Option A: Terra/Luna Collapse (May 2022)
| Date | Event | Key Actors & Incentives | Game-Theoretic Dynamic |
|---|---|---|---|
| May 7 | ~$2B UST withdrawn from Anchor Protocol, reducing yield incentives | Large holders: rational profit-taking as Anchor yield drops from 19.5% toward sustainability | First-mover advantage: early exiters preserve capital; late exiters face losses |
| May 8 | UST depegs to $0.98; LFG deploys $1.5B BTC reserves | LFG: defending peg to maintain credibility. Market: testing whether reserves are sufficient | Credibility game: LFG signals commitment, but market observes finite reserves |
| May 9 | UST falls to $0.35; LUNA hyperinflation begins | Arbitrageurs: mint LUNA by redeeming UST at $1 face value, then sell LUNA. Each rational arbitrageur accelerates LUNA inflation | Death spiral / positive feedback loop: the mint-burn mechanism that should restore the peg instead accelerates collapse |
| May 10 | Do Kwon proposes emergency measures; LUNA drops 96% | Do Kwon: attempting to restore confidence. Market: already past the point of no return | Cheap talk: proposals without binding commitment are not credible |
| May 12 | Terra blockchain halted | Validators: halt to prevent further damage | Coordination: validators cooperate to stop the bleeding |
| May 13 | Full collapse; ~$40B destroyed | All participants: zero-sum outcome where late exiters bear losses | Outcome is Nash equilibrium: no individual actor can profitably deviate |
Point of no return: May 9, when the mint-burn arbitrage mechanism began hyperinflating LUNA supply. Once LUNA's market cap fell below UST's outstanding supply, the peg mechanism became mathematically impossible to restore.
Primary Mechanism Design Flaw
The UST/LUNA mint-burn mechanism was reflexive: UST could be redeemed for $1 worth of newly minted LUNA, and LUNA could be burned to mint UST. This created a circular dependency where UST's stability depended on LUNA's market cap, and LUNA's value derived from demand for UST. When confidence broke, the mechanism became a positive feedback loop accelerating collapse rather than restoring equilibrium.
Incentive Misalignment
Individual rationality led to collective harm through two channels:
- Arbitrageurs: Each arbitrageur rationally redeemed UST for $1 of LUNA and immediately sold LUNA. This was individually profitable but collectively diluted LUNA supply to worthlessness, destroying the collateral backing UST.
- Anchor depositors: The 19.5% APY attracted capital that was not organically generated -- it was subsidized by reserves. When subsidies depleted, rational withdrawal triggered the initial depeg.
Nash Equilibrium Analysis
The collapse was a Nash equilibrium: once UST depegged, no individual actor had incentive to hold UST or LUNA. Selling was a dominant strategy for every holder. Even if all holders coordinated to hold, any individual defector profits by selling first -- a classic prisoner's dilemma at scale.
Trust Assumption Violation
The mechanism assumed that LUNA would always maintain sufficient market capitalization to absorb UST redemptions. This assumption failed under stress because LUNA's value was itself derived from UST demand -- a circular dependency with no external anchor.
Require UST to maintain a minimum collateral ratio (e.g., 150%) in external assets (ETH, BTC, US Treasuries) -- not the protocol's own token. This breaks the reflexive dependency by anchoring value to assets outside the system.
- Incentive change: Removes the death spiral because collateral value is independent of UST demand
- L07 concept: This is a commitment device -- the protocol credibly commits to solvency by locking real collateral
- Trade-offs: Reduces capital efficiency (can't mint unbacked stablecoins), requires custodial infrastructure for off-chain assets, and may introduce oracle risk for collateral pricing
Implement maximum daily redemption/minting limits that throttle the mint-burn mechanism during stress events. For example: limit total daily LUNA minting from UST redemptions to 2% of LUNA market cap.
