Skip to main content
Cooldown times

We like to watch trading in Float really closely, to make sure we understand how users interact with the protocol, and how we can improve the protocol using these insights. A few months ago we noticed some accounts that were interacting heavily with our AVAX and JOE markets on Avalanche. We believed that the activity shown warranted further scrutiny.

Our initial investigation showed that the accounts made losses on multiple trades, and didn’t appear to be anything other than the activity of experienced traders. Over time, as we monitored these addresses and captured more data, it became apparent that the amount of successful trades they made warranted deeper technical analysis.

In February this year we launched a serious internal investigation into the activity. We found no evidence that the trading activity was the result of any security issues that could put user funds at risk. To ensure our users were safe, we brought in external auditing firm Byterocket, who assigned three auditors to their external investigation. Byterocket affirmed that there were no security risks involved.

The investigations helped us get insight into the tactics being used by these addresses. We believe they built a program that analyzes the Chainlink oracle values before, after and during Float system updates, and then used a probabilistic trading strategy to make trades in Float with a success rate slightly higher than 50%. To draw an analogy, it seemed as though they were “counting cards” – acting fairly within the rules of the system and gaining a very slight probabilistic advantage.

We promptly prevented this trading strat by deploying a mandatory cooldown period greater than the duration of 95% of the trades made by the wallets in question. We shipped it in early March, and shortly afterwards the wallets involved ceased to interact with Float.

Because of this activity, users who had positions in our Avalanche deployment in the AVAX and JOE markets from February 2022 to 3 March 2022 may have found that the performance of their portfolios was different from what could have been expected based on the fluctuations in exposure due to this activity.

Always remember, DeFi is inherently risky. We again remind all users to look at this non-exhaustive list of the risks involved with using the protocol during the alpha.

You can read the full report from Byterocket here.