Saddle Finance Arbitrage Exploit

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Saddle Finance

Saddle Finance is an automated market maker for pegged crypto-assets. (Think stablecoins but for other assets like BTC.) Their initial launch saw users lose over $275k due to arbitrage exploits.

While the Saddle Finance team did mention looking into payouts from their treasury multi-sig, they also stated that they thought their smart contract performed as expected. It's unclear whether any affected users were made right. Their Medium page does not appear to mention the issue after the initial post.

This is a global/international case not involving a specific country.

About Saddle Finance

"Saddle is an automated market maker optimized for trading between pegged value crypto assets." "Saddle Finance was launched on Jan. 20, with the aim of alleviating the problematic spread between stablecoins and wrapped or tokenized crypto assets." "Saddle is the easiest way to trade and earn with pegged value crypto assets, beginning with tokenized bitcoin."

"Saddle is built by DeFi natives with prior years of developer experience at Web2 companies like Uber, Amazon, and Square." "According to the founder of the Saddle Finance platform Sunil Shrivastava, the main reason for creating the Saddle platform is to reduce the slippage chances of tradable assets by providing users the unequal opportunities to choose from four tokenized Bitcoin liquidity pools, including sBTC, tBTC, renBTC, and wBTC."

"Pegged value crypto assets are tokens that have their value pegged to an underlying asset by some means. For example, the value of a stablecoin or tokenized bitcoin is supposed to be $1 or 1 BTC, respectively."

"Different subtypes of pegged value crypto assets (i.e. USDT and USDC, or wBTC and renBTC) are better suited for specific on-chain actions, or may be supported only by specific applications. Trading in between those assets, therefore, should be as simple as exchanging 1–1. In other words, there should exist little to no arbitrage opportunity when trading between one stablecoin and another; users should be able to retrieve 1 USDT for 1 USDC — or as close to that as feasible."

"The issue with the pegged value asset market today is that the desired 1–1 trading isn’t easily accessible. Trading among and in between these types of assets can be expensive and inefficient, resulting in lost capital and therefore lost market leverage." "Saddle solves the pegged value crypto asset trading problem by offering an AMM specifically tailored to allow users to trade in between these assets with minimal slippage. Saddle achieves this through the StableSwap algorithm, enabling an autonomous market maker that allows for the transfer of pegged value assets with minimal slippage."

"Bitcoin is the largest cryptocurrency by market capitalization, and the amount of tokenized BTC on Ethereum has been exploding — the supply has increased ~135X in 2020. Despite this growth, tokenized BTC is often not a priority when it comes to features and support. We believe bitcoin deserves to be treated as a first-class citizen in DeFi."

"What’s different about Saddle is our commitment to open-source software and collaboration. The promise of DeFi, and of financial lego blocks, can only be fulfilled with a willingness to share and help one another. Our ethos is rooted in this desire to support the ecosystem."

"In terms of audits, Saddle Finance has undergone three back-to-back smart contract audits with Certik, Quantstamp, and Open Zeppelin." "The security of user funds is our top priority. Saddle is built on our new Solidity implementation of the StableSwap algorithm. Deploying new code that deals with money requires extra care and scrutiny, which is why we conducted three back-to-back smart contract audits with Certik, Quantstamp, and Open Zeppelin."

"It is also adopting the guarded launch mechanism." "Saddle is launching with Proof of Governance to protect our users with certain limits and discourage sybil attacks. Initially, there will be a pool TVL cap of 150 BTC and a per-address deposit limit of 1 BTC. These limits will be raised every 1–2 weeks." "For LPs to qualify for PoG, an address must have demonstrated active network participation."

"Within a few hours of going live [on January 20th], however, whales had taken advantage of the new protocol by arbitraging for huge profits." "Many investors reportedly lost a large chunk of their investments."

"During their launch in January this year, at least three major arbs took over 7.9 BTC ($275,735) from the early liquidity providers within 6 minutes, despite their claim to “have solved the problem of slippage”"

"One early exploiter swapped 0.34 sBTC, a Bitcoin-pegged token on Synthetix, for 4.36 Wrapped Bitcoin (wBTC). The arbitrage netted the whale a huge profit of around $150,000." "The trade offered an almost 13x return on investment."

"Two other similar transactions were registered on the platform, as noted by the analyst Igor Igamberdiev. One transaction swapped 0.09 tBTC for 3.2 WBTC, an even higher return of 35x."

"In response to some of those early transactions with high slippage, we’ve updated the front end to make high slippage warnings even more explicit. Since those early transactions, the pool composition has corrected and we are witnessing swaps being made at a much closer rate, as intended." "From our initial investigation the smart contracts are functioning as expected, but individuals may not have yielded to warnings of high slippage when using the deposit form and subsequently reviewing their deposits."

"Although this was only arbitrage, the users still lost out, as Saddle Finance was unable to protect them from the arbitrageurs, who were simply buying and selling, within the limitations of the code."

"[T]he guarded launch mechanism limit[s] deposits and maximum swap amounts to ensure smooth functioning. While the protocol has worked as intended in this scenario, it may be meager consolation for those losing funds on these arbitrage trades."

"Our team is still looking into how we can learn from these early transactions and we are currently in discussions with members of the Saddle community multisig who oversee a discretionary community treasury." "Moving forward, our hope is to strike a balance between providing adequate user protections while empowering anyone to make choices according to their risk appetite."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Saddle Finance Arbitrage Exploit
Date	Event	Description
January 19th, 2021 12:00:00 AM	First Event	This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

There doesn't have to be a hack for users to lose funds unfairly. Simply having very low liquidity in a platform can allow for a significant arbitrage exploit on a new platform. The industry can benefit from a neutral third party organization to evaluate the situation with consideration for both affected users and the platforms involved, and from having funds set aside independent of the specific platform.