- Incentive change: Slows the death spiral, giving the system time to rebalance. Makes "rushing to the exit" less advantageous because exits are rate-limited
- L07 concept: Changes the game from simultaneous-move (bank run) to sequential, where patient actors have better information and less panic incentive
- Trade-offs: Reduces liquidity and capital efficiency. Introduces unfairness (who gets to redeem first?). Queue-based systems create MEV and front-running incentives
- Saying "Do Kwon should have been honest" -- this is about character, not mechanism design
- Proposing "more reserves" without specifying what kind (LUNA reserves don't help; BTC/ETH reserves do)
- Failing to identify the reflexive / circular dependency as the core flaw
- Confusing Terra/Luna with FTX (different failure modes)
Option B: FTX Collapse (November 2022)
| Date | Event | Key Actors & Incentives | Game-Theoretic Dynamic |
|---|---|---|---|
| Nov 2 | CoinDesk reveals Alameda balance sheet: heavy FTT concentration, thin liquid assets | CoinDesk: journalism. Market: new information triggers revaluation of FTX solvency | Information asymmetry revealed: insiders knew, outsiders didn't |
| Nov 6 | CZ (Binance) announces FTT liquidation (~$580M) | CZ: strategic competitor move and/or genuine risk management. SBF: attempted reassurance | Signaling game: CZ's public announcement signals distrust, amplifying panic |
| Nov 7 | FTX halts withdrawals; bank run underway | Users: rational to withdraw immediately. FTX: cannot honor withdrawals because funds are misappropriated | Bank run equilibrium: once withdrawals halt, remaining depositors face total loss -- rush to exit is dominant strategy |
| Nov 8 | Binance LOI to acquire, then withdraws | Binance: due diligence reveals massive hole. SBF: desperate for bailout | Screening game: Binance's withdrawal reveals the true depth of insolvency |
| Nov 11 | Chapter 11 bankruptcy filed | FTX leadership: legal obligation. Creditors: begin recovery process | End state: formal admission of insolvency |
| Nov 12 | ~$477M suspicious outflows; SBF resigns | Unknown actors: exploiting chaos. SBF: forced out by new CEO (John Ray III) | Coordination failure in custody: no proper key management during crisis |
Point of no return: November 7, when FTX halted withdrawals. This confirmed that customer funds were not available, converting fear into certainty of insolvency. Once a bank run reaches withdrawal halts, recovery is essentially impossible.
Primary Mechanism Design Flaw
FTX operated as a centralized custodian with full discretion over customer deposits. There was no on-chain transparency, no proof-of-reserves mechanism, and no technical constraint preventing the misuse of funds. This created an extreme principal-agent problem: customers (principals) trusted FTX (agent) to custody funds, but FTX had both the ability and incentive to misappropriate them.
Incentive Misalignment
- Moral hazard: SBF and Alameda could take excessive risks with customer funds because downside risk was borne by depositors, not management. The absence of monitoring created a textbook moral hazard.
- FTT token circularity: FTX used its own FTT token as collateral for Alameda loans -- a reflexive arrangement where the collateral's value depended on the entity that issued it. When confidence broke, the collateral became worthless.
- Bank run dynamics: Once CoinDesk revealed the balance sheet, each depositor's dominant strategy was to withdraw immediately. The collective rush made insolvency certain even if the initial shortfall was recoverable.
Nash Equilibrium Analysis
Post-revelation, the bank run was a Nash equilibrium: each depositor does best by withdrawing regardless of what others do (withdrawing is a dominant strategy). Even depositors who "trusted FTX" had no rational reason to leave funds on the exchange once information asymmetry was resolved.
Trust Assumption Violation
Users assumed FTX was solvent and holding deposits 1:1. The mechanism (centralized exchange with no proof-of-reserves) provided no way to verify this assumption. The violation was not a mechanism design failure per se, but rather the absence of any mechanism -- trust was based on reputation alone, with no cryptographic or economic enforcement.
Require exchanges to publish regular cryptographic proofs-of-reserves using Merkle tree attestations. Each user can verify their account balance is included in the published total, and independent auditors verify that on-chain reserves match or exceed liabilities.
