SlowMist: Sharing of a safe way to obtain LP prices
At present, the demand for using LP Token for mortgage lending is increasing, but there is currently no comprehensive method for securely obtaining the price of LP Token on the market. In the process of analyzing the method of obtaining LP Token price, the SlowMist security team paid attention to the Alpha Finance team’s method of safely obtaining LP price. After reading carefully, I will share relevant thoughts with everyone.
Analysis of LP Token price acquisition
At present, the common ways to obtain LP Token prices are as follows:
Among them, r0, r1 respectively represent the stock of two tokens in the Uniswap trading pair, and price0, price1 represent the prices of the corresponding tokens of r0 and r1, respectively. The above formula is simply to calculate the sum of the total value of the two tokens in the transaction pair, and then divide by the total number of LP Tokens to get the value of a single LP.
Generally speaking, price0 and price1 will both take the delayed price provided by Uniswap itself. But there is a risk of being attacked by flash loans. Although price0 and price1 cannot be manipulated, r0 and r1 can be manipulated. By manipulating the values of r0 and r1, the entire formula can be manipulated.
So is there a way to obtain a safe LP Token price so that the stock of tokens cannot be manipulated? The Alpha Finance team provided an idea:
According to Alpha Finance’s analysis, the whole process is divided into 3 steps:
1)The first step is to obtain the number of corresponding tokens in the trading pair through Uniswap’s getReserves interface, and calculate K
2)The second step is to obtain the corresponding price of each token in the trading pair, and then calculate the ratio of the token price P
3)The third step is to reverse the true token stock through the relationship between K and P.
After completing the above 3 steps, the final LP Token price acquisition formula will become as follows:
First of all, we know that Uniswap uses a constant product algorithm. To put it simply, x * y = K, that is, the value of K before and after the transaction will not change. Without discussing the handling fee, the K value theoretically will not change. Let us remember this premise first. Then, get the respective price of each token in the trading pair, for example, the price of USDT. Take the ETH-BTC trading pair as an example. Assuming that the price of ETH is 650 USDT and the price of BTC is 22,000 USDT, then the price ratio P of ETH/BTC is 0.03. After obtaining the price ratio P, directly use the K obtained in step 1 to calculate K/P and K*P to obtain a normal quantity of the corresponding trading pair. The following is the corresponding description of step 3, namely the step of obtaining the normal quantity.
Now let’s explain step 3 above：
First, the formula for constant product is:
In fact, x and y can be calculated separately according to K. Then according to step 2 of the previous section, we get the ratio P of the prices of x and y. Since Uniswap itself determines the corresponding price based on the ratio of tokens in the pool, the ratio P itself is the ratio of x/y prices. Then, since K = x * y, and P is the ratio calculated from the correct price, then we can actually use this real K and x/y to reverse the real x and y.
The calculation is as follows:
First, we get the following formula based on the ratio of P and r0,r1:
Then, according to P, the real r0, r1 can be reversed, as follows:
Then, after getting the correct ratio of x and y, the price of LP will be the following formula:
Then converted to the following:
Will it be attacked?
After completing the analysis of the formula, we know that as long as there is a correct price ratio P, we can reverse the real r0 and r1 according to this ratio, and finally get the formula:
So, can this formula be attacked? From the formula, we can know that the price0 and price1 of the formula are the correct prices obtained by trusted sources. This value cannot be manipulated, and then totalSupply. Although this value can be manipulated, it is in the process of controlling the LP price to attack. Changing totalSupply can only change the amount of your mortgage. This is temporarily useless. Then the only things that can be manipulated are the values of r0 and r1. How to change the value of r0, r1? Two ideas are provided below for analysis:
Idea 1: Direct token exchange
We know that in the token pool, no matter what algorithm is used for calculation, the token pool will inevitably change the number of tokens in the process of token exchange. Can this change ultimately manipulate the formula? Actually it is not possible. We know that in the constant product model, x * y = K is always true, which means that no matter how the exchange of tokens occurs during the transaction, the value of K is always the same. Situation), and the formula uses r0 and r1 to multiply, so it is actually not feasible to use token exchange to manipulate the formula.
Idea 2: Put the tokens directly into the token pool
This kind of thinking is crude. You can directly ignore the K value to manipulate the value of r0 and r1 multiplied, but after my calculations, this method seems to be feasible, but it is not. Although the purpose of manipulation is achieved, because the formula itself uses the root sign model when obtaining the final price, the final profit obtained is the profit after the root sign. For example, if you pay a cost of 10,000, you can only get a maximum of 100 in the end. This is obviously not cost-effective. So this kind of thinking is not feasible.
Scope of application
The scope of application of this algorithm is limited to the acquisition of the LP price of the token pool applicable to the AMM model, because the entire derivation process is based on the basic characteristics of K in the constant product formula. It is not feasible for the transaction pair algorithm to which the acquired LP itself belongs to not use the AMM model, because in this case, all the previous assumptions are no longer valid, so the calculation of the corresponding formula is naturally invalid.
LP mortgage has become an urgent need. At present, there is no better way (such as LP price feed provided by ChainLink, Uniswap provides delayed LP interface, etc.), Alpha Finance can be said to be a safer implementation method , Making the attack on quantity control infeasible or very costly. Of course, with the emergence of more and more scenarios, this algorithm is not necessarily omnipotent. The project party needs to combine its own scenarios and use the algorithm reasonably to achieve good results. In addition, it is particularly important to note that although the final form of the formula uses the multiplication of r0, r1 and price0, price1 with the root sign, when it is actually implemented, the specific values of r0 and r1 need to be derived according to K, otherwise There will be a certain error.
Reference link：Alpha Finance’s method of obtaining fair LP prices
SlowMist Technology is a company focused on blockchain ecosystem security. It has served many top or well-known projects around the world through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions” and has nearly a thousand commercial customers. SlowMist’s security solutions include security audit, threat intelligence (BTI), bug bounty, defense deployment, security consultant, and other services. SlowMist is equipped with cryptocurrency anti-money laundering (AML), false top-up scanner, vulnerability scanner, and vulnerability monitoring (Vulpush), hacked project archives (SlowMist Hacked), smart contract firewall (FireWall.X), Safe Staking and other SAAS security products. It has been widely concerned and recognized by the industry.