Flash attacks on decentralized finance (DeFi) platforms will be the new normal, according to Haseeb Qureshi, managing partner at Dragonfly Capital, a cryptocurrency venture fund. In the wake of consecutive attacks on Ethereum-based DeFi platform bZx, industry insiders are rethinking how the decentralized finance movement, which allows users to engage in tokenized margin trading and lending, will wrestle with bad actors who are able to exploit holes in the system.
Qureshi is anticipating an influx of attacks.
“We saw the first glimpses of this in the recent bZx hacks, and I suspect that’s only the tip of the spear.”
bZx got hit back to back, with the first attack draining roughly $350,000 in Ethereum (ETH) from the startup’s lending platform Fulcrum.
The first attack, launched on February 14th, involved a sequence of maneuvers that netted a profit of 1,193 ETH, currently worth $275,344.
- A flash loan from dYdX for 10,000 ETH was opened.
- 5500 ETH was sent to Compound to collateralize a loan of 112 wBTC.
- 1300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETHBTC ratio.
- 5637 ETH was borrowed and swapped to 51 wBTC through Kyber’s Uniswap reserve, causing large slippage.
- The attacker swapped the 112 wBTC borrowed from Compound to 6871 ETH on Uniswap, resulting in a profit.
- The flash loan of 10,000 ETH from dYdX was paid back from the proceeds.
A larger copycat attack occurred days later, wiping out 2,388 ETH worth $559,000. Writing in bZx’s Telegram channel, co-founder Kyle Kistner characterized it as an “oracle manipulation attack.”
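As an added illustration (not from the article, bZx or any of the projects named), here is a toy Python model of the mechanism behind the “oracle manipulation” label: a constant-product pool whose spot price collapses under one oversized swap, and the deviation check a lending contract can apply against an independent reference price before trusting that spot price. Pool reserves, the reference price and the 5% threshold are constructed values.

```python
"""Toy model of AMM slippage and a price-deviation check. All numbers are
constructed for illustration; nothing here mirrors a real pool or contract."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Pool:
    """Constant-product market maker (eth * wbtc = k), a stand-in for a
    DEX reserve that a lending protocol reads as its price source."""
    eth: float
    wbtc: float

    def spot_price(self) -> float:
        """wBTC per ETH implied by the current reserves."""
        return self.wbtc / self.eth

    def swap_eth_for_wbtc(self, eth_in: float) -> float:
        """Sell ETH into the pool; returns wBTC received. A trade that is large
        relative to the reserves moves the spot price a lot (slippage)."""
        k = self.eth * self.wbtc
        new_eth = self.eth + eth_in
        wbtc_out = self.wbtc - k / new_eth
        self.eth, self.wbtc = new_eth, k / new_eth
        return wbtc_out


def deviation(spot: float, reference: float) -> float:
    """Relative distance of the pool's spot price from an independent
    reference (e.g. a time-weighted average or a second oracle)."""
    return abs(spot - reference) / reference


def trusted_price(pool: Pool, reference: float, max_dev: float = 0.05) -> Optional[float]:
    """Return the pool price only if it sits within max_dev of the reference;
    otherwise None, which a lending contract should treat as 'refuse to act'."""
    spot = pool.spot_price()
    return spot if deviation(spot, reference) <= max_dev else None


def demo() -> Tuple[Optional[float], Optional[float]]:
    reference = 0.04                    # constructed reference: 0.04 wBTC per ETH
    pool = Pool(eth=1000.0, wbtc=40.0)  # constructed reserves priced at the reference
    pool.swap_eth_for_wbtc(10.0)        # ordinary trade: ~2% move, still accepted
    normal = trusted_price(pool, reference)
    pool = Pool(eth=1000.0, wbtc=40.0)
    pool.swap_eth_for_wbtc(600.0)       # one oversized trade: price falls to 0.015625
    manipulated = trusted_price(pool, reference)
    return normal, manipulated


if __name__ == "__main__":
    print(demo())  # (0.0392..., None)
```

The refusal path is the defensive point: a contract that consults only the manipulated spot price has no way to tell a genuine market move from a single transaction's slippage, while a reference-price check turns the attack into a reverted transaction.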
“Flash attacks have big security implications. I’ve increasingly come to believe that what flash loans really unlock are flash attacks – capital-intensive attacks funded by flash loans.”
Flash loans are well suited to blockchains because a transaction can be rolled back in its entirety. If a lender sends ETH to a borrower and the borrower fails to repay the debt within the same transaction, the smart contract reverts, nullifying the loan as though it had never been made.
Says Emilio Frangella, a developer at fintech startup Aave,
“Seems completely risk free, right? Well, not completely. While very small, there is still a certain degree of risk involving smart contracts and the underlying layer (the blockchain itself). Flash Loans leverage a specific condition to work which enforces that the funds are returned at the end of the execution. There is still the remote possibility that a bug is found in the bytecode of the contract, or at a deeper level in the EVM [Ethereum virtual machine], that might allow an attacker to circumvent this condition.”
As the DeFi movement attempts to disrupt traditional finance at scale, the early days are opening the door to anonymous actors who can destabilize the disruptors. Says Qureshi,
“With flash loans, attackers no longer need to have any skin in the game. Flash loans materially change the risks for an attacker.”
By hitting the reset button on incentives, flash loans are a game-changer that come with a new set of challenges. Adds Qureshi,
“I believe flash loans are a big security threat. But flash loans are not going away, and we need to think carefully about the impact they will have for DeFi security going forward.”
Jon Evans, founding director of the GitHub Archive Program, isn’t so sure. Perhaps the DeFi movement is actually a newfangled, overblown and over-hyped model that will never entice the Everyman to disrupt the status quo on the scale it intends.
“What is the point of ‘borrowing money using money as collateral’ for the 99.9% of people who aren’t true-believer HODLers loath to even consider simply selling their crypto?”
You can check out Qureshi’s full analysis here.
Disclaimer: Opinions expressed at The Daily Hodl are not investment advice. Investors should do their due diligence before making any high-risk investments in Bitcoin, cryptocurrency or digital assets. Please be advised that your transfers and trades are at your own risk, and any losses you may incur are your responsibility. The Daily Hodl does not recommend the buying or selling of any cryptocurrencies or digital assets, nor is The Daily Hodl an investment advisor. Please note that The Daily Hodl participates in affiliate marketing.
Featured Image: Shutterstock/Elnur