The 'flash loan' attacks on DeFi changed everything

    Flash loans have become the focus of recent attention. Two hackers used flash loans to attack the bZx margin trading protocol. The first was a $350,000 raid, followed by a similar copycat attack for $600,000.

    For better or for worse, it has to be admitted that these attacks were, in a way, quite “miraculous”. In each case, a penniless attacker instantly borrowed hundreds of thousands of dollars of ETH, threaded it through a chain of vulnerable on-chain protocols, extracted hundreds of thousands of dollars in stolen assets, and then repaid the huge ETH loan. All of this happened instantly, in a single Ethereum transaction.

    No one knows the identity of these attackers or where they came from. Both started from nothing and stole hundreds of thousands of dollars, leaving no trace.

    Prior to these attacks, Haseeb Qureshi, managing partner at Dragonfly Capital's cross-border venture capital fund, had thought a lot about flash loans and their implications for DeFi's security.

    In short, he believes that flash loans are a major security threat. But flash loans will not go away and we need to think carefully about their impact on DeFi security in the future.

    What is a flash loan?

    The concept of flash loans was first introduced by Marble Protocol in 2018. Marble advertises itself as a “smart contract bank”, and its product is a simple yet great DeFi innovation: risk-free lending through smart contracts.

    How can a loan be risk-free?

    Traditional lenders face two forms of risk. The first is default risk: if the borrower runs off with the money, that is obviously very bad. The second is illiquidity risk: if the lender lends out too much of its assets at the wrong moment or does not receive timely repayments, the lender may unexpectedly become illiquid and unable to meet its own obligations.

    Flash loans minimize both of those risks. A flash loan basically works like this: I will lend you as much money as you want for this single transaction. But at the end of the transaction, you must pay me back at least the amount I lent you. If you are unable to do that, I will automatically roll back your transaction! (That's right, a smart contract can do that.)

    Put simply, your flash loan is atomic. If you do not pay back the loan, the whole thing is reverted as if the loan never happened.

    Things like this can only exist on a blockchain. You can't make flash loans on BitMEX. Smart contract platforms process transactions one at a time, so everything that happens within a transaction is executed serially. In effect, your transaction “freezes time” while it is in progress. A centralized exchange, on the other hand, may have conditions under which your order cannot be executed. On the blockchain, you are guaranteed that all of your code runs one line after the next.
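
    The all-or-nothing behaviour described above can be modelled in a few lines. This is an added example, not code from the article or from any lending protocol: the `Chain` ledger, the account names and the 1% "venue" opportunity are constructed for illustration, and only the 0.09% fee is taken from the article.

```python
class Revert(Exception):
    """Aborts the current transaction; every state change is discarded."""

class Chain:
    """Toy ledger standing in for on-chain state (integer token units)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx all-or-nothing: keep changes on success, restore on Revert."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

FEE_BPS = 9  # 0.09% of principal, the AAVE fee quoted in the article

def flash_loan(chain, pool, borrower, amount, use_funds):
    """Lend with no collateral, then insist on principal + fee before returning."""
    owed = chain.balances[pool] + amount * FEE_BPS // 10_000
    chain.transfer(pool, borrower, amount)
    use_funds(chain)                      # borrower's arbitrary logic runs here
    if chain.balances[pool] < owed:       # the lender's only protection
        raise Revert("flash loan not repaid")

def repaying_borrower(chain):
    # Constructed opportunity: "venue" returns 1% more than it receives.
    chain.transfer("alice", "venue", 500_000)
    chain.transfer("venue", "alice", 505_000)
    chain.transfer("alice", "pool", 500_450)   # principal + 0.09% fee

def defaulting_borrower(chain):
    chain.transfer("alice", "bob", 500_000)    # tries to walk away with the loan

def demo(use_funds):
    """Return (committed, final balances) for one flash-loan transaction."""
    chain = Chain({"pool": 1_000_000, "venue": 50_000, "alice": 0})
    ok = chain.execute(lambda c: flash_loan(c, "pool", "alice", 500_000, use_funds))
    return ok, chain.balances

if __name__ == "__main__":
    print(demo(repaying_borrower))
    print(demo(defaulting_borrower))
```

    In the defaulting case the ledger ends exactly where it started, which is why the lender carries no default risk even though the borrower began with a zero balance.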

    (Image: flash loan exploit code, via Remco Bloemen)

    Economically, traditional lenders are compensated for two things: the risk they take on (default risk and liquidity risk) and the opportunity cost of the capital they are lending (for example, if I can earn 2% interest elsewhere on that capital, the borrower must pay me more than the risk-free 2%).

    Flash loans are not like that. They carry no risk and no opportunity cost! This is because the borrower “freezes time” during the flash loan, so in the eyes of anyone else, the system's capital is never at risk and never tied up, and so it could not have earned interest elsewhere (no opportunity cost).

    That means there is no cost to being a flash lender. This is extremely counterintuitive. So what is the cost of a flash loan at equilibrium (i.e., when supply and demand are in balance)?

    Basically, flash loans should be free. Or, rather, there should be a fee small enough to amortize the cost of including the 3 additional lines of code that make an asset flash-lendable.

    Flash loans cannot be charged interest in the traditional sense, because the loan is outstanding for zero time (any APR * 0 = 0). And of course, if flash lenders charge a higher rate, they will quickly be outcompeted by other flash lending pools.

    Flash lending turns capital into a true commodity. This race to the bottom inevitably leads to a zero or purely symbolic fee. The dYdX exchange now charges a zero fee for flash lending. AAVE, on the other hand, charges 0.09% of the loan principal. The author suspects this is unsustainable, and in fact their community has called for cutting the fee to zero. (Note that both of the above attacks use AAVE as the flash loan pool.)

    Flash attacks have great security implications

    What flash loans really bring us is probably flash attacks, in other words, capital-intensive attacks funded by flash loans. The author draws this conclusion from the recent bZx hacks and suspects they were only a prelude.

    There are 2 main reasons why flash loans are particularly attractive to attackers:

    1. Many attacks require a lot of up-front capital (such as oracle manipulation attacks). If you are making a positive ROI on $10 million of ETH, that is probably not arbitrage – you may be up to some nonsense.
    2. Flash lending minimizes the 'taint' on attackers. If I have an idea of how to manipulate an oracle with $10 million of ETH, even if I own that ETH, I might not want to risk my own capital. My ETH will be tainted, exchanges may reject my deposits and it will be hard to launder the money. Very risky! But if I use a flash loan for $10 million, who cares? dYdX's collateral pool won't be considered 'unclean' just because that's where I borrowed the money. The 'taint' on dYdX will gradually be forgotten.

    There is no way exchanges will be blacklisted under today's blockchain security model, because doing so is quite centralized. But the type of computation behind these attacks will be widely reported.

    In the Bitcoin white paper, Satoshi famously stated that Bitcoin is protected from attack because:

    "An attacker must find a higher profit when playing by the rules rather than weakening the system and the validity of his property."

    With flash loans, an attacker doesn't need to spend money to gain benefits. Flash loans significantly change the risk for an attacker.

    (Image: Haseeb Qureshi)

    And remember, flash loans can be stacked! Subject to the gas limit, you can combine every pool that offers flash loans in one transaction (up to $50 million) and bring all that capital to bear on a vulnerable contract. Yes, that is $50 million of on-chain capital that anyone can throw at a contract, as long as money comes out into their pockets. It's so scary.

    What does all this mean in the long run?

    Haseeb Qureshi believes that bZx attacks have changed everything.

    This will not be the last flash attack. The second bZx attack was a replica of the first, and he suspects it will set off a wave of attacks in the coming months. Right now, thousands of smart teenagers from the most remote places in the world are poking around DeFi, trying to find out whether there is any way they can launch a flash attack. By exploiting just one hole, they can earn a few hundred thousand dollars – a life-changing sum in most parts of the world.

    For protocols, flash attacks mean the threat model is gradually changing. Being hit by a flash attack after the bZx hack is as embarrassing as being hit by a re-entrancy attack after the DAO hack: you will become the joke of the cryptocurrency world. You should have been wary of that.

    Finally, these situations remind the author of an old concept in the field of cryptocurrency: miner-extractable value (MEV). MEV is the total value miners can receive from the blockchain system, including block rewards and fees. It also includes value extracted through trickery, such as reordering transactions or inserting rogue transactions into a block.

    In a nutshell, you should remember that all these flash attacks are single transactions in the mempool that generate tons of money. For example, the second bZx attack yielded a profit of 645K dollars in ETH in only one transaction. If you're a miner about to start mining a new block, you might look at the previous block's transactions and tell yourself: "Why am I trying to mine a new block for ~500 dollars, when that last block contained 645K dollars of profit?"

    Many would rather go back and try to rewrite history so that they become the flash attacker instead, because that transaction alone was worth more than 4 hours of honestly mining ETH blocks!

    This is similar to having a special mega block containing 1,000 times the regular block reward. As you would expect, the logical outcome of such a mega block is for miners to compete to orphan the tip of the chain and steal the block for themselves.

    In equilibrium, all flash attacks should be extracted by miners. (Note that they will eventually also take all on-chain price differences and liquidation transactions.) Ironically, this will play a role in preventing flash attacks, as it will prevent attackers from making money from these vulnerabilities. Perhaps miners will eventually start soliciting attack code through private channels and paying the attacker a finder's fee. Technically, this can be done trustlessly using zero-knowledge proofs. (That's strange, isn't it?)

    But for now, that is pretty much science fiction. Miners obviously don't do this today.

    Why don't they do that?

    There are countless reasons, the Ethereum Virtual Machine among them. It is very risky, because an error could result in lost funds or an orphaned block, causing an uproar. The rogue mining pool could then face a PR crisis and be considered an “enemy of Ethereum”. As such, miners would likely lose more in revenue and orphaned blocks than they would earn by trying to do this.

    That is true today but not necessarily true in the future.

    This gives Ethereum even more motivation to switch quickly to Ethereum 2.0. DeFi on Ethereum, while great and attractive, can be completely and irrecoverably broken. DeFi is unstable on a PoW chain, because all high-value transactions are exposed to reappropriation by miners (also known as time-bandit attacks).

    For these systems to operate at scale, it is imperative that miners cannot rewrite confirmed blocks. This will protect earlier blocks from being reappropriated. In addition, if DeFi protocols exist on separate Ethereum 2.0 shards, they will not be subject to flash attacks.

    In the author's estimation, flash attacks give us a small but useful reminder that this is still only the 'budding' stage. We are still far from having a sustainable architecture on which to build the financial system of the future.

    For now, flash loans are very new. But in the long run, all assets on Ethereum will be available for flash loans: all collateral held by exchanges such as Uniswap, and possibly all ERC-20 tokens.

    Who knows? It only takes a few lines of code.

    Minh Anh

    Bitcoin Magazine | Coindesk
