Introduction

Grace is an L2-first cross-margin lending protocol that fairly distributes losses if they occur, making it resilient to oracle manipulation, volatility and exploits.

The bankrun problem

  1. Bad debt is accrued. A lending protocol experiences some loss due to vulnerable code, collateral price volatility or oracle manipulation.

  2. Liquidity is consumed. The first lenders to withdraw the remaining liquidity share none of the losses while those unlucky enough to withdraw last lose their entire deposit.

  3. Everyone runs for the exit. This incentivizes a bank run because even a loss as small as 1% of the protocol’s TVL can cost a depositor 100% of their deposit if they're too late to withdraw.

  4. The protocol becomes unusable. Any new lenders entering the pool would be adding exit liquidity for existing stuck lenders, allowing them to transfer their previous losses to the new lenders.

The Graceful solution

  1. Prepare for the worst. The lending protocol must expect and be able to absorb any amount of loss. Grace achieves this by immediately distributing any loss equally among lenders.

  2. Manage exposure. Exposure to each collateral in the pool must be limited and predictable. Grace caps total exposure to each collateral in dollar terms.

  3. Compensate risk. Borrowers should compensate lenders for the collateral risk they're taking. Grace charges borrowers a yearly fee based on their choice of deposited collateral and uses the proceeds to compensate lenders for their risk.

  4. Implement circuit breakers. Even in the presence of a loss distribution mechanism, the protocol should minimize potential losses. A Pessimistic Price Oracle renders most oracle manipulation attacks unprofitable against Grace. A global daily borrow limit also caps the maximum possible damage by an attack over a single day.
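
An added example, not Grace's own code: a small Python model of the bank-run steps above next to the loss distribution described in step 1 of the solution. It assumes "equally" means the same percentage write-down for every lender; the function names, lender names and amounts are constructed for illustration.

```python
from fractions import Fraction

def face_value_pool(deposits, loss, late_deposit=0):
    """No loss distribution: claims stay at face value and are paid first
    come, first served (dict order is the withdrawal order)."""
    claims = dict(deposits)
    if late_deposit:
        claims["newcomer"] = late_deposit  # joins after the loss, exits last
    liquidity = sum(claims.values()) - loss
    paid = {}
    for lender, claim in claims.items():
        paid[lender] = min(claim, liquidity)
        liquidity -= paid[lender]
    return paid

def loss_sharing_pool(deposits, loss, late_deposit=0):
    """Loss written down immediately; assumption: every existing lender
    takes the same percentage haircut. Withdrawal order is irrelevant."""
    total = sum(deposits.values())
    haircut = Fraction(total - loss, total)
    paid = {lender: amount * haircut for lender, amount in deposits.items()}
    if late_deposit:
        paid["newcomer"] = Fraction(late_deposit)  # entered after write-down
    return paid

def worst_loss_pct(deposits, paid):
    """Largest individual loss among the original lenders, in percent."""
    return max(100 * (1 - Fraction(paid[l], deposits[l])) for l in deposits)

# Constructed sample: 100 lenders with 100 units each, loss of 1% of TVL.
DEPOSITS = {f"lender{i:02d}": 100 for i in range(100)}
LOSS = 100

if __name__ == "__main__":
    for pool in (face_value_pool, loss_sharing_pool):
        paid = pool(DEPOSITS, LOSS)
        late = pool(DEPOSITS, LOSS, late_deposit=100)
        print(pool.__name__,
              "worst lender loss:", f"{float(worst_loss_pct(DEPOSITS, paid))}%",
              "| newcomer recovers:", float(late["newcomer"]), "of 100")
```

In the face-value model the last lender in the queue absorbs the whole loss, and a deposit made after the loss is consumed as exit liquidity; with the immediate write-down every original lender loses the same 1% and the late depositor is unaffected.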
