Explained: The Fei Protocol Bug (April 2021)


Rob Behnke

April 8th, 2021


On April 6, 2021, the team behind the Fei protocol announced a vulnerability that led to purchases of FEI tokens from its incentivized pool being blocked. Combined with how the Fei protocol works, this left the pool unusable for a time with high value locked inside.

What is Protocol Controlled Value?

The Fei protocol is designed to be an algorithmically-controlled stablecoin. This means that the protocol’s FEI token attempts to match the value of the US dollar as closely as possible.

It accomplishes this by attempting to match the value of the USDC stablecoin via protocol controlled value.

Protocol controlled value imposes certain rewards and penalties on trades with the FEI-ETH Uniswap pool. These can be broken up into three types of incentives:

  1. For sales to the pool when FEI’s value is $.9-$1.0, the pool will burn some of the tokens associated with the sale, which impacts its effective price. The number of tokens burned is proportional to the square of the difference between the value of the FEI token and the US dollar. The cutoff is at $.9 because the ten cent difference creates a burn rate of 100%.
  2. For sales to the pool when the value of FEI is less than $.9, the sale fails.
  3. For purchases from the pool when the value of the FEI token is less than $1, the purchaser is offered additional FEI as a rebate.

These incentives help to push the value of FEI as close to $1 as possible in every buy and sell.  

However, they are not a perfect measure, and the system can be fragile.

Inside The Fei Bug

As mentioned above, the FEI researchers shut down the rebate program in their protocol due to a discovered vulnerability.  This means that it is effectively impossible to purchase FEI from the FEI-ETH Uniswap pool.

At the same time, the value of FEI fell below $.9, the point where transactions start failing due to the inability to burn FEI tokens to rebalance the value of the token. As a result, it is effectively impossible to buy or sell FEI tokens using the Uniswap pool.

However, this is not a permanent problem.  The Fei team plans to reopen incentivized purchases after the potential minting vulnerability is resolved.  Additionally, it is still possible to buy and sell FEI tokens on the MXC centralized exchange at a value of $.70 or on a FEI-DAI Uniswap pool at $.76.
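The incentive rules and the resulting two-sided lockup described above can be modelled in a few lines. This is an added example, not code from the Fei protocol or from this article; the function names, the `rebates_enabled` flag and the sample prices are assumptions made for illustration, and the burn constant is derived only from the article's statement that a ten cent gap gives a 100% burn.

```python
from decimal import Decimal

PEG = Decimal("1.00")            # target FEI price in USD (from the article)
FULL_BURN_GAP = Decimal("0.10")  # a ten cent gap burns 100% (from the article)


def burn_fraction(price: Decimal) -> Decimal:
    """Share of a sale that is burned: proportional to the squared gap to $1."""
    gap = max(PEG - price, Decimal("0"))
    return min((gap / FULL_BURN_GAP) ** 2, Decimal("1"))


def sell(price: Decimal, amount: Decimal) -> dict:
    """Sale of `amount` FEI to the pool at the current FEI price."""
    if price < PEG - FULL_BURN_GAP:
        return {"ok": False, "reason": "price below $0.90, sale fails"}
    burned = amount * burn_fraction(price)
    return {"ok": True, "burned": burned, "kept": amount - burned}


def buy(price: Decimal, rebates_enabled: bool) -> dict:
    """Purchase from the pool. Assumption taken from the article: with the
    rebate program shut down, purchases from this pool are blocked."""
    if not rebates_enabled:
        return {"ok": False, "reason": "incentivized purchases paused"}
    return {"ok": True, "rebate_offered": price < PEG}


def pool_status(price: Decimal, rebates_enabled: bool) -> tuple:
    """(can_buy, can_sell) for the pool at this price."""
    return (buy(price, rebates_enabled)["ok"],
            sell(price, Decimal("1"))["ok"])


if __name__ == "__main__":
    # Constructed sample prices, not market data.
    for p in ("0.99", "0.95", "0.90", "0.85"):
        price = Decimal(p)
        print(p, "burn:", burn_fraction(price),
              "rebates on:", pool_status(price, True),
              "rebates off:", pool_status(price, False))
```

With rebates paused and the price under $.90, `pool_status` returns `(False, False)`: the two controls, each reasonable on its own, combine into a pool nobody can trade against.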

The Value of Bug Bounties and Smart Contract Audits

The vulnerability in the Fei protocol was discovered and reported via the project’s bug bounty program.  This gave the team the opportunity to take action to block potential exploitation and work to fix the issue before the protocol could be attacked.

This incident demonstrates the value of a bug bounty program. While FEI token holders are inconvenienced by their current inability to trade with the incentivized pool and the depressed value of their tokens, this is a temporary problem and far preferable to the devaluing of the token through a minting attack.

However, this incident also underscores the value of comprehensive security audits before launching a blockchain-based platform.  If the vulnerability had been discovered and corrected pre-launch, there would have been no need to take down part of the system for repairs.


Get in touch with Halborn today to learn more about our security audits for blockchain companies: halborn@protonmail.com.