- Incentive change: Eliminates information asymmetry. Users can verify solvency without trusting management. Detection of misuse becomes near-immediate rather than delayed
- L07 concept: This is a transparency mechanism that makes the principal-agent relationship incentive-compatible -- the agent cannot hide misappropriation
- Trade-offs: Does not prevent fraud entirely (could use borrowed assets to pass point-in-time checks). Requires standardization. Privacy concerns for large holders. Only proves solvency at snapshot time, not continuously
Customer deposits held in smart contracts that the exchange can only use for matching trades, not for lending or proprietary trading. Withdrawals go directly from the custody contract to the user's wallet, bypassing exchange control.
- Incentive change: Technically enforces the principal-agent contract. Exchange literally cannot misappropriate funds because the smart contract does not permit it. This converts trust from social (reputation) to technical (code)
- L07 concept: Commitment device -- the exchange credibly commits to proper custody because it has no technical ability to violate it
- Trade-offs: Reduces exchange efficiency (can't net trades off-chain). Higher gas costs. Smart contract risk replaces custodial risk. May reduce exchange competitiveness against non-compliant competitors
- Treating FTX purely as a "bad person" problem rather than a mechanism design problem -- the question is: what mechanism would have prevented a bad actor from succeeding?
- Proposing "don't use centralized exchanges" without acknowledging the liquidity and UX trade-offs
- Confusing FTT (exchange token) with FTX (exchange). FTT's role as collateral is important to the analysis
- Not identifying the bank run as a Nash equilibrium
Option C: The DAO Hack (June 2016)
| Date | Event | Key Actors & Incentives | Game-Theoretic Dynamic |
|---|---|---|---|
| Apr 30 | The DAO launches, raises 12.7M ETH (~$150M) from 11,000+ investors | Investors: attracted by novel governance model. Developers: ambitious but insufficiently tested code | Coordination success: largest crowdfund in history, but speed-to-market overrode security |
| May 26 | Security researchers publicly warn about reentrancy vulnerability | Researchers: responsible disclosure. DAO developers: attempted moratorium on proposals | Cheap talk: warnings without binding action left the vulnerability exploitable |
| Jun 17 | Attacker exploits reentrancy, draining 3.6M ETH into child DAO | Attacker: rational exploitation (high payoff, perceived low risk). DAO holders: stunned, unable to intervene | Exploitation equilibrium: given the vulnerability, a rational attacker will always exploit before it is fixed |
| Jun 17 - Jul 15 | 28-day withdrawal delay prevents attacker from moving funds | Community: uses delay window to organize response. Attacker: trapped by the DAO's own time-lock mechanism | Accidental commitment device: the time-lock (designed for governance) created a window for counterplay |
| Jul 15 | Community votes ~85% for hard fork | ETH holders: vote to recover funds. Minority: "code is law" -- oppose intervention on principle | Governance dilemma: majority rule vs. immutability principle. Schelling point: most people coordinate on "return the funds" |
| Jul 20 | Hard fork executes; ETH/ETC split | ETH supporters: funds returned. ETC supporters: maintain original chain on principle | Fork as exit: disagreeing parties split rather than compromising |
Point of no return: June 17, when the exploit occurred. Although funds were recovered via hard fork, the event permanently demonstrated that smart contract vulnerabilities can be catastrophic, and that "code is law" has practical limits.
Primary Mechanism Design Flaw
The DAO had two compounding flaws:
- Smart contract vulnerability (reentrancy): The splitDAO function sent ETH before updating state, enabling recursive withdrawal. This is a technical bug, but it reflects a mechanism design failure: the system did not account for adversarial execution ordering.
- Governance inadequacy: Despite public security warnings 3 weeks before the attack, the DAO had no emergency mechanism to patch the vulnerability or pause operations. The governance mechanism was too slow for security-critical decisions.
