$2 000 000 000 USD

JUNE 2021

GLOBAL

IRON FINANCE

DESCRIPTION OF EVENTS

Iron Finance is "[b]uilding a multi-chain partial-collateralized DeFi and algorithmic stablecoin ecosystem" and offers "a Partially-collateralized Stablecoin on the Binance Smart Chain".

 

"Iron Finance is behind two coins: $IRON and $TITAN. The former is a form of stablecoin, only instead of it being pegged to the dollar, 1 IRON gets you $0.75 of USDC stablecoin and $0.25 of $TITAN. The reverse is also true: burning $0.25 of TITAN and sending $0.75 of USDC gets you one IRON." "TITAN is a share token that backs the development of a stablecoin called IRON. Stablecoins are cryptocurrencies whose prices are "pegged" to that of a commodity or fiat currency, to keep them stable. Users can mint new IRON stablecoins by locking up TITAN tokens. And the more new stablecoins are minted, the lower the supply of TITAN, and the higher the price." "To incentivize USDC staking in its liquidity pools, the project had offered yields up to 10,000% APY in TITAN tokens."

 

"Technically, the domain address Iron.Finance was registered under NORSK HEDGE-FOND AS, a limited liability company based in Oslo, Norway." A "patent filing by Zachrisson anyone can find from the Norwegian Industrial Property Office reveals a second business entity Zachrisson is connected to, Harmonychain. Harmonychain is a publicly traded ($HMONY) nordic company based also in Oslo, Norway. It offers customers third party mining services that are environmentally-friendly. It also wants to build a mining supercomputer."

 

On June 10th, Iron Finance announced they were "happy to work with team Peckshield on the first complete audit of Iron Finance on Polygon." The audit was due to start on June 18th. "Some argue the interest from billionaire investor Mark Cuban [got many engaged] as people discovered his DeFi wallet and alleged that he is the sole provider of TITAN/Dai on the Polygon blockchain."

 

"In the beginning, users were receiving a return of an incredible 2%-5% per day." "The incident started when TITAN became overpriced, perhaps due to users purchasing the token in order to farm TITAN pairs at ~50,000% APY." "Total Value Locked on the protocol peaked at over $3 billion on June 15, while TITAN, the protocol’s collateral token, rose over 100x since its launch to $6."

 

"Decent APRs -> Demand for IRON -> TITAN supply burnt -> TITAN Price Pump -> Higher APRs -> Higher Demand for IRON -> and so on. It is a cycle that feeds itself. APRs went from a humble 50% to 960% at peak." "What happens when $TITAN prices are too high? The farms will simply give out too much $TITAN supply. At $TITAN's peak of $64, the farms were handing out $48m worth of TITAN a day!"

 

Redeeming reportedly "started as early as 13th June in seemingly modest and innocuous volumes which later grew to sizes in excess of 100K Iron, contributing to the dreaded depeg." "Some large TITAN sales were made and the price became volatile, making investors nervous, and leading them to also sell their tokens."

 

"On June 16, 2021 Iron Finance experienced a bank run when a weakness in the stabilization mechanism pushed the price of TITAN token to 0." "Not a hack but a stampede. The bull market finished late on Iron Finance, but the IRON stablecoin quickly melted when a mass panic gripped the nervous TITAN token holders." "[O]n June 16, a few large sales kicked off a stampede for the exits, sending TITAN from $62 to nearly zero in just 16 hours as the IRON stablecoin lost its peg." "Liquidity worth over 2M was being drained from the Iron/USDC pool in batches in the afternoon of the fateful day." "The token was recently changing hands for around $0.000000035, down from Wednesday’s high of $65. The fallout, which has been swift, has brought the project to its knees."

 

"The price of $TITAN fell to zero, prompting Iron Finance to call for all holders to withdraw liquidity from the pools after being hit by what it called a "bank run."" "Cuban was one of those liquidity providers on QuickSwap, a decentralized exchange." "This created a situation in which users could now redeem a token worth 90 cents, for 75 cents of stablecoin and 25 cents of TITAN. An incredible arbitrage opportunity which required minting new TITAN tokens each time." "The market was flooded with freshly minted TITAN, and a panic sale began, pushing down the TITAN price and therefore making the IRON stablecoin lose its peg even further."

 

"As long as IRON is not at peg, TITAN will continue to drop, and as long as TITAN continues to drop, IRON will not be at peg."

