bZx, the eighth-largest decentralized finance project according to DeFi Pulse, suffered two attacks last weekend following the introduction of "Flash loans," a new DeFi feature that limits a trader's risk while improving the upside.
If the price of your asset begins to drop against the market, the smart contract underpinning the DeFi application will sell your asset at a certain spot price in order to protect the parties who loaned you money against your asset.
For a DeFi credit market to run properly, lenders must know the value of the collateral, so they need pricing information.
Flash loans are a further innovation on top of DeFi and ethereum, the blockchain most often associated with the concept of "Programmable money." The product was first released by DeFi protocol Aave this January and then by bZx on Feb. 10.In short, flash loans allow traders to take out uncollateralized loans to increase the payout of a singular trade.
As bZx's weekend woes showed, flash loans can be dangerous when combined with buggy code, janky price feeds or both.
In the first attack, for example, through a complex web of transactions, the attacker pumped and then dumped WBTC on a DEX called Uniswap; took profits in ether; repaid the flash loan - and stiffed bzX on another loan related to the WBTC pumping.
"The WBTC/ETH price was even pumped up to 109.8 when the normal market price was at only around 38. In other words, there is an intentional huge price slippage triggered for exploitation."
The second attack came down to bad price data, specifically from DeFi network Kyber, bZx co-founder Kyle Kistner told CoinDesk.
Lessons for DeFi.For smaller exchanges such as bZx, and DeFi in general, the pairing of innovative financial features like flash loans with systematic reliance on bad pricing data is exposing exchanges to new attacks, said Chainlink's Nazarov.
As Samczun wrote at the time, hypothesizing an exploit involving bZx, the ethereum token known as DAI and another decentralized exchanges called DDEX:."By relying on an on-chain decentralized price oracle without validating the rates returned, DDEX and bZx were susceptible to atomic price manipulation. This would have resulted in the loss of liquid ETH in the ETH/DAI market for DDEX, and loss of all liquid funds in bZx."
Everything You Ever Wanted to Know About the DeFi 'Flash Loan' Attack
Published on Feb 19, 2020
by Coindesk | Published on Coinage
Coinage
Mentioned in this article
Recent News
View All
Blockchain Bites: Bitcoin's Run, Uniswap's Hemorrhaging Value, Anchorage's Banking Bid
Bitcoin is nearing all-time highs in price and market cap last set three years ago.
Japan's megabanks to lead experiment with digital yen
We have, in order, Cheese Bank with a $3.3 million theft, Akropolis with its $2 million loss, Value DeFi with a whopping $6 million exploit and finally Origin Protocol's loss of $7 million.
Number of new Bitcoin addresses spikes amid growing FOMO
Japan's three largest banks, as part of a group of 30 private sector actors, are set to collaborate on an experiment with a digital yen.
Not just Wall Street: Quant trader explains why Bitcoin price is going up
Sam Trabucco, a quantitative trader at Alameda Research, believes four general factors are pushing up the price of Bitcoin.