DeFi, Flash Loans, Exploits

Nine months ago, in a Denver convention center, a booth sat empty.

Littered with token stickers, the table was supposed to hold the physical representatives of decentralized finance (DeFi) protocol bZx. It remained empty, however, as the team struggled to make sense of the digital forces twisting their young project.

bZx, as they would come to find out, was 2020’s flash loan “patient zero”.

AFTER THE HACK: DeFi protocol bZx’s booth sits empty at ETHDenver.
(CoinDesk archives)

New cases haven’t stopped in the months since then. Take November: $2 million from Akropolis, then $3.3 million from Cheese Bank, followed by $6 million from Value Finance and finally $7 million from Origin Protocol.

Flash loans remain the common thread through all those recent attacks. These DeFi-native tools enable a savvy investor to take out unbacked loans and amass leverage behind a position. For example, Monday’s Origin Protocol attacker pulled a 70,000 ETH loan from decentralized derivatives platform dYdX. It enabled the attacker to up the amount of loot sucked out of the project.

Yet, while they may be the string connecting these exploits, flash loans are not the cause in and of themselves, industry leaders told CoinDesk.

Oracle manipulation and flash loans

It may not even be fair to characterize the recent DeFi exploits as “flash loan attacks,” Chainlink co-founder Sergey Nazarov told CoinDesk in an email.

Nazarov said flash loans at their core are just lump sums of capital thrown at successful trade positions. The real issue lies with poorly constructed DeFi projects.

“While many are trying to frame this trend as the result of flash loans, most of these exploits could have been committed by any well-capitalized actor. All a flash loan does is temporarily make anyone a well-capitalized actor,” Nazarov said.

DeFi’s projects are smart contracts deployed to the Ethereum blockchain. They require outside information, namely pricing data, to execute actions baked into each contract.

That pricing information is liable to distortions simply because of how the Ethereum blockchain packages transactions – that is, every 15 seconds. Prices can move every which way in 15 seconds, which forces smart contracts to act on stale data.

Moreover, many DeFi applications rely on in-house pricing oracles created by token reserves, non-decentralized pricing feeds or other ad hoc solutions. For example, Harvest Finance leaned on another DeFi project, Curve Finance, to price its token pools.

In cases like Harvest Finance, interoperability became a negative dependency. A flash loan worth $50 million temporarily pushed asset prices away from their market value, creating an arbitrage opportunity. A project that had a more robust pricing system wouldn’t have fallen prey to the exploit, the theory goes.
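The price distortion described above, as an added example that is not from the article or any project it names: a toy constant-product pool shows how far one large trade moves a reserve-based spot price, and how an averaged price with a deviation check behaves in the same block. The pool sizes, the 10-block window, the 5% threshold and all function names are assumptions, and time-weighted averaging is one common hardening, not something the article prescribes.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product pool (token * usd = k); all figures are constructed."""
    token: float
    usd: float
    observations: list = field(default_factory=list)  # one spot price per block

    def spot_price(self) -> float:
        return self.usd / self.token

    def observe(self) -> None:
        """Record the price at the start of a block, before that block's trades."""
        self.observations.append(self.spot_price())

    def swap_usd_for_token(self, usd_in: float) -> float:
        k = self.token * self.usd
        new_token = k / (self.usd + usd_in)
        token_out = self.token - new_token
        self.usd, self.token = self.usd + usd_in, new_token
        return token_out

    def twap(self, blocks: int) -> float:
        window = self.observations[-blocks:]
        return sum(window) / len(window)


def guarded_price(pool: Pool, blocks: int = 10, max_deviation: float = 0.05) -> float:
    """Return the averaged price, refusing to act while spot has drifted from it."""
    average = pool.twap(blocks)
    if abs(pool.spot_price() - average) / average > max_deviation:
        raise ValueError("spot price deviates from TWAP; refusing to price")
    return average


def single_block_trade() -> dict:
    pool = Pool(token=100_000_000, usd=100_000_000)
    for _ in range(10):                    # ten quiet blocks at a price of 1.00
        pool.observe()
    pool.swap_usd_for_token(50_000_000)    # one large borrowed-capital trade
    spot_during = pool.spot_price()        # what a reserve-based oracle reports
    twap_during = pool.twap(10)            # unchanged within the same block
    pool.observe()                         # worst case: the skewed price is recorded
    return {"spot": spot_during, "twap": twap_during, "twap_next": pool.twap(10)}
```
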

Are audits enough?

Another point developers are coming to grips with is that code audits alone don’t make a DeFi project safe.

Speaking with CoinDesk via WhatsApp, Quantstamp CEO Richard Ma said developers need to understand markets themselves, perhaps more so than the code they deploy to the Ethereum blockchain. Quantstamp has audited or consulted on multiple top DeFi projects such as Curve Finance, MakerDAO and SushiSwap, among others.

“Understanding the products and the business logic is much more time-consuming and important than a straight-up code review,” Ma said.

Indeed, Akropolis was audited twice by two separate firms, but still suffered a re-entrancy attack.

This sort of attack occurs when a smart contract’s backdoor is left ajar. The contract’s state – which records how many tokens the contract has, among other things – fails to update quickly enough when tokens are removed, allowing the attacker to move out more coins than should be allowed. It’s not dissimilar to a lazy bank teller continuing to fork over funds from an overdrawn account.
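The late state update described above, as an added example that is not code from Akropolis or any audited project: a toy vault in Python pays out before or after clearing the caller's recorded balance, depending on a flag. The class, the account names and the amounts are constructed, and the Python callback stands in for the external call a real contract makes when it transfers tokens.

```python
class Vault:
    """Toy vault: `balances` is the recorded state, `cash` is what it really holds."""

    def __init__(self, update_state_first: bool):
        self.update_state_first = update_state_first
        self.balances = {}
        self.cash = 0

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.cash += amount

    def withdraw(self, who: str, on_receive) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0 or self.cash < amount:      # check
            return
        if self.update_state_first:
            self.balances[who] = 0                 # effect recorded before paying out
        self.cash -= amount
        on_receive(amount)                         # interaction: recipient's code runs
        if not self.update_state_first:
            self.balances[who] = 0                 # too late: recipient already ran


def simulate_withdrawal(update_state_first: bool) -> tuple:
    """Return (amount paid to the caller, cash left in the vault)."""
    vault = Vault(update_state_first)
    vault.deposit("others", 90)                    # constructed: other users' funds
    vault.deposit("caller", 10)                    # the caller is owed only 10
    received = []

    def on_receive(amount: int) -> None:
        received.append(amount)
        vault.withdraw("caller", on_receive)       # calls back before withdraw() returns

    vault.withdraw("caller", on_receive)
    return sum(received), vault.cash
```

With the balance cleared only after the payout, the nested calls each see the stale balance of 10 until the vault is empty; clearing it first makes the second call a no-op.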

Combining audit redundancies with insurance is a step at least one major cryptocurrency investment firm is now urging.

“We are recommending our portfolio companies to get multiple audits from more than one provider,” Paul Veradittakit, partner at venture capital firm Pantera, said in an email. “We also think that projects and investors may want to buy insurance to protect themselves.”

It’s also notable that none of the top DeFi projects have suffered oracle attacks spurred by flash loans, dYdX founder Antonio Juliano told CoinDesk in a message. Many flash loans used in attacks have originated on his platform, which offers the product without a fee.

He said that “there’s a big divide between the well-engineered projects and others;” a divide being fleshed out in real time by flash loans.

“In the same way you wouldn’t blame Ethereum for an implementation detail of the chain being used for an attack, the way flash loans are being used in exploits is the fault of developers building insecure applications, not the flash loans themselves,” Juliano said.
