Everything You Ever Wanted to Know About the DeFi ‘Flash Loan’ Attack
There’s now a case study for how DeFi can go awry.
bZx, the eighth-largest decentralized finance project according to DeFi Pulse, suffered two attacks last weekend following the introduction of “flash loans,” a new DeFi feature that limits a trader’s risk while improving the upside.
Led by CEO Tom Bean, the bZx team was attending ETHDenver, a major ethereum conference in Colorado’s capital, on Friday when an unknown attacker drained about $350,000 worth of ether from Fulcrum, the startup’s lending platform. As a post-mortem from the firm describes, the attacker took advantage of pricing data and a bug within the bZx protocol’s code to secure the payout.
bZx quickly shut down Fulcrum using a decidedly non-decentralized master key. Users and analysts saw an update hit GitHub, the code repository, that supposedly locked down endangered funds.
Trading resumed over the weekend with the firm announcing its intention to contain the damage in a variety of ways, including liquidating collateral to pay a now-uncovered loan, building an insurance fund and spreading losses across platform users. Despite the shocking incident, traders who had deposited money on bZx will barely feel the effects of the attack.
But that wasn’t the end of it. On Tuesday, Feb. 18, attackers hit bZx again, netting $633,000.
While the amounts of money lost are still relatively small for the world of cryptocurrency, the attacks demonstrate DeFi’s move into the big leagues and the attention it will now receive from manipulators and thieves.
If all this has been making your head spin, you’re in good company. Blockchain technology was complicated and abstract enough before people started building lending and trading services on top of it.
For the perplexed, CoinDesk offers the following explainer of the bZx hack and its broader lessons.
As the name implies, DeFi, or decentralized finance, aspires to one day offer a democratized alternative to the legacy financial system, where individuals can obtain credit on a peer-to-peer basis without relying on banks or other middlemen. For now, though, it’s a playground for traders – and a rough one at that.
Since the participants don’t know each other, DeFi lending is all based on collateral. Digital assets such as bitcoin and ether (the native cryptocurrency of the ethereum network) are notoriously volatile. To deal with this, DeFi lending applications such as MakerDAO let you borrow only 75 percent of your available collateral.
If the price of your asset begins to drop against the market, the smart contract underpinning the DeFi application will sell your asset at a certain spot price in order to protect the parties who loaned you money against your asset. Think of a pawnbroker who will only advance you $225 for an electric guitar worth $300.
The DeFi ecosystem also includes decentralized exchanges (DEX), where traders swap crypto assets without a central authority’s permission, their orders executed algorithmically on the ethereum blockchain.
Trading on-chain limits the range of assets involved to those that run on ethereum (native currency ether and various flavors of ERC tokens). But it allows sophisticated users to do some interesting tricks, as we’ll see shortly.
For a DeFi credit market to run properly, lenders must know the value of the collateral, so they need pricing information. This is data often gathered from crypto exchanges. In bZx’s case, the source was Kyber, a DEX.
The trouble is, crypto exchanges’ price information is all over the place.
Take as a loose example the spot-value differences between the top five exchanges by 24-hour volume for the most liquid digital asset, bitcoin:
Spot prices are often very different from one another because no single venue owns a crypto trade pairing product, said Sergey Nazarov, CEO of Chainlink, a crypto price data firm. Unlike in the traditional markets, where trading of, say, Apple shares happens only on Nasdaq, in crypto, most anyone with the technical knowhow can spin up an exchange on their laptop – in fact, that’s how the first exchanges started. Aggregating prices across such a fragmented market is a Herculean task, Nazarov said.
As in other financial markets, the wide discrepancy in prices also creates opportunities for traders to make money. Enter flash loans.
Flash loans are a further innovation on top of DeFi and ethereum, the blockchain most often associated with the concept of “programmable money.” The product was first released by DeFi protocol Aave this January and then by bZx on Feb. 10.
In short, flash loans allow traders to take out uncollateralized loans to increase the payout of a single trade. Returning to the pawnshop analogy, you can borrow the cash without surrendering your guitar.
Why would any lender agree to this, especially in a market where participants are anonymous? Because as the name implies, flash loans are paid back quickly – in the same transaction in which they are taken out.
Who would borrow money just to pay it back immediately? Clever arbitrageurs, that’s who.
As we’ve seen, different crypto markets have different prices for a given digital asset. A user can turn a quick profit by borrowing funds; buying low on one market; selling high on the other market; repaying the loan; and pocketing the profit. Again, this is all done within the same on-chain transaction, since the markets are DEXs often running on ethereum. The arbitrageur just has to code all the steps into the same computer program, known as a smart contract.
To boot, flash loans are nearly risk-free, at least for the borrower. Since the ethereum network settles transactions atomically, meaning every step within a transaction executes or none does, a trader who cannot pay back his loan with his trade loses nothing.
Why? Because the transaction never occurs.
As Aave writes, all transactions, from the loan to the trade, take place at once on the network. If the network sees that a flash loan would not be instantly repaid, it will refuse every transaction associated with it, in effect canceling the whole thing. No harm, no foul.
If it goes through, however, everything is executed at the same time, resulting in a successful trade. The lender collects a small fee, the trader is richer. Everybody wins.
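The all-or-nothing settlement described above, as an added Python sketch that is not code from Aave, bZx or the original article. The toy ledger, the account names, the amounts and the 0.09 percent fee are assumptions chosen for illustration.

```python
class Revert(Exception):
    """Raised to abort a transaction; every state change is discarded."""

class Chain:
    """Toy ledger with all-or-nothing transactions (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx(chain); on Revert restore the pre-transaction snapshot."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

FEE_BPS = 9  # assumed lender fee in basis points (0.09%), illustration only

def flash_loan(chain, borrower, amount, use_funds):
    """Lend without collateral; the whole transaction reverts unless
    principal plus fee is back in the pool before it ends."""
    chain.transfer("pool", borrower, amount)
    use_funds(chain)                         # borrower's own steps
    owed = amount + amount * FEE_BPS // 10_000
    chain.transfer(borrower, "pool", owed)   # raises Revert if short

def profitable_trade(chain):
    # Constructed stand-in for an arbitrage that nets 50 units.
    chain.transfer("market", "trader", 50)

def losing_trade(chain):
    # Constructed stand-in for a trade that loses 30 borrowed units.
    chain.transfer("trader", "market", 30)

def run(trade):
    chain = Chain({"pool": 10_000, "trader": 0, "market": 1_000})
    ok = chain.execute(lambda c: flash_loan(c, "trader", 10_000, trade))
    return ok, chain.balances

if __name__ == "__main__":
    print(run(profitable_trade))
    print(run(losing_trade))
```

In the losing case the ledger ends exactly as it started, which is why the lender can skip collateral: an unrepaid loan never becomes part of the chain's state.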
If only it were so simple.
As bZx’s weekend woes showed, flash loans can be dangerous when combined with buggy code, janky price feeds or both.
Instead of just buying low and selling high, the attacker or attackers used the borrowed funds to manipulate markets that were unusually vulnerable to it. In both attacks, bZx got the short end of the stick.
In the first attack, for example, through a complex web of transactions, the attacker pumped and then dumped WBTC (“wrapped bitcoin,” an ethereum token backed by actual bitcoin) on a DEX called Uniswap; took profits in ether; repaid the flash loan -- and stiffed bZx on another loan related to the WBTC pumping.
“The magic under the hood is the fact how the Uniswap WBTC/ETH was manipulated up to 61.4 for profit,” according to an analysis by blockchain security firm PeckShield. “The WBTC/ETH price was even pumped up to 109.8 when the normal market price was at only around 38. In other words, there is an intentional huge price slippage triggered for exploitation.”
In this attack, a poorly set up price feed certainly did not help, but the blame falls on the code, PeckShield CEO Jiang Xuxian told CoinDesk. Where a security wire should have been tripped as the price got out of whack, it failed to go off, Xuxian said.
The second attack came down to bad price data, specifically from DeFi network Kyber, bZx co-founder Kyle Kistner told CoinDesk. This time, the attacker focused on Synthetix USD (SUSD), a dollar-pegged stablecoin on the Synthetix Network.
The attacker borrowed 7,500 ether on bZx then pumped the value of SUSD on Kyber by swapping ether for SUSD. The purchase of so much SUSD caused the price to jump 2.5x the prevailing market rate of $1, writes PeckShield.
The attacker then took advantage of bZx’s dependency on Kyber for pricing data, putting up the SUSD as collateral for a large sum of ether; in fact, 2,000 more ether than the same amount of SUSD would have normally purchased on an open market.
After paying back the flash loan, the attacker reneged on paying back the uncollateralized SUSD/ETH loan, resulting in a tidy 2,378 ETH profit and bZx holding buttons.
For smaller exchanges such as bZx, and DeFi in general, the pairing of innovative financial features like flash loans with systematic reliance on bad pricing data is exposing exchanges to new attacks, said Chainlink’s Nazarov.
“Do not use [a] single specific exchange as a price feed,” Nazarov said, “If it becomes thinly traded, people look at and they say, ‘Okay, this is how I'm building a product against this market or against that piece of data.’”
In fact, the specific attack against bZx was described months before it occurred by white hat hacker Samczsun in a detailed blog post. As Samczsun wrote at the time, hypothesizing an exploit involving bZx, the ethereum token known as DAI and another decentralized exchange called DDEX:
“By relying on an on-chain decentralized price oracle without validating the rates returned, DDEX and bZx were susceptible to atomic price manipulation. This would have resulted in the loss of liquid ETH in the ETH/DAI market for DDEX, and loss of all liquid funds in bZx.”
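What "validating the rates returned" can look like, as an added Python sketch that is not bZx, Kyber or Chainlink code. The constant-product pool, the reserve sizes, the three reference feeds and the 5 percent tolerance are assumptions; the 75 percent loan-to-value figure is the one quoted earlier in this article.

```python
from statistics import median

class ConstantProductPool:
    """Toy x*y=k pool without fees; spot price = quote reserve / base reserve."""
    def __init__(self, base, quote):
        self.base, self.quote = base, quote

    def spot_price(self):
        return self.quote / self.base

    def buy_base(self, quote_in):
        """Swap quote_in of the quote asset for base; returns base received."""
        k = self.base * self.quote
        self.quote += quote_in
        base_out = self.base - k / self.quote
        self.base -= base_out
        return base_out

class PriceRejected(Exception):
    """The primary feed disagrees with the reference feeds."""

def validated_price(primary, references, max_deviation=0.05):
    """Accept the primary feed only if it lies within max_deviation of the
    median of independent reference feeds; otherwise refuse to price."""
    ref = median(references)
    if abs(primary - ref) / ref > max_deviation:
        raise PriceRejected(f"primary {primary:.3f} vs reference {ref:.3f}")
    return primary

def max_borrow(collateral_units, price, ltv=0.75):
    """Largest loan allowed against the collateral at the given price."""
    return collateral_units * price * ltv

def demo():
    pool = ConstantProductPool(base=100.0, quote=100.0)  # constructed thin market
    references = [1.00, 1.01, 0.99]                      # constructed independent feeds
    honest = validated_price(pool.spot_price(), references)
    pool.buy_base(50.0)              # one large swap moves the spot price
    skewed = pool.spot_price()
    naive_limit = max_borrow(1_000, skewed)   # lender trusting the single feed
    try:
        validated_price(skewed, references)
        rejected = False
    except PriceRejected:
        rejected = True
    return honest, skewed, naive_limit, rejected

if __name__ == "__main__":
    print(demo())
```

The check only helps when the reference feeds cannot be moved inside the same transaction as the primary one, for example prices aggregated off-chain or averaged over time.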
Nazarov said that the issue is not specific to bZx, but affects many exchanges within DeFi that rely upon a few on-chain pricing APIs. His firm is now working with bZx on addressing the issue, he added.
Kistner acknowledged that the bZx team believed the oracle problems had been fixed after Samczsun’s disclosures and had even had the code independently audited. As Tuesday’s attack showed, the problems were not fixed.
“It's terrible to have consulted with security professionals but then be made a laughingstock when you follow their advice,” Kistner said.
As Nazarov pointed out, you can have all the auditors in the world greenlighting your code, but if it is based on poor data such as on-chain pricing, failure is inevitable.
“The technical risk here is not just about contract code. The code can be fantastic and audited as much as you want. But what’s going on is that you're creating new functionality which creates new surface areas which need to be secured,” Nazarov said.
Nazarov said the attacks, although unfortunate, are a lesson for DeFi in general. Pricing data is “a well-known architectural issue” that needs to be addressed, he said. “If you're building an app that's going to hold client funds, the fact that it's automated is great, but it doesn't mean that your work from a security point of view is done because the contract goes on ethereum.”
At bZx, the team has turned its attention toward securing the network. Kistner said trading will resume again shortly using Chainlink oracles for pricing, although no new users will be onboarded. For the future, Kistner said bZx will look at replicating the infrastructure of MakerDAO, the largest DeFi provider.
“When we are done revamping our internal processes, we want to set a standard for both security and transparency,” he said.