# Withdrawal Arbitrage: The Risk of Attacks on the protocol The protocol design poses a novel challenge: A unique attack “Withdrawal Arbitrage” happens as the input to the slippage function translates into coverage ratio. How can it occur? ## **When Whale Attacks the protocol** Imagine there is a liquidity pool that contains assets and liabilities (deposits) of 100 initially. ![](https://miro.medium.com/max/1400/1*VZX6J1VvTHCe1cO4EEkIrQ.jpeg) Now there’s one whale who owns 20% of this pool. He is capable of generating some risk-free profit by simply making a series of transactions as below. **Step 1:** The whale buys 20% of the tokens in the pool by trading with another token. As a result, the coverage ratio falls to 0.8, since the amount of assets in the pool has fallen to 80. There are still 100 tokens available for the LPs. When undertaking a transaction in the current situation, the user will suffer a small amount of slippage. ![](https://miro.medium.com/max/1400/1*WB56wJS3NIVgLh5lGdadvg.jpeg) **Step 2:** The whale withdraws all the liquidity (i.e. 20 tokens). The coverage ratio now falls to 0.75. ![](https://miro.medium.com/max/1400/1*qL35ymyWF-J_6d1W1osAMg.jpeg) **Step 3:** He swaps back the 20% of tokens he used in Step 1, reversing the original swap. The coverage ratio now goes back to 1. The protocol incentivizes actions that pull the coverage ratio back or closer to the equilibrium. As this action brings the coverage ratio from 0.75 to a healthy position, the user is rewarded with a favorable exchange rate, in the form of positive slippage. ![](https://miro.medium.com/max/1400/1*cN6yPaF22e1aAZ3CpD_Wiw.jpeg) Note that the slippage fees charged in Step 1 involved a coverage ratio that changed from 1 to 0.8; while the slippage fees awarded in Step 3 involved a coverage ratio that changed from 0.75 to 1. Due to the convexity of the slippage curve, the reward in Step 3 will be greater than the penalty in Step 1, generating a risk free profit. Hence, the user has successfully attacked the system. He can infinitely repeat steps 1 to 3 until the liquidity pool is drained. This kind of attack is called “Withdrawal Arbitrage”. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hummus-exchange.gitbook.io/hummus-exchange/concepts/withdrawal-fee/withdrawal-arbitrage-the-risk-of-attacks-on-the-protocol.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.