 

"If we had a twap at 1days, we will redeem at yesterday price, and we will have 24h to dump iron, redeem at yesterday price, and dump again … gap between price and twap will be more and more important, so arbitrage (redeeming) will be more and more profitable, as the iron will keep dumping …"

 

"[T]he contract was fed a command to change the _period parameter to update the price to 60s, exactly like what Wakko recommended. At this point you would give plausible deniability and only fault Ironstar and co for gross negligence. But two hours later another _period modification was pushed to the contract with a value of 600s. We’re back to the 10 min TWAP delay that enabled the TVL drain in the first place!" "Having a TWAP on top of a mint/redeem equation simply presents arbitragers more degrees of freedom from which they can employ bots to destabilize the price. Everyone (not just arbi bots) moved to crash the market yes, but having the Twap mounts a rigged irregularity into the system that would catalyze such apocalyptic scenarios further."

 

"Here is an example: TITAN dropped 25% from $64 to $48 within 1 minute. The 10 min TWAP oracle lags behind and tells the protocol that TITAN is still around $60."

 

"Currently, the team plans to conduct an “in-depth analysis of the protocol” in order to grasp what happened during this unusual event. The post mortem also contains a quote from an Iron Finance investor and the founder of Finder.com.au, Fred Schebesta."

 

“There was no rug pull or exploits,” said Schebesta. “What happened is just the worst thing that could possibly happen considering their tokenomics,” the Iron Finance blog post concludes. "As crypto markets are quite crazy, it is not uncommon for a stablecoin to lose its peg. However, due to this possibility, every stablecoin needs a mechanism of protection for such fluctuations. In IRON’s sense, their only mechanism was assuming that arbitrage users would buy cheap IRON from the market when the price dips and thus redeem it for USDC+TITAN and then sell TITAN for profit."

 

However, it was found that "[t]he code structure is similar to that of cross-function reentrancy attacks, which have been a staple in DeFi exploits. [O]nly the names of the operants differ and the actual functionality is exactly the same."

 

"[T]he MasterChef contracts all have an emergencyWithdraw [function] that display the class re-entrancy attack… basically allowing unlimited funds to be siphoned." "[A]nyone could have called emergencyWithdraw this way to withdraw funds from the pools — there is no ownership requirement to do this." "Since the user's balance is not set to 0 until the very end of the function, the second (and later) invocations will still succeed, and will withdraw the balance over and over again."

 

"[T]he best way to prevent this attack is to make sure you don't call an external function until you've done all the internal work you need to do." "The facts show that the code was written in such a way to allow anyone to siphon off cash from the protocol."

 

"It would be pretty unbecoming if the people didn’t band together against centralized entities in Decentralized Finance which caused this debacle. But the people did, and with the official telegram group being constantly barraged by links to [an] expose on Medium, Iron Finance was forced to respond two days ago with a compensation plan. Iron also stopped muting its telegram group, which it had repeatedly done in the past, even when its tokens were crashing. I dare say it was because they realized they couldn’t control what their stakeholders wanted to say in the unofficial group."

 

"The crash has famously affected Mark Cuban who called for DeFi regulation."

 

"Even when the team tweeted about the disaster and told their users to withdraw liquidity from all pools, they continued to take a % fee from those trying to redeem what was left of their money. Savage."

 

"We would like to begin by again expressing our sincerest apology to every user who lost funds from the IRON V1 collapse. The protocol was growing really too fast and by the time we realized this was not a regular correction in the price of TITAN, it was already too late and by that time we couldn’t do anything to stop the protocol from collapsing completely. In a separate article, we plan to go in-depth on how V1 collapsed and what are the lessons learned. This article will be focused on feedback and plans for an improved V2."

 

"We will continue to develop our major products including IronSwap (Stableswap DEX), IronLend, and Iron stablecoin We are redesigning and rewriting our core Iron Stablecoin product from scratch. We also want community and expert feedback on the new draft design, once it is complete. To prepare the ecosystem for the arrival of IRON V2, we will launch IronSwap and IronLend first. Our expected launch timeline for IronSwap is 2nd week of July 2021, followed by IronLend (alpha version) second half of July 2021. The whole UI/UX of the Iron Finance ecosystem will undergo an overhaul to give all users a new and refreshing experience. Our private vaults feature will be upgraded and moved to a separate website, and will operate as a contribution from our team to the community. We will form the IronDAO to increase governance engagement and encourage community decision-making."

