For the cryptocurrency market, the same asset has different prices on different exchanges. These price differences allow traders to make profits by trading on different platforms. When flash loans enter the DeFi world, the cost of arbitrage is lower. This sounds like a good thing, but vulnerabilities in DeFi protocols increase the risk of funds being stolen. As V God said, there are short-lived arbitrage opportunities and unknown risks on both ends of the balance of high interest rates.
When you gaze into the abyss, the abyss gazes into you.
However, is all this really because of flash loans? The following is a summary of several recent flash loan attacks and the arbitrage logic behind them.
1. Summary of recent typical DeFi hacking incidents
1. Value DeFi
At 23:36 on November 14th, Beijing time, Value DeFis MultiStables Vault pool was hacked and nearly $7.4 million in DAI was lost. Because the Value DeFi protocol has a loophole when using the price oracle machine (Curve) based on the AMM algorithm to calculate the token price. The attacker first manipulated the price of the token on Curve through flash loans, and then used the minted pooltokens to successfully extract 3CRV tokens far exceeding the original value. Afterwards, the attacker redeems these 3CRV tokens for DAI on Curve, thereby completing the profit.
2. Akropolis DeFi
On November 13, the DeFi lending agreement Akropolis protocol was hacked and lost about 2 million DAI. Akropolis founder and CEO Ana Andrianova said that the attacker used the flash loan on the derivatives platform dYdX to carry out re-entry attacks. The attacker re-enters the deposit function of the Akropolis contract using the token constructed by himself, causing the Akropolis contract to mint coins twice with the same difference, but only one transfer is triggered. When the attacker withdraws, he can withdraw two Double the income, so as to make a profit.
3. Cheese Bank
At 3:22 am on November 7, hackers used Flash loan to attack Cheese Bank, a decentralized digital bank, and made a profit of 3.3 million US dollars through a transaction. Through tracking and analysis, PeckShield found that the attacker first lent a large amount of ETH through dYdX flash loan. Subsequently, 50 WETH were exchanged for 107,000 CHEESE (Cheese Bank token) in Uniswap V2. Cheese Bank uses the amount of WETH in the liquidity mining pool UNI_V2-CHEESE-ETH to measure the price of the corresponding UNI_V2 LP certificate. The attacker can effectively lend more USDC, USDT, and DAI by increasing the price of the UNI_V2 LP certificate. Finally, the attacker obtained a huge arbitrage profit after returning the ETH to dYdX flash loan.
4. Harvest Finance
On October 26, the Harvest Finance project suffered a flash loan attack and lost about $24 million. The economic attack launched by the hackers was carried out through the Curve Y pool. Hackers instantly manipulated the exchange rate of stablecoins on Curve through flash loans, and then recharged a certain stablecoin at a low price on Harvest, and bought back the sold stablecoins on Curve to restore the normal exchange rate. Harvest withdrew cash to earn the exchange rate difference.
2. Reflections on DeFi attacks
DeFi generally refers to encrypted assets, financial smart contracts and agreements built on smart contract platforms. This year, DeFi has attracted much attention by absorbing tens of billions of funds, but at the same time, a group of people dubbed scientists has emerged to rely on technical strength and knowledge threshold to specialize in DeFis wool, and use DeFi to arbitrage to obtain huge profits. In the world of DeFi, these scientists program borrowing, transfer (execution), and repayment into a transaction sent to a smart contract, so as to achieve low or even zero cost in various DeFi High-value arbitrage between protocols, or the use of composability loopholes to attack and steal huge amounts of funds.
There are currently two main modes of using DeFi for arbitrage:
1. Profit from interest rate differentials between cryptocurrency products
The interest rates in the DeFi market are relatively high, mainly for the following two reasons:
(1) The decentralized DeFi protocol is still in the early stage of development. Factors such as the high volatility of cryptocurrencies, over-collateralization, and smart contract risks will prompt the DeFi protocol to provide users with high interest rate risk compensation. Since the same funds deposited in the traditional financial lending market will bear lower risks, the DeFi market needs to use high interest rates to compensate for the risk exposure brought to investors by the decentralized mechanism.
(2) High interest rates help some new DeFi projects to start cold. At present, the mature DeFi market with liquidity mining has absorbed most of the funds. Some new DeFi projects cannot provide liquidity incentives because they have not yet issued governance tokens, resulting in poor liquidity in the early stage of the project, so high interest rates can be good Attracting users to achieve the effect of drainage, but at the same time there will also be arbitrage opportunities between DeFi markets.
Arbitrageurs can borrow at low interest rates in one DeFi market and deposit assets in another DeFi market for high interest rates. Arbitrage opportunities arise when there is a difference in borrowing and deposit rates between platforms and the deposit rate is higher than the borrowing rate.
2. Arbitrage using the loopholes in smart contracts and the characteristics of flash loans
Flash loan refers to a loan method implemented by utilizing the rollback feature of blockchain transactions. Users can borrow a huge amount of money at very low interest rates without collateral. Users only need to return the loaned money and interest in the same transaction. Flash loans themselves are not loopholes. Flash loan attacks refer to attacks that use flash loans combined with other vulnerabilities, mostly attacks such as arbitrage and price manipulation. Developers can borrow money from the reserve pool of DeFi projects that support flash loans, on the condition that the funds are returned to the pool before the transaction is closed. If such funds are not returned to the reserve in time, the transaction will be reversed to keep the reserve pool safe.
Although the methods and scope of flash loan attacks are different, the protocols they attack all have one thing in common, that is, they only obtain price data from a certain decentralized exchange. For example, the victim of a flash loan attack is a DeFi lending protocol that obtains price feed data from a decentralized exchange. The operation steps are as follows:
(1) Borrow a large amount of token A from an agreement that supports flash loans;
(2) Exchange token A for token B on a decentralized exchange;
(3) Put the converted token B in another DeFi protocol as collateral, and the decentralized exchange in the previous step is the only source of price data for this DeFi protocol; since the price data is manipulated, it can be borrowed Token A higher than the normal amount;
(4) Use part of the pass A to repay the previous flash loan loan, and then put the remaining pass in your pocket to make an improper profit;
(5) As the prices of Token A and Token B in the decentralized exchange gradually return to the real level through arbitrage trading, the DeFi protocol will have a situation where the debt value exceeds the collateral value, which will directly damage the security of other normal users. Benefit.
At present, there have been many hacking problems caused by smart contract vulnerabilities in the cryptocurrency market, which have threatened user funds. Therefore, borrowing and lending large amounts of funds through smart contracts requires DeFi to have extremely high security.
Flash loan is created through the blockchain. As a new lending model that does not exist in the traditional financial world, it greatly enriches the application scenarios of DeFi and lowers the market entry threshold. It is innovative, but it does not Should become an accomplice of hackers to gain profits. Although hackers have frequently used flash loan funds to attack DeFi protocols recently, the value of flash loan itself as a financial tool should not be ignored. The flash loan itself does not create a risk loophole, it only exposes the existing risk loophole in the DeFi protocol, that is, the risk of price manipulation caused by the transmission of distorted data by the oracle machine.
The arbitrage behavior in a financial market itself has its positive impact, and it can reasonably price the asset targets in the market. In the digital currency market, the price of cryptocurrencies often changes significantly due to relevant information such as regional policies and favorable cooperation. Arbitrageurs can accurately position the prices of cryptocurrencies in various exchanges in the market through the arbitrage mechanism to achieve the current state of supply and demand balance. . At the same time, the arbitrage mechanism can make the overall cryptocurrency market more standardized and transparent, so that each exchange can feed back the real asset price trend. Arbitrage behavior can also promote the consensus of global users on encrypted assets and accelerate the future development of the entire industry.
However, DeFi protocol developers should learn from the frequent occurrence of hacking incidents caused by smart contract vulnerabilities. Project developers should fully consider such extreme situations when designing business logic. At the same time, they should find professional audit institutions to conduct audits and research to prevent various possible risks.
As for the participants, there is only one eternal commandment--investment is risky, and you need to be cautious when entering the market.
