Today we shift our attention to MuesliSwap, a decentralized exchange operating on Cardano. On Monday, 6 August, a community member by the handle “Bobcorn” reported on Twitter about a strange incident while using the MuesliSwap platform. He tried to sell a token and received less ada than anticipated. The user interface on MuesliSwap’s website displayed a higher token price than what he ultimately received.
Before we delve deeper, it’s essential to understand the difference between Automated Market Makers (AMMs) and order book DEXs and the concept of slippage and its implications for traders. An order book DEX allows users to list buy and sell orders, with trades executed based on price matches between buyers and sellers. In this system, users usually receive their expected outcomes, but the issue of low liquidity can emerge, leading to potential wide bid-ask spreads or unfulfilled orders.
On the other hand, AMMs have become the dominant type of DEX in recent years. Prominent examples include Uniswap on Ethereum and both Minswap and SundaeSwap on Cardano. AMMs function using liquidity pools. Typically, a liquidity pool consists of two paired assets aiming to maintain a balance. Take, for example, a pool composed of ADA and BADA. Users can begin trading these assets after the creation of this pool and the provision of initial ADA and BADA liquidity. The initial balance of these assets determines their relative price. If we provided 100 ADA and 50 BADA to our pool, the initial price ratio would be 2 ADA for 1 BADA (100 divided by 50).
However, it’s crucial to understand how trading affects the pool’s balance and pricing. If a trader wants to obtain 1 BADA from the pool and pays 2 ADA in exchange, the balance in the pool shifts to 102 ADA and 49 BADA. The next unit of BADA is now priced at 2.08 ADA. This 0.08 ADA increment, or 4% price rise, illustrates the concept of slippage: the price “slipped” upwards by 4%.
Issues arise when two users attempt to interact with the same liquidity pool simultaneously. Let’s call the two users Alice and Bob. They both seek 1 BADA for 2 ADA, as displayed on the DEX interface. Alice submits her transaction first due to Bob’s immensely long spending password. With the pool’s altered balance (102-49) post-Alice’s transaction, Bob’s anticipated 2 ADA per BADA rate becomes outdated, causing the transaction to fail.
To mitigate such failures, traders can specify a slippage tolerance. DEX interfaces allow users to set a percentage, indicating the maximum price variation they’d accept. For Bob, setting a 4% slippage would’ve made his trade successful. While higher slippage increases the likelihood of trade execution, it may also mean a less favorable rate for the buyer. However, it’s crucial to note that even with high slippage settings, users should receive the best available price, not necessarily the worst price the set slippage allows. Slippage typically impacts low liquidity pairs the most; greater liquidity means individual trades influence the overall balance less.
Here is where we come back to MuesliSwap. Users like Bobcorn, Cardano Paul, and others reported that the orders they set with a specific slippage % would always end up with the maximum slippage affecting the trade regardless of the actual available liquidity. This means an order placed with a 10% slippage would always use that total 10%, even if the trade’s real slippage was 3%. Consequently, users who set their slippage to 10% to ensure their trade’s execution would always receive the worst price.
It’s important to understand how AMM DEXs handle orders. The Cardano blockchain utilizes the eUTXO model. Unlike Ethereum and other account-based blockchains, which maintain a global state, Cardano processes all transactions concurrently. While the eUTXO model offers various advantages, it also poses unique challenges. For instance, DEXs typically require access to a global state to function correctly. Due to Cardano’s concurrency, most DEXs employ a permissioned batcher system that matches buy and sell orders, ordering them before they are submitted and executed on-chain.
Evidence suggests that MuesliSwap’s batchers retained the difference between the actual and set slippage as a tip, sometimes amounting to hundreds of ada. The MuesliSwap team faced significant scrutiny, and after some back and forth, they admitted that the users were right; batchers did retain the slippage difference. In their defense, this practice was not a secret, as evidenced by a MuesliSwap blog post from two years prior, where the team explained the profit margin incentive for batchers:
Once two matching orders are found, the matchmaker initiates the exchange via the smart contract, with the possibility of keeping the remaining profit margin as an incentive.
That explanation wasn’t enough to appease the community. MuesliSwap acknowledged that their website’s UI was misleading, causing users to activate a setting that permitted batchers to capitalize on incorrect configurations.
On 10 August 2023, MuesliSwap provided a detailed explanation of the situation:
The issue revolves around the matchmaker premium feature, initially mislabeled as advanced slippage (with a warning), which allowed matchmakers to prioritize specific orders by offering a premium.This feature has been integral to MuesliSwap, since it allows users to prioritize their orders during times of high trading volumes. However, this feature also caused confusion among many new users and led to profits for a wallet belonging to the matchmaker.
MuesliSwap messed up. The exact amount of ada lost by users remains a mystery, but the team is working on a thorough analysis. They have committed to refunding impacted users, although these users must claim the refund on a yet-to-be-developed website. Many had hoped for an automatic refund, and whether this will be done in the future has to be seen. It is vital to notice that the MuesliSwap team has not disclosed the identity of the individual who ran the batcher. The incident caused many to lose trust in the team, especially how communication was handled. It will be interesting to see if and how they will win back that trust.
