Token Tuesdays

DeFi Gets Flash F*cked

A Look Into The Recent bZx Exploits Using Flash Loans

Fitzner Blockchain
Feb 19, 2020

Over the past year, Ethereum has seen substantial growth thanks to the rise of DeFi.

One of the biggest reasons for this success is the notion of composability - or the ability to combine multiple products with one another for unique services.

Up until this week, it was difficult to see any glaring issues with composability. However, within the past 7 days, the industry saw two clever attacks in which composability was used to exploit significant arbitrage opportunities to the tune of roughly $1M.

The most interesting part of these exploits (described below) is that there was no breach of code. Rather, the attackers submitted mega-transactions that included a crazy amount of actions to earn profit by leveraging different DeFi tools.

Beneath both of these attacks was a common vector: flash loans, or the ability to borrow capital for an extremely small window of time, in this case a single block.

In this week’s article, we’ll dive into how Flash Loans are intended to be used, along with analyzing how these attacks used them to “flash-f*ck” DeFi.

-Lucas and Cooper

$RIC 🐚 @ricburton
“The core of the debate here is whether we should be ruled by machines or by economics. When you have an immutable contract that can’t be upgraded, you are ruled by machines.” This is an absolutely incredible post-mortem on the #FlashFucking ⛈⛈⛈ Wow
Linked: bzx.network, “Post-Mortem”: This report is to issue a comprehensive accounting of the events and our response. TL;DR: No users have lost funds or will lose funds. Funds are SAFU
1:21 AM ∙ Feb 18, 2020

Flash Loan Use-Cases

As a relatively new concept to the DeFi ecosystem, Flash Loans were created as a way to expedite transactions by batching multiple actions into a single block.

When executed properly, Flash Loans allow users to rebalance a position quickly and effectively - ultimately saving time and costs while providing a safeguard from liquidation penalties.

Smart contracts essentially allow users to borrow capital and repay it within a single transaction by routing different collateral through DeFi protocols.

Flash loans do not require collateral to initiate, meaning they can be used for a wide variety of DeFi uses including but not limited to:

  • Liquidation Protection

  • Self-Hedging

  • Self-Liquidations

  • Arbitrage Opportunities

  • Collateral Swaps

  • Debt Refinancing - Interest Rate + Currency Swaps

Flash loans are most commonly offered by Aave and dYdX, with each varying slightly in fee size:

Antonio Juliano @AntonioMJuliano
@lemiscate @PhABCD @JordanLzG @DegenSpartan @AaveAave @dydxprotocol @bzxHQ @UniswapExchange There’s no risk to dYdX when someone takes out a flash loan, and it doesn’t cost dYdX users anything. Having them free has made our product better, since we can offer things like no-fee margin trades. Somebody is always going to have 0 fee flash loans since it costs nothing
12:37 AM ∙ Feb 16, 2020

With this in mind, let’s dive into how attackers were able to use Flash Loans for some serious gains.

First Hack

In the midst of the EthDenver hackathon, news came out of a potential exploit in bZx and its underlying lending platform, Fulcrum. While it was initially thought to be a direct attack on the smart contract, it became apparent that all protocols involved in the exploit worked as intended - ultimately meaning this “attack” was just a highly sophisticated arbitrage exploit that leveraged flash loans.

bZx @bzxHQ
Funds are SAFU: 1/*All users have ZERO losses*. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other.
9:04 PM ∙ Feb 15, 2020

Here’s what happened:

  1. Originated a $2.7M flash loan from dYdX

  2. Deposited 5,500 ETH into Compound, borrowing 112 wBTC

  3. Shorted wBTC on bZx

  4. Sold the 112 wBTC to trigger the short

  5. Paid back the Compound loan

  6. Attacker nets ~$353,000

All of this occurred in one single transaction for a fee of less than $10. While the use cases for flash loans have been rather ambiguous within the DeFi community, the recent attack on bZx realized the potential of flash loans within complex arbitrage opportunities in a nascent and rather illiquid asset class.

A live look at the complexity of the first bZx hack. Graphic via Twitter

Building on the earlier sentiment of this not being a “hack”, a claim was submitted on Nexus Mutual - a decentralized insurance platform - asking to be compensated for the loss.

Seeing as there appeared to be no “technical breach”, Nexus token holders collectively agreed that “No” the claim should not be compensated.

Since then, new information showed that bZx smart contracts were actually exploited - leading to those with covers being compensated to the tune of ~$87,000.

In response to the attack, bZx shared a post-mortem describing the event in detail here.

Second Hack

While one attack on bZx was enough to induce a riot within the DeFi community, once word got out on how it was done, it should come as no surprise that another exploit occurred on the lending platform less than 48 hours later.

Here’s a look at the second exploit:

  1. Attacker took out a flash loan of 7,500 ETH

  2. Traded 3,517 ETH on Synthetix for $940k sUSD

  3. Used 900 ETH to purchase sUSD on Kyber, pushing the price of sUSD to over $2 on Uniswap

  4. Borrowed 6,769 ETH on bZx with sUSD as collateral (the inflated price allowed them to take out significantly more than intended)

  5. Used the borrowed ETH (6,796) and the remaining ETH balance (3,083) to repay the 7,500 ETH flash loan

  6. Attacker nets ~$650,000

The aftermath of the attack left the bZx ETH pool down roughly $1.8M while the sUSD pool gained $1.1M, leaving $640,000 to the attacker.

Visualizing bZx Exploit #2. Source via Bloxy

bZx @bzxHQ
1/ WHAT WE KNOW SO FAR: There was a second attack. This attack was completely different from the first. This time it was an oracle manipulation attack, a modified version of the original exploit we worked closely with @samczsun to fix:
Linked: samczsun.com, “Taking undercollateralized loans for fun and for profit”: Price manipulation, now with 100% more blockchain
1:29 PM ∙ Feb 18, 2020

Why This is Good for DeFi

These two exploits show that flash loans may be a problem for DeFi in the near future. The ability to easily take out a loan of any size, so long as it is paid back within the same transaction, allows users to capitalize on complex arbitrage and governance exploits.

The above bZx exploit is a prime example of the potential for flash loans within arbitrage opportunities. In terms of governance, it is clear that flash loans could be used to manipulate governance protocols like MakerDAO. By leveraging a flash loan for MKR, users could vote on any proposal with a disproportionate amount of MKR and sway the proposal for their own benefit (rather than the protocol at large). 

While this may seem like the end-all be-all for decentralized finance, it actually battle-hardens these protocols to become antifragile. Ultimately, this short-term pitfall is necessary for the long-term growth of DeFi.

Flash loans will force projects to build more defensible mechanisms against these types of attacks. While deeper liquidity is the obvious remedy for arbitrage exploits, it will be interesting to see how other protocol teams build defenses against these in the future. Uniswap and ChainLink are both working on more robust oracle designs, mitigating these loopholes by drawing on multiple price sources so that no single manipulable feed becomes a point of failure.

vitalik.eth @VitalikButerin
The planned uniswap v2 price oracle design is resistant to the recent flash loan attacks.
Quoting Hayden Adams 🦄 @haydenzadams
Uniswap V2 includes greatly improved price oracle functionality. Stay tuned for how we achieved this. In the mean time, for a mathematical background and theory on why Uniswap can be a good oracle, this new article by @gauntletnetwork is mandatory reading https://t.co/OR2gzrWbWu
4:52 PM ∙ Feb 18, 2020

For governance manipulation, it becomes fairly easy to prevent flash loan manipulation by requiring all tokenized votes to be locked for an extended period of time (> 1 block). MakerDAO has already begun initiatives to implement this type of mechanism in order to successfully prevent the protocol from these sorts of attacks.
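To make the oracle problem behind the second exploit concrete, here is an added example (not code from this article, bZx or Uniswap) that models a hypothetical ETH/sUSD constant-product pool as the price source for a lending market: one large buy inside a transaction inflates the collateral value a spot-price oracle reports, while a simplified block-sampled average (a stand-in for the Uniswap v2 accumulator design mentioned above, not its exact implementation) is unchanged inside that same transaction. The reserves, trade size and collateral ratio are constructed numbers.

```python
class Pool:
    """Hypothetical ETH/sUSD constant-product pool (x * y = k, fee ignored)."""
    def __init__(self, eth: float, susd: float) -> None:
        self.eth, self.susd = eth, susd

    def spot_susd_in_eth(self) -> float:
        return self.eth / self.susd          # ETH per sUSD from current reserves

    def swap_eth_for_susd(self, eth_in: float) -> float:
        k = self.eth * self.susd             # sUSD out keeps eth * susd constant
        self.eth += eth_in
        susd_out = self.susd - k / self.eth
        self.susd = k / self.eth
        return susd_out


class BlockAverageOracle:
    """Samples the pool price once per block and averages the last `window`
    samples. Simplified stand-in for Uniswap v2's cumulative accumulator: a
    trade inside the current block is invisible until the block ends."""
    def __init__(self, pool: Pool, window: int) -> None:
        self.pool, self.window, self.samples = pool, window, []

    def end_block(self) -> None:
        self.samples.append(self.pool.spot_susd_in_eth())

    def price(self) -> float:
        recent = self.samples[-self.window:]
        return sum(recent) / len(recent)


def max_borrow_eth(collateral_susd: float, price: float, ratio: float) -> float:
    # Lending rule: borrow up to collateral value divided by the required ratio
    return collateral_susd * price / ratio


def simulate(window: int = 10, ratio: float = 1.5) -> dict:
    # Constructed reserves: 2,000 ETH against 500,000 sUSD (0.004 ETH per sUSD)
    pool = Pool(eth=2_000.0, susd=500_000.0)
    fair = pool.spot_susd_in_eth()
    oracle = BlockAverageOracle(pool, window)
    for _ in range(window):                  # quiet history before the trade
        oracle.end_block()
    collateral = pool.swap_eth_for_susd(900.0)   # one large buy in the same tx
    spot_borrow = max_borrow_eth(collateral, pool.spot_susd_in_eth(), ratio)
    return {
        "spot_borrow": spot_borrow,                          # lender reads spot
        "twap_borrow": max_borrow_eth(collateral, oracle.price(), ratio),
        "fair_borrow": max_borrow_eth(collateral, fair, ratio),
        "lender_shortfall": spot_borrow - collateral * fair,  # ETH at risk
    }
```

With these inputs the spot-priced market lends about 870 ETH against sUSD worth roughly 621 ETH at the pre-trade price, while the block-averaged oracle still allows only the fair ~414 ETH.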

Looking Ahead

Despite the recent attacks, it’s worth noting that the community is rallying in spades, effectively searching for different ways to prevent similar exploits in the future.

Sergey Nazarov @SergeyNazarov
1/ We're in the process of helping @bzxHQ solve this pricing data manipulation issue for the long-term by using our decentralized oracle network's price reference data; feeds.chain.link providing both a decentralized oracle mechanism and multiple quality data aggregators.
Emin Gün Sirer @el33th4xor
Given exchange depth, the amounts available for flash loans, and use of DEX price oracles, these results are inevitable.
8:02 PM ∙ Feb 18, 2020

If one thing is for certain, the recent economic weapons have pushed DeFi protocols to further collaborate - ultimately making composability even stronger in the future.

Over the next few weeks, we’ll be keeping a close eye out for any further updates.

Until then, stay safe and don’t get flash f*cked.
