Drift Settlement Plan

Drift Official Statement — 16 May 2022

On 11 May 2022 UTC, Drift Protocol was halted for trading on discovery of a smart contract bug that enabled users to withdraw more collateral than they were entitled to. This resulted in a shortfall in the collateral vault, which at the time of writing exceeds the current insurance fund. The bug was successfully contained by halting trading and all remaining user funds are currently secure in the on-chain program. The exchange will remain halted until the settlement and redemption plans below are executed.

Because of the shortfall caused by a smart contract bug, all positions will be settled based on the Settlement Mechanism, an on-chain mechanism detailed in this post.

The most important takeaway is that all traders impacted by this incident will have their settled collateral balances paid out in-full.

This payout process will occur over two steps: the first to fully distribute the entire insurance fund, and the second to redeem the remainder. Section 4: Redemption Plan details this process further.

This post is intended to detail how the settlement and redemption plans will be executed before bringing the exchange back online. Drift is working on getting the exchange back online as quickly as possible.

This post will cover:

  1. the circumstances that led to the protocol’s outage;
  2. an overview of the bug;
  3. the settlement methodology for the closure of user positions;
  4. the redemption plan for all affected users;
  5. Drift’s roadmap forward and exchange re-opening.

More granular details are provided at the appendix to the post regarding:

  • on-chain settlement steps; and
  • a technical document detailing the settlement and redemption mechanism.

1. Circumstances that led to the protocol’s outage

At around 11:40 UTC on 11 May 2022, LUNA markets started heavily destabilising, with prices dropping from $10 to $0.5 in approximately 7 hours. During the course of the extreme market instability, the Drift core developers noticed large withdrawals from the exchange and discovered a withdrawal PNL bug in the smart contracts.

At 19:37 UTC on 11 May 2022, the exchange was paused to investigate this bug further. Upon investigation, it was discovered that the bug on Drift’s open-sourced protocol-v1 enabled users to withdraw more collateral than they were entitled to from the collateral vault and insurance fund.

Following this discovery, withdrawals and trading were immediately suspended.

The entire remaining Insurance Fund and collateral vault–composed of all user funds across all markets–would have been drained if no action had been taken. Emergency action was necessary to safeguard the remaining funds.

In the days following the exchange outage, the core developers worked to develop a settlement and redemption plan. That process is now finalised and being reviewed before deployment.

2. Bug Overview

Based on the recent investigation, the account bug has existed undetected in the program since inception, despite the protocol being open-source with a substantial $500k+ bug bounty and a positive audit assessment by a leading smart contract security auditing firm (Zellic — report found here). The bug was amplified and revealed by the recent market volatility; specifically in relation to the LUNA-PERP market, where extreme volatility resulted in a 99% price drop over a matter of hours.

The Bug consisted of two issues:

  1. Realised Collateral Accounting: The Protocol had a collateral accounting issue that incorrectly allowed users to withdraw positive realised PNL without an equal amount of negative PNL being realised, in violation of the zero-sum nature of general AMMs. The AMM mechanism guarantees that every profitable trade is offset by an unprofitable trade (making the system zero-sum), it does not guarantee the order with which they close their positions. In this particular case, as the price of LUNA-PERP dropped precipitously, a large number of profitable shorters exited their position and withdrew their positive PNL before additional traders were able to realise their negative PNL on unprofitable positions, thus leading to unprecedented levered losses on the Protocol.
  2. Wrongful Withdrawal from Insurance Fund: The Protocol also incorrectly allowed users to directly withdraw from the collateral collected in each market’s Insurance Fund. The insurance fund is budgeted in a way to pay for funding payments as well as market operations. This led to unfair depletion of the insurance fund outside of the protocol’s record keeping and broke the incentive for users to continue trading on the dAMM.

These issues are orthogonal to the dAMM mechanics. With these issues fixed, the protocol will operate correctly and the vulnerabilities created by this Bug will be eliminated.

The levered loss that had occurred was $800k and the withdrawable collateral amount was at $10.1m ($5.18m shortfall when deducting the remaining Insurance Fund of $4.9m). The script for this calculation can be found here.*

3. Position Settlement Methodology

Per the methodology below, all open positions were settled at 19:37 UTC on Wednesday 11 May 2022 (the time of the second exchange pause).

The settlement methodology determines the total amount of collateral users can redeem based on their account balances and treatment of unrealised PNL on open positions. Each user’s unrealised PNL will be settled using a per-market factor that encapsulates each market’s claim on the remaining insurance fund.

