
- Recovers the “donation” through subsequent redeems and liquidations, returning the market to its original empty state—but leaving the protocol with significant losses.
This pattern repeated in other Compound V2 forks following the Hundred Finance incident. While the vulnerability was inherent to the Compound V2 code, it did not manifest in the original Compound markets because no active market had a non-zero Collateral Factor (CF) combined with extremely low supply. Compound Finance itself confirmed (via analyses by Daniel Von Fange, Hexagate, B Protocol, and OpenZeppelin) that the bug exists in the current code version, but ideal conditions for exploitation do not appear in Compound’s own v2 markets, and the vulnerability is not present in v3.
The Midas Capital Case
In June 2023, Midas Capital—another Compound V2 fork—was exploited similarly on the BNB Chain, losing roughly US$600,000. This time, the attacker exploited a rounding issue in the exchange rate calculation. Just like the Hundred Finance exploit, the attacker:
- Exploited a market with zero or negligible liquidity.
- Manipulated the exchange rate through multiple redeems and strategic token donations, inflating the collateral’s value.
- Used flash loans to supply and then reacquire tokens, creating mint/redeem cycles that amplified the perceived value of the provided collateral.
- Ultimately obtained a loan far exceeding what should have been allowed and drained the protocol’s funds.
This attack also highlighted the necessity of more extensive testing—fuzzing, formal verification, comprehensive unit and integration tests—and diligent third-party audits. It reinforced that simply forking the code is not enough; one must understand the invariants, economic assumptions, and edge cases.
Mitigations and Recommendations
1. Zero Collateral Factor for New Markets:
Compound and independent analysts recommend that when launching a new Compound V2 market (or a fork), you start with a zero CF until a significant totalSupply of cTokens is reached. Only after a sufficient liquidity base is established should the CF be raised. This prevents the market from being vulnerable during its “bootstrapping” phase.
2. Continuous Monitoring and Dynamic CF Adjustment:
Projects must continuously monitor supply, borrow levels, and liquidity. If a market becomes “empty” or shows excessive liquidity concentration, the CF can be set to zero preventively, mitigating manipulation attempts.
3. Burning cTokens and Maintaining Market Health:
For existing markets, burning cTokens can help avoid scenarios where totalSupply is dangerously close to zero, making exchange rate manipulation more difficult.
4. Rigorous Testing and Audits:
Tools like Foundry can run fuzz tests and simulations under adversarial conditions. Formal verification and property-based testing tools (such as Certora or Echidna), independent audits (Halborn, Code4rena, among others), and thorough analyses should be employed before going live with a market.
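Recommendations 1 and 2 above translate into a simple market-health check. The added example below (not any protocol's code) gates the collateral factor behind a supply floor and flags the donation signature the Hundred Finance write-up describes: totalCash rising while totalSupply and totalBorrows stay flat and the exchange rate jumps. The snapshot readings, the supply floor and the 10% jump threshold are constructed assumptions.

```python
# Added market-health monitor modelled on the mitigations above; not protocol code.
# Each Snapshot is an assumed per-block reading of one cToken market.
from typing import List, NamedTuple, Optional

EXP_SCALE = 10**18


class Snapshot(NamedTuple):
    block: int
    total_cash: int
    total_borrows: int
    total_reserves: int
    total_supply: int
    cf: int  # collateral factor mantissa; 7 * 10**17 == 70%


def exchange_rate(s: Snapshot) -> Optional[int]:
    """Page formula as a 1e18 mantissa; None for an empty market."""
    if s.total_supply == 0:
        return None
    return (s.total_cash + s.total_borrows - s.total_reserves) * EXP_SCALE // s.total_supply


def recommended_cf(s: Snapshot, min_supply: int) -> int:
    """Recommendation 1/2: below the supply floor the market should carry a zero CF."""
    return 0 if s.total_supply < min_supply else s.cf


def check_market(snaps: List[Snapshot], min_supply: int, max_rate_jump: float = 1.1) -> List[str]:
    """Return alerts for bootstrap-phase risk and for donation-like cash inflows."""
    alerts: List[str] = []
    for prev, cur in zip([None] + snaps[:-1], snaps):
        if cur.cf > 0 and cur.total_supply < min_supply:
            alerts.append(f"block {cur.block}: CF>0 while totalSupply {cur.total_supply} < floor {min_supply}")
        if prev is None:
            continue
        r0, r1 = exchange_rate(prev), exchange_rate(cur)
        # A mint raises cash AND supply; a repayment raises cash but lowers borrows.
        # Cash up with both flat, plus a rate jump, matches a direct "donation".
        donation_like = (cur.total_cash > prev.total_cash
                         and cur.total_supply == prev.total_supply
                         and cur.total_borrows == prev.total_borrows)
        if donation_like and r0 and r1 and r1 > r0 * max_rate_jump:
            alerts.append(f"block {cur.block}: totalCash rose with flat totalSupply; rate x{r1 / r0:.3g}")
    return alerts


MIN_SUPPLY = 10**6  # assumed floor of outstanding cTokens before CF may be non-zero
ATTACKED = [  # constructed: 2 cTokens left, CF 70%, then a 1M-token donation
    Snapshot(100, 1_000, 0, 0, 2, 7 * 10**17),
    Snapshot(101, 1_000 + 10**24, 0, 0, 2, 7 * 10**17),
]
HEALTHY = [  # constructed: deep market, a normal mint raises cash and supply together
    Snapshot(100, 10_000_000 * 10**18, 0, 0, 500_000_000 * 10**18, 7 * 10**17),
    Snapshot(101, 10_100_000 * 10**18, 0, 0, 505_000_000 * 10**18, 7 * 10**17),
]
```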
Conclusion
Empty Markets Attacks underscore the complexity and risk in Compound V2 forks that fail to address subtle economic logic gaps. By manipulating the exchange rate in markets with near-zero supply, attackers can transform a seemingly harmless environment into an instant goldmine. This type of flaw reinforces the need for a holistic security approach: you can’t just skim the Compound README and hit deploy. Understanding economic invariants, monitoring market health, maintaining proper CF settings, performing deep tests, and adopting preventative measures are all critical steps.
In short, Empty Markets Attacks serve as a stark reminder that DeFi security isn’t just about “clean code” but understanding the entire ecosystem—from the market life cycle and economic parameters to operational processes and integrated testing and auditing frameworks. At HellHex, our mission is to help you not only master the EVM but also avoid these “black holes” of security that can be extremely costly.