 

"We will use 29% of the total supply of TITANv2 to compensate users who lost their capital." "This compensation will be linearly vested over 3 years for everyone and later can be changed by community voting using the new IronDAO."

 

"We have learned a great deal from this incident and while nothing could be fixed in the current system, we will continue our journey with more products in the future."

Iron Finance was a relatively new stablecoin protocol which created a coin backed 75% by USDC and 25% by a coin called TITAN. The price of TITAN rose quickly, creating a feedback loop to incentivize massive investment. Once investors started to pull out, the loop reversed, creating a downward spiral as more TITAN were printed to achieve a valuation of $1. This was exacerbated by a delayed oracle, which made it profitable to exit quickly.

 

As it turns out, even if there hadn't been a bank run, the emergencyWithdraw function was set up such that it was vulnerable to a reentrancy attack, allowing the permission-less draining of the full pool.

 

The IRON token was backed by USDC, which could still be redeemed. Only the value of TITAN was lost, based on the price drop. Iron Finance plans to launch a new token, which will be used to compensate the original investors for their losses.

HOW COULD THIS HAVE BEEN PREVENTED?

The smart contract had not been subject to even an audit, and TITAN was subject to significant price fluctuations due to the new TITAN which were printed. In general, all blockchain assets have the ability to go to zero if a project fails, and special care should be paid to assets which have low liquidity, limited history, and complex minting algorithms.

 

Reentrancy attacks can be avoided by ensuring that all state changes (such as balance changes) are done before calling any external functions within the smart contract.

 

Check Our Framework For Safe Secure Exchange Platforms

Mark Cuban 'Hit' by Apparent DeFi Rug Pull - Decrypt (Jun 25)
Mark Cuban Calls for DeFi Regulation After Crypto Investment Goes to Zero - Decrypt (Jun 25)
@FinGeekCo Twitter (Jun 25)
Iron Finance Token Slides From $64 to Near Zero Following ‘Large-Scale Crypto Bank Run’ – News Bitcoin News – Callingemout (Jul 2)
Iron Finance Denies Rug Pull After Token Collapse | Crypto Briefing (Jul 23)
MARK CUBAN GOT RUG PULLED BY DEFI ALTCOIN IRON FINANCE - YouTube (Jul 2)
Rekt - Iron Finance - REKT (Jul 29)
Not Just a Bank Run: New Evidence Shows Iron Finance Crashed Due to Code Exploit - The Defiant - DeFi News (Jul 23)
No Title (Jul 29)
Iron Finance Post Mortem 17 June 2021 (Jul 29)
Analysis of the TITAN fall - Going the distance (Jul 29)
'There are investments and there are flyers': Mark Cuban on Titan's collapse (Jul 29)
Iron Finance Rebuilding (Aug 9)
Polygon Transaction Hash (Txhash) Details | PolygonScan  (Aug 9)
Telegram: Join Group Chat (Aug 9)
Known Attacks - Ethereum Smart Contract Best Practices (Aug 9)
Iron Finance Debacle Was It Really A Bank Run No (Aug 9)
Tenderly Dashboard (Aug 9)
IRON – Smart Iron Contracts (Aug 9)
Audit - Iron Finance (Aug 9)
Iron The First Partial Collateralized Stablecoin On Binance Smart Chain (May 25)
Beefy Finance New Polygon Network Vault For Iron Finance - Smart Liquidity Network (Aug 9)
IRON Finance - A Multi-Chain Partial-Collateralized Stablecoin Ecosystem (Aug 9)
IRON Titanium Token price today, TITAN live marketcap, chart, and info | CoinMarketCap (Aug 9)
Analysis of the TITAN Token Collapse: Iron.Finance Rugpull or DeFi Bank Run? - CipherTrace (Aug 9)
IRON Titanium Token (TITAN) Token Tracker | PolygonScan  (Aug 9)
IRON Titanium Token Price Prediction | Money Morning (Aug 9)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)
@fingeekco Twitter (Aug 10)
Iron Finance's Titan Token Falls to Near Zero in DeFi Panic Selling - CoinDesk (Aug 10)
Iron Finance’s Titan Token Crashes 100%, Takes Mark Cuban Down | The Hash - CoinDesk TV - YouTube (Aug 10)
What Happened to Algorithmic Stablecoins? - InvestoTrend (Jun 19)
nebra1 comments on Mark Cuban Invests in Scam Coin (Iron Titan Token) (Oct 28)

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.