User accounts will be settled by summing the following values:

1. Account Balance (Realised Collateral)

  • the accounted collateral on the user’s account which refers to the realised balance on a user’s account not in any unrealised positions.

2. Unrealised Funding

  • unrealised funding will be settled ‘as is’ at the time of the last exchange outage.

3. Settled Unrealised PnL

  • unrealised PnL is calculated using the user position’s Exit Price (see https://docs.drift.trade/glossary).
  • all unrealised positive PNL will be settled after scaling it by a per-market factor while unrealised negative PNL will be settled ‘as is’.
  • this scale factor is determined by the accounted funds in each market’s insurance fund divided by the total Unrealised PnL in the market. This represents each market’s relative claim over the remainder of the insurance fund. The scale factor is described below.
  • The formula for settling unrealised PNL is as follows:
  • Positions for all markets that have been settled and closed using the following multipliers, will be based on the per-market Insurance Fund on 11 May 2022 at 19:37 UTC as set out in the table below:

To calculate your settlement balance, the code for the position settlement has been pushed here and is fully open-sourced. The reproducible Python code for the calculation of the unrealised PNL can also be found here.

4. Settlement & Redemption Plan

With the staged redemption plan, all traders will be able to redeem the entirety of their settlement balance. This is paramount to the core developers and the community.

To facilitate the redemption process, a new user dashboard (app.drift.trade/redeem) will become available no later than 19:30 UTC 20th of May 2022.

The redemption UI will provide two figures:

(1) the amount immediately available for withdrawal; and

(2) the amount outstanding owed.

It will also feature two actions: (1) Roll Settlement Balance when trading resumes; or (2) Withdraw Funds.

During Stage 1 of the redemption plan, traders will be able to withdraw their prorated share of the total collateral remaining in the insurance fund. During Stage 2 of the redemption plan, traders will be able to withdraw the remainder of their settled balance. To support the community, Drift will use its balance sheet to replenish the Insurance Fund, enabling users to withdraw their full settled balance.

There is no time limit for the period of withdrawal. Users that have not elected to opt out of the redemption process and have not withdrawn will see their settled funds rolled over to their balance on the Protocol when the exchange re-opens and trading resumes.

Drift is committed to compensating all users’ entire outstanding balances as calculated by the settlement mechanism.

5. The Roadmap to bring Drift Online

Drift is committed to upgrading the smart contract and re-opening as soon as the bug is patched and additional risk management is added with sufficient review.

The following steps will take place to ensure the safe reopening of the Protocol:

  1. the core developers will address the issues that forced the exchange to be paused. For instance, adding a method for the Protocol to block users from withdrawing from the fee pool;
  2. the core developers will add additional risk management to the Protocol, such as formulaically increasing spreads and k-factor corresponding to price volatility;
  3. the code will be reviewed/audited by an independent party;
  4. a new Solana program will be deployed and the Protocol will resume with a fresh state; and
  5. user funds that are remaining on the redemption UI can be re-deposited into the new Solana program to be notified at a later date.

Concluding Remarks

We want to thank the community of Drifters that have provided us with continued patience and support. We’ve spoken to a number of affected users over the past three days and we’re continually surprised by the support and understanding that has been extended to us.

Notwithstanding this incident, we remain steadfast and strong in our mission to prove that decentralised futures exchanges are still the best way to trade.

We are aware that many questions still remain and we intend to discuss all aspects related to this outage with complete transparency. We regret the circumstances that took place and we will continue to make the best out of the current situation with confidence that we will rebuild as a platform, and as a community.

We are open to any and all constructive comments, questions, and suggestions during this period. If you have anything to say or ask, please join our Discord community in #General.

Appendix

On-Chain Settlement Steps

The following are steps that will be taken to settle positions and remaining exchange collateral:

  1. insurance vault tokens are sent to the collateral vault to simplify the claiming of collateral;
  2. all Drift team and investor accounts will be excluded from settlement process on-chain;
  3. the state of the settlement will be initialised on-chain where the settlement state tracks the size of all settled positions and how much collateral is claimable;
  4. users will then be able to settle their position and claim their pro-rata share of available collateral; and
  5. as additional funds are made available to the vault for users to claim funds from, users can withdraw their pro-rata share of new collateral until users’ balances are fully settled.

Technical Document — On-Chain Settlement and Redemption Mechanism (with code)

*There was a calculation error in the past post, with the prior shortfall amount being $10.4m. This has been corrected now, with detailed calculation to be found here.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Drift Protocol

Drift Protocol

A scalable, decentralised, capital-efficient derivatives exchange built on Solana.