Liquity (LUSD)

LUSD is an inspiration for what DeFi should look like. Trustless, immutable and censorship-resistant. Use Liquity with an understanding of its one weakness – its Chainlink oracle.

Chris Blec

On its website, Liquity promotes LUSD as “a decentralized stablecoin capable of resisting all kinds of censorship.”

This is mostly true (I’ll get into the mostly in a minute). I believe that LUSD is one of the most critical building blocks available to DeFi today due to its mostly-trustless nature.

Unlike MakerDAO’s DAI, the LUSD ecosystem is running on completely immutable logic. There is no governance forum or token because there is no governance. Due to this, much like Uniswap v1-3, LUSD’s code can never be modified from the state that it was deployed in, nor can it be halted or stopped.

This provides a great level of comfort to those of us that recognize the power that state actors, regulators, corporations, hackers and others can have over DeFi code that is governed by a speculative token. But it also provides a moderate level of concern, since if any bugs are discovered in the LUSD code, they cannot be fixed; the code must be abandoned, and you just need to pray that you can get out in time.

When using LUSD, you can know without a shadow of a doubt that your collateral is beyond the reach of anyone aside from those who control your wallet (hopefully, that is just you). Bugs in the code could affect this assurance; however, LUSD is becoming more battle-tested with each passing day and it’s totally fair to assume that it will get safer as its TVL grows.

LUSD is one of the most exceptional DeFi projects in existence when it comes to its level of complete immutability.

The “but”

So, about that mostly earlier. There is one caveat with Liquity that any adversarial thinker should be aware of. That is its usage of Chainlink as an oracle.

Liquity uses an ETH price feed from Chainlink to determine when to liquidate troves. If a collateral ratio falls under 110% (or during Recovery Mode, under 150%) then it can be liquidated. This collateral ratio is determined based on the price data that comes from Chainlink.

Unlike Aave, Liquity has implemented a “sanity check” using a competing oracle provider called Tellor. If Chainlink’s price doesn’t get updated or sends extremely bad data, Liquity will look to Tellor instead.

Liquity’s docs explain the Chainlink / Tellor situation

This is far better than what Aave does, which is to look only at Chainlink and not question the data at all. However, it is still a risk. Chainlink’s price feeds are controlled by a 4-of-9 multisig and are capable of being manipulated. The potential is there for Chainlink to become corrupted and force Liquity to shift to Tellor for more accurate prices. If Tellor were to simultaneously become corrupted, Liquity would behave very unpredictably and funds would be at risk.
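To make the oracle dependency concrete, here is an added Python model (not Liquity's contract code and not from the original article) of a primary/fallback price check feeding the liquidation test. The 110% and 150% thresholds come from the article; the staleness limit, the jump limit, the last-accepted-price fallback and all function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MCR_NORMAL = 1.10     # article: liquidatable below 110%
MCR_RECOVERY = 1.50   # article: below 150% in Recovery Mode
MAX_AGE_S = 4 * 3600  # ASSUMED staleness limit, for illustration only
MAX_JUMP = 0.50       # ASSUMED max move vs. last accepted price

@dataclass
class Reading:
    price: float      # USD per ETH
    updated_at: int   # unix seconds

def usable(r: Optional[Reading], last_good: float, now: int) -> bool:
    """Sanity check: present, positive, fresh, and not an extreme jump."""
    if r is None or r.price <= 0 or now - r.updated_at > MAX_AGE_S:
        return False
    return abs(r.price - last_good) / last_good <= MAX_JUMP

def select_price(primary, fallback, last_good, now):
    """Prefer the primary feed, then the fallback, then the last accepted price."""
    if usable(primary, last_good, now):
        return "primary", primary.price
    if usable(fallback, last_good, now):
        return "fallback", fallback.price
    return "last_good", last_good

def threshold(recovery_mode: bool) -> float:
    return MCR_RECOVERY if recovery_mode else MCR_NORMAL

def is_liquidatable(coll_eth, debt_lusd, price, recovery_mode=False) -> bool:
    return coll_eth * price / debt_lusd < threshold(recovery_mode)

def oracle_error_margin(coll_eth, debt_lusd, true_price, recovery_mode=False) -> float:
    """Fraction the reported price may sit below true_price before liquidation."""
    liq_price = threshold(recovery_mode) * debt_lusd / coll_eth
    return max(0.0, 1 - liq_price / true_price)

if __name__ == "__main__":
    now = 1_700_000_000                       # constructed sample data
    stale = Reading(2000.0, now - 5 * 3600)
    skewed = Reading(1200.0, now)             # 40% low, inside the assumed band
    print(select_price(stale, Reading(1990.0, now), 2000.0, now))
    src, p = select_price(skewed, None, 2000.0, now)
    print(src, p, is_liquidatable(10, 12_000, p))   # accepted, and liquidatable
    print(oracle_error_margin(10, 10_000, 2000.0))  # headroom for a 200% trove
```

A sanity check of this kind only rejects readings that are stale or far outside the band, so the margin function is the number a trove owner can act on: it is the oracle error their position absorbs before the liquidation threshold is crossed.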

For the sake of comparison, there is more risk with LUSD than there is with Uniswap v1-3, as Uniswap does not have any need for external oracles. Both projects are immutable and cannot be changed, but this just means that LUSD will forever include this Chainlink weakness.

The odds of both Chainlink and Tellor going haywire simultaneously are low, but weirder things have happened in DeFi. It’s important to understand this risk if using Liquity. However, it certainly shouldn’t deter you from engaging with this otherwise trustless and immutable protocol.