Liquidity Management Attacks on Lending Markets

Authors Alireza Arjmand , Majid Khabbazian

Thumbnail PDF


  • Filesize: 0.66 MB
  • 21 pages

Document Identifiers

Author Details

Alireza Arjmand
  • University of Alberta, Edmonton, Canada
Majid Khabbazian
  • University of Alberta, Edmonton, Canada

Cite AsGet BibTex

Alireza Arjmand and Majid Khabbazian. Liquidity Management Attacks on Lending Markets. In 5th Conference on Advances in Financial Technologies (AFT 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 282, pp. 27:1-27:21, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)


Decentralized Finance (DeFi) continues to open up promising opportunities for a broad spectrum of users, with lending pools emerging as a cornerstone of its applications. While prominent platforms like Compound and Aave maintain a large share of the funds in lending pools, numerous other smaller pools also exist. Many of these smaller entities draw heavily from the design principles of their larger counterparts due to the complex nature of lending pool design. This paper asserts that the design approaches that serve larger pools effectively may not necessarily be the most beneficial for smaller lending pools. We identify and elaborate on two liquidity management attacks, which can allow well-funded attackers to exploit specific circumstances within lending pools for personal gain. Although large lending pools, due to their vast and diverse liquidity and high user engagement, are generally less vulnerable to these attacks, smaller lending protocols may need to employ specialized defensive strategies, particularly during periods of low liquidity. We also show that beyond the six leading lending protocols, there exists a market value exceeding $1.75 billion. This considerable sum is dispersed among over 200 liquidity pools, posing a potentially attractive target for bad actors. Furthermore, we evaluate existing designs of lending pools and suggest a novel architecture that distinctly separates the liquidity and logic layers. This unique setup gives smaller pools the adaptability they need to link with larger, well-established pools. Despite encountering certain constraints, these emerging pools can leverage the considerable liquidity from larger pools until they generate sufficient funds to form their own standalone liquidity pools. This design cultivates a setting where multiple lending pools can integrate their liquidity components, thus encouraging a more diverse and robust liquidity environment.

Subject Classification

ACM Subject Classification
  • Security and privacy → Distributed systems security
  • Lending Pools
  • DeFi
  • Interest Rate
  • Liquidity Management Attack


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Aave protocol website, 2023. URL:
  2. Aave protocol whitepaper v1.0, 2020. URL:
  3. Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A survey of attacks on ethereum smart contracts. Cryptology ePrint Archive, Paper 2016/1007, 2016. URL:
  4. Massimo Bartoletti, James Hsin yu Chiang, and Alberto Lluch-Lafuente. Sok: Lending pools in decentralized finance, 2020. URL:
  5. Bnb bridge - rekt, 2022. URL:
  6. Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll, and Edward W. Felten. Sok: Research perspectives and challenges for bitcoin and cryptocurrencies. In 2015 IEEE Symposium on Security and Privacy, pages 104-121, 2015. URL:
  7. Compound protocol website, 2023. URL:
  8. Simon Cousaert, Jiahua Xu, and Toshiko Matsui. SoK: Yield aggregators in DeFi. In 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). IEEE, May 2022. URL:
  9. Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov, Lorenz Breidenbach, and Ari Juels. Flash boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges, 2019. URL:
  10. Defillama, 2023. URL:
  11. Shayan Eskandari, Seyedehmahsa Moosavi, and Jeremy Clark. Sok: Transparent dishonesty: front-running attacks on blockchain, 2019. URL:
  12. Flashbots documentation, 2023. URL:
  13. Mathis Gontier Delaunay, Quentin Garchery, Paul Frambot, Merlin Égalité, Julien Thomas, and Katia Babbar. Morpho V1 Yellow Paper. working paper or preprint, May 2023. URL:
  14. Lewis Gudgeon, Daniel Perez, Dominik Harz, Benjamin Livshits, and Arthur Gervais. The decentralized financial crisis, 2020. URL:
  15. Lewis Gudgeon, Sam M. Werner, Daniel Perez, and William J. Knottenbelt. Defi protocols for loanable funds: Interest rates, liquidity and market efficiency, 2020. URL:
  16. Matthias Hafner, Romain de Luze, Nicolas Greber, Juan Beccuti, Benedetto Biondi, Gidon Katten, Michelangelo Riccobene, and Alberto Arrigoni. Defi lending platform liquidity risk: The example of folks finance: Published in the journal of the british blockchain association, April 2023. URL:
  17. Justlend dao money market protocol v1.0, December 2020. URL:
  18. Robert Leshner and Geoffrey Hayes, February 2019. URL:
  19. Amani Moin, Kevin Sekniqi, and Emin Gun Sirer. Sok: A classification framework for stablecoin designs. In Joseph Bonneau and Nadia Heninger, editors, Financial Cryptography and Data Security, pages 174-197, Cham, 2020. Springer International Publishing. Google Scholar
  20. Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, May 2009. URL:
  21. OpenZeppelin. Openzeppelin/openzeppelin-contracts: Openzeppelin contracts is a library for secure smart contract development. URL:
  22. Poly network - rekt, 2021. URL:
  23. Kaihua Qin, Liyi Zhou, Yaroslav Afonin, Ludovico Lazzaretti, and Arthur Gervais. Cefi vs. defi - comparing centralized to decentralized finance, 2021. URL:
  24. Kaihua Qin, Liyi Zhou, Pablo Gamito, Philipp Jovanovic, and Arthur Gervais. An empirical study of DeFi liquidations. In Proceedings of the 21st ACM Internet Measurement Conference. ACM, November 2021. URL:
  25. Radiant documentation, 2023. URL:
  26. Huobi Research. Global crypto industry overview and trends[2022–2023 annual report](first part), December 2022. URL:
  27. Xiaotong Sun, Charalampos Stasinakis, and Georgios Sermpinis. Liquidity risks in lending protocols: Evidence from aave protocol, 2023. URL:
  28. Venus protocol documentation, 2023. URL:
  29. Anton Wahrstätter, Jens Ernstberger, Aviv Yaish, Liyi Zhou, Kaihua Qin, Taro Tsuchiya, Sebastian Steinhorst, Davor Svetinovic, Nicolas Christin, Mikolaj Barczentewicz, and Arthur Gervais. Blockchain censorship, 2023. URL:
  30. Anton Wahrstätter, Liyi Zhou, Kaihua Qin, Davor Svetinovic, and Arthur Gervais. Time to bribe: Measuring block construction market, 2023. URL:
  31. Sam M. Werner, Daniel Perez, Lewis Gudgeon, Ariah Klages-Mundt, Dominik Harz, and William J. Knottenbelt. Sok: Decentralized finance (defi), 2022. URL:
  32. Gavin Wood. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper, 151:1-32, 2014. Google Scholar
  33. Jiahua Xu, Krzysztof Paruch, Simon Cousaert, and Yebo Feng. SoK: Decentralized exchanges (DEX) with automated market maker (AMM) protocols. ACM Computing Surveys, 55(11):1-50, February 2023. URL:
  34. Liyi Zhou, Kaihua Qin, Christof Ferreira Torres, Duc V Le, and Arthur Gervais. High-frequency trading on decentralized on-chain exchanges, 2020. URL:
  35. Liyi Zhou, Xihan Xiong, Jens Ernstberger, Stefanos Chaliasos, Zhipeng Wang, Ye Wang, Kaihua Qin, Roger Wattenhofer, Dawn Song, and Arthur Gervais. Sok: Decentralized finance (defi) attacks, 2023. URL:
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail