Black Thursday for DeFi: Wounds to Lick and Lessons to Learn
The market crash of March 12th presented the DeFi sector with a real trial. Even the DeFi flagship MakerDAO couldn’t withstand the crisis, losing $8 million to unscrupulous network participants during what is now known as Black Thursday. Yet it’s not the only recent problem of the DeFi sector.
Andrey Tukmanov, an independent researcher, provides the details of the recent attacks on DeFi projects and explains the lessons the DeFi sector should learn from its misfortune.
On February 14th, a specific transaction took place affecting seven DeFi projects at once. The attacker spent about $8 on network fees and got away with an estimated $350,000.
During the attack, the price of Bitcoin against Ether on the Uniswap exchange tripled. The main victim of the attack was the margin trading protocol bZx.
Uniswap is an automated liquidity pool where the price is calculated with a simple formula and grows significantly with larger volumes.
Total trading volume on Uniswap in March. Source: zumzoom
Margin traders take a loan to buy an asset they expect to grow in price. If the price goes up, the trader sells the asset, pays the loan and interest, and keeps the rest. If the price goes down, the trader faces losses. During all this, the assets are controlled by a smart contract.
A smart contract bought over $1.5 million worth of BTC when opening a short position with 5X leverage. bZx developers didn’t check the coverage, thinking that no one in their right mind would risk 1,300 ETH.
But the intent of the attacker was to manipulate the Bitcoin price on Uniswap. They sold 112 BTC at a 63% higher price than the market and got $700,000.
Details of the Attack
The attacker was using a new tool called a flash loan. A flash loan is an instant loan that is repaid within the same transaction it was issued in. If the money doesn’t return, the contract automatically undoes all changes.
This mechanism allows for safe uncollateralized loans. Usually, flash loans are used for arbitrage or liquidations: you buy low and sell high. During Black Thursday, flash loans were instrumental in saving collateral, but the attacker acted differently. They took a 10,000 ETH loan ($2.8 million at that time) on the dYdX exchange and split it in two. The first part was sent to bZx for manipulation and the second was used for arbitrage.
Flash loan volume in ETH. Source: Aave
Flash loans allowed the attacker to make the scheme substantially cheaper to pull off, as there was no need to seek a large sum that would require laundering. Moreover, the loan itself was virtually free.
In the wake of the "Black Thursday" events, what does #DeFi build next? 🧐
— Aave (@AaveAave) March 14, 2020
On February 17th, after restoring operations, bZx faced another attack. This time the attacker used flash loans to manipulate the price of sUSD stablecoin. As a result, the protocol issued an uncollateralized loan. The estimated damage amounted to $650,000.
DeFi projects usually pull the price feeds needed to calculate the collaterals from decentralized exchanges. Because of the low liquidity on such platforms, the prices are prone to manipulation.
bZx developers were initially receiving information from the liquidity aggregator Kyber but changed to the Chainlink oracle network after the attack. Chainlink participants get prices from different exchanges and record them in the Ethereum network. To protect the system from fake information, the average of the prices is calculated.
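The two points above (a thin pool's price moves sharply with trade size, and a feed built from several sources resists one bad source) can be seen in a short simulation. This is an added example, not code from the article or from any of the projects named. It assumes Uniswap's constant-product formula (x * y = k, 0.3% fee), uses constructed reserves and venue prices, and shows a median beside the average the article mentions for comparison.

```python
from statistics import median

FEE = 0.003  # 0.3% swap fee charged by Uniswap pools

def swap(reserve_in, reserve_out, amount_in):
    """Constant-product swap (x * y = k). Returns the reserves after the trade."""
    effective_in = amount_in * (1 - FEE)
    amount_out = reserve_out * effective_in / (reserve_in + effective_in)
    return reserve_in + amount_in, reserve_out - amount_out

def spot_price(reserve_eth, reserve_btc):
    """ETH per BTC implied by the pool's current reserves."""
    return reserve_eth / reserve_btc

def price_impact(reserve_eth, reserve_btc, eth_in):
    """Ratio of the post-trade spot price to the pre-trade spot price."""
    after = swap(reserve_eth, reserve_btc, eth_in)
    return spot_price(*after) / spot_price(reserve_eth, reserve_btc)

def aggregate(prices, max_deviation=0.05):
    """Mean, median, and the sources further than max_deviation from the median."""
    mid = median(prices)
    outliers = [p for p in prices if abs(p - mid) / mid > max_deviation]
    return sum(prices) / len(prices), mid, outliers

def collateral_value(btc_amount, price):
    """Value of BTC collateral in ETH at the given ETH-per-BTC price."""
    return btc_amount * price

# Constructed pool: 2,000 ETH against 50 BTC, so 40 ETH per BTC before any trade.
POOL = (2000.0, 50.0)
# Constructed feed: four unaffected venues plus the thin pool after a 1,000 ETH buy.
manipulated = spot_price(*swap(*POOL, 1000.0))
FEED = [40.1, 39.9, 40.0, 40.2, manipulated]

if __name__ == "__main__":
    for size in (10, 100, 1000):
        print(f"{size:>5} ETH buy moves the spot price x{price_impact(*POOL, size):.3f}")
    mean, mid, outliers = aggregate(FEED)
    print(f"mean={mean:.2f} median={mid:.2f} rejected={[round(p, 2) for p in outliers]}")
    print("10 BTC collateral at pool spot:", round(collateral_value(10, manipulated), 1))
    print("10 BTC collateral at median:  ", round(collateral_value(10, mid), 1))
```

A protocol that values collateral at the pool's spot price overstates it by the same factor as the price impact, while the median of the feed stays at the unaffected venues' level and the deviation check names the source to drop.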
When the market was in a panic, Chainlink hogged 22% of the total Ethereum bandwidth, so the oracle network had to decrease the required number of votes for reaching consensus from 21 to 7.
At one point the requester (Chainlink team) was submitting so many request transactions that it was actually consuming 22% of Ethereum's total bandwidth, compounding the problem even further https://t.co/sSuwgJyrW6
— ChainLinkGod.eth (@ChainLinkGod) March 14, 2020
After the Ethereum network congestion issues on Black Thursday, it looks like the parameters on some https://t.co/hO9I0FPjb2 price feeds have changed
— ChainLinkGod.eth (@ChainLinkGod) March 14, 2020
MakerDAO uses its own oracle network that collects data from exchanges and calculates the average via a smart contract. This is an expensive system and the developers want to upgrade it. Since many DeFi protocols use MakerDAO’s oracles, it may influence the entire sector.
What Should the DeFi Sector Do?
These attacks illustrate the vulnerability of DeFi projects during periods of high volatility. The complicated formulas underlying their algorithms simply don’t work.
An important part of a security audit for such projects is stress testing that shows how smart contracts behave in extreme scenarios. Another is monkey testing based on seemingly random actions. Tests like these help identify new attack vectors that may open with the introduction of new features like flash loans.
DeFi implies collective governance. The higher the level of decentralization, the more time it takes to make a decision.
Certain systems can be shut down to keep the assets safe, but such disruption may lead to losses when the market is unstable. Many teams have already tweaked their limits to make manipulation harder.
- MakerDAO needed 24 hours to tweak settings after the attack.
- bZx vulnerability led to a situation where over $2 million were at risk for 16 hours.
- Compound upgraded their system to give extra emergency rights to the developers and created an algorithm in case of an emergency MakerDAO shutdown.
- dYdX ramped up their trading thresholds.
There should always be a contingency plan if there is no way to avoid losses.
Three weeks after the attack, bZx developers published a post where they describe the actual attack and the measures taken to get the situation back to normal. They put forth a set of quite bold forecasts for the next 265 years. Yet, as it was published three days before the crash, there may be some adjustments required.
Traders may now close their position. The audited changes have been made.
— bZx (@bzxHQ) March 10, 2020
MakerDAO liquidators didn’t do their job properly during the attack. The error in the general code didn’t allow users to take part in the auction. The negative experience will probably incentivize the development of alternative clients since for the majority of DeFi protocols there are only official libraries.
Punishment for the participants responsible for the system’s operation may also become an additional security measure.
The emergence of tools like flash loans will likely lead to certain limitations and KYC procedures. Licensing the participants of the DeFi sector may become a business model.
The developers of the main existing protocols will try to fill up their reserves to prepare for future attacks.
Decision making will require more and more data; oracles will get more complicated and take on risk management functions.
All these aspects will create new challenges in terms of processing power, and DeFi may migrate to second-layer solutions.