Incentive Misalignment
- Speed vs. security: The DAO launched quickly to capture momentum, but this meant insufficient security review. Developers were incentivized to ship fast (first-mover advantage) rather than ship safely.
- Attacker incentives: The vulnerability created a dominant strategy for any sufficiently skilled actor: exploit now, before it is fixed. The 28-day delay on splits created a window, but the attacker bet (incorrectly, as it turned out) that the community would not coordinate a response.
- "Code is law" ideology: The DAO community assumed that code execution was the social contract. This created a moral hazard for developers (if the code is always right, there's less incentive to audit thoroughly) and left no recourse for participants when the code behaved in unintended ways.
Nash Equilibrium Analysis
Pre-fork, the attacker's strategy was a best response: exploit a known vulnerability for $60M with (perceived) impunity. The community's response -- coordinating a hard fork -- was not a Nash equilibrium in the traditional sense because it required unprecedented coordination. The fork succeeded because the Ethereum community was small and cohesive enough to coordinate (a Schelling point formed around "return the stolen funds").
Trust Assumption Violation
The DAO assumed its smart contract code was correct ("code is law"). This assumption was violated when the reentrancy bug was exploited. More broadly, the assumption that governance could operate at the speed of code execution proved false.
Before any smart contract managing significant value goes live, require a mandatory security review period (e.g., 30 days) with bug bounties. During this period, the contract operates with limited funds. Full funding is released only after the review period with no critical findings.
- Incentive change: Aligns developer incentives with security by making deployment conditional on review. Bug bounty rewards make reporting more profitable than exploiting during the review period
- L07 concept: Incentive compatibility -- makes it rational for security researchers to report rather than exploit, and for developers to prioritize security over speed
- Trade-offs: Slows deployment (loss of first-mover advantage). Requires meaningful bounty funding. Does not guarantee all bugs are found (only those within reviewer skill). May create false sense of security
Implement an emergency pause function that can be triggered by a multi-signature group (e.g., 3-of-5 security reviewers). When paused, no fund movements are possible. Unpausing requires a broader governance vote (e.g., token-weighted vote with quorum).
- Incentive change: Creates a rapid-response mechanism for security incidents. The multi-sig requirement prevents abuse while enabling fast action. Converts the governance speed problem from "too slow to patch" to "fast enough to pause"
- L07 concept: Mechanism design with multiple equilibria -- the pause mechanism creates a new, safer equilibrium (pause + investigate) that dominates the old one (exploit runs unchecked)
- Trade-offs: Introduces centralization risk (multi-sig holders have power). Potential for abuse or coercion of key holders. Pauses disrupt legitimate users. Philosophical tension with "code is law" and decentralization
- Focusing only on the reentrancy bug without addressing the governance failure (both are needed for full marks)
- Claiming the hard fork "solved" the problem -- it recovered funds but created a precedent that undermines immutability
- Not recognizing that the 28-day delay was an accidental security feature, not a deliberate one
- Proposing "don't use smart contracts" -- this misses the point of mechanism design (improve the mechanism, don't abandon it)
Cross-Event Comparison (Instructor Reference)
| Pattern | Terra/Luna | FTX | The DAO |
|---|---|---|---|
| Reflexivity | UST/LUNA circular dependency | FTT token as self-referencing collateral | Governance token value dependent on DAO fund integrity |
| Speed of collapse | ~6 days | ~10 days | ~1 day (exploit); ~33 days (resolution) |
| Information asymmetry | Anchor yield unsustainability hidden | Alameda misuse hidden from depositors | Vulnerability known to researchers, not acted on |
| Bank run dynamics | UST redemption rush | Exchange withdrawal rush | N/A (exploit, not run) |
| Governance response | Too slow; halted chain | N/A (centralized, no governance) | Hard fork -- controversial but effective |
| Primary L07 concept | Incentive compatibility failure | Principal-agent / moral hazard | Incomplete contracts + governance design |
© Joerg Osterrieder 2025-2026. All rights reserved.