DeFi under scrutiny after flash loan trades expose system’s vulnerabilities

In the past week, an anonymous market manipulator instigated a sophisticated arbitrage attack against the bZx decentralized finance lending protocol, netting the “bad actor or group” an estimated $350,000 worth of ETH. In the days that followed, bZx suffered a separate Oracle-based attack. The suspect this time, whose method of attack mirrors that of the previous attack, garnered approximately $650,000 in ETH.  

​bZx is a lending and margin trading protocol on Ethereum, atop which Fulcrum is a front-end project that offers these bZx services at its core. The method utilized for the alleged heist was not an unauthorized intrusion across these projects and others, but rather a complex arbitration-like opportunity. The trader followed the rules of the said contract and loan system. They “apparently” exploited a logic bug in the smart contract intended to check that all positions end up safe. They took advantage of the low liquidity markets employed clear market manipulation tactics. 

​Both incidents involve a case of flash loans, a new type of Decentralized Finance (DeFi) primitive that allows users to conduct sophisticated sequences of financial activities within a single transaction. In simpler terms, these flash loans permit users to create a loan produced once it has been paid back, all in one transaction. This benefit makes flash loans a powerful tool and is subsequently one the crypto-economy now regards to be a double-edged sword. 

Flash Loans are marketed as “risk-free” because they leverage the ability of the Ethereum blockchain to execute atomic transactions. This safeguard means that if the Flash Loan fails because the executor does not return enough funds, the transaction is reversed. These flash loans enable merchants to take out a contract with no backing in which they take away the desire for collateral in the loan. Arbitrageurs use flash loans to stay on the side of good deals, which they code to hold out calculated arbitrage trades: the simultaneous shopping for and promoting of belongings in numerous markets.

Investigations into the event suggest an attacker or group of attackers used an Aave flash loan to borrow 10,000 ETH from the dYdX protocol. The small trove was then used to launch the DeFi attack.  ​The attacker put half of those funds into the Compound lending dApp, with which they borrowed 112 WBTC, a tokenized ERC20 version of Bitcoin. In a separate move, the suspect went to the bZx protocol and shorted WBTC on margin. And to depreciate the price, the agent sold borrowed WBTC on Uniswap, which cause the token price to tank, thus satisfying the bZx short effectively. The attacker, consequently, paid back the Aave loan and profited by some $350,000.  

​All events in the narrative occurred within a single transaction with no original collateral needed. It was both an ingenious and nefarious move, and would possibly lead to further speculation and uncertainty in the DeFi community in the future.

​Following the bZx assault, the DeFi sector reported a significant loss in locked-up belongings, falling an estimated $140 million from a peak of $1.2 billion on February 18. Weeks previous to the assaults, DeFi boasted a milestone $1 billion in whole locked-up assets. This deterioration was particularly noticeable in locked Ether, with total losses around 200,000 ETH, according to analytics.

​The DeFi movement is still in its early stages while the market remains on the road to maturity. Still, the sector is working without enough sandbox, an omission that could undoubtedly trigger more hiccups down the road. Developers can avoid these scenarios by exercising a thorough smart contract auditing process. In the aftermath, the bZx team has taken precautionary measures to defend against new assaults while DeFi stakeholders are now on high alert to further nefarious attempts against even larger-scale projects.

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.