Professional Documents
Culture Documents
FL Paper 2
FL Paper 2
FL Paper 2
← Older Newer →
TL;DR Flash loans are a recent blockchain smart contract construct that
enable the issuance of loans that are only valid within one transaction
and must be repaid by the end of that transaction. This concept has led to
a number of interesting attack possibilities, some of which have been
exploited recently (February 2020). We analyze those two existing DeFi
몭ash loan attack vectors with signi몭cant ROIs (beyond 500k%). We go on
to formulate 몭nding 몭ash loan-based attack parameters as an
optimization problem over the state of the underlying DeFi state and
Ethereum blockchain. Our results show how the two previously executed
attacks can be boosted to result in a pro몭t of 829.5k USD (instead of 350k
USD) and 1.1M USD (instead of 600k USD), respectively. For a light read
feel free to proceed, for all details, we would like to refer to our paper.
A 몭ash loan, taken from a liquidity pool, used, and repaid within one transaction.
Here, blockchain-based 몭ash loans come into play. A 몭ash loan is a loan
that is only valid within one blockchain transaction. Flash loans fail, if the
borrower does not repay its debt before the end of the transaction
borrowing the loan. That is, because a blockchain transaction can be
reverted during its execution, if the condition of a repayment is not
satis몭ed.
The assets for the 몭ash loan are taken from a publicly funded smart
contract pool. At the time of writing, some of the biggest 몭ash loan pools
are provided by Aave and dYdX, each exceeding 20M USD in value. Aave
charges an interest rate of 0.09%, while dYdX’s smart contract only
demands the repayment plus 1 Wei in fees.
To gauge 몭ash loan usage, we collected 몭ash loan data between the 8th of
January 2020 and the 26th of February 2020 with a full archive Ethereum
node gathering all event logs from the Aave smart contract. Note that
Aave only went live early January 2020. We observe a total of 105 loans,
and most 몭ash loans interact with lending/exchange DeFi systems (e.g.
Compound, Dai, MakerDAI, Uniswap). The 몭ash loan's transaction costs
(i.e. gas) appear signi몭cant (at times beyond 4M gas, compared to 21k gas
for regular Ether transfer). The full details can be found in Figure 5 in the
accompanying paper.
Arbitrage
Given 몭ash loans, a trader can perform arbitrage on di몭erent DEX,
without the need to hold a monetary position or being exposed to
volatility risks. The trader can simply open a loan, perform an arbitrage
trade and pay back the loan plus interests. One may argue that 몭ash
loans render arbitrage risk-free, the risks of smart contract vulnerabilities
however remain.
Arbitrage Example On the 18th Jan 2020, a 몭ash loan borrowed 3,137.41
DAI from Aave to make an arbitrage trade on the AMM DEX Uniswap. To
prepare the arbitrage, DAI is converted to 3137.41 SAI using MakerDAO's
migration contract. The arbitrage converts SAI for 18.16 ETH using
SAI/ETH Uniswap, and then immediately converts 18.16 ETH back to
3,148.39 DAI using DAI/ETH Uniswap. After the arbitrage, 3,148.38 DAI is
transferred back to Aave to pay the loan plus fees. This transaction costs
0.02 ETH of gas. Note that even though the transaction sender gains 3.29
DAI from the arbitrage, this particular transaction is not pro몭table.
Wash Trading
Another potential 몭ash loan use case is wash trading.
Wash trading example On March 2nd, 2020, a 몭ash loan of 0.01 ETH
borrowed from dYdX performed two back-and-forth trades (몭rst
converted 0.01 ETH to 122.1898 LOOM and then converted 122.1898
LOOM back to 0.0099 ETH) on the Uniswap ETH/LOOM market. The 24-
hour trading volume of the ETH/LOOM market increased by 25.8% (from
17.71 USD to 22.28 USD) as a result of the two trades.
We elaborate on two other 몭ash loan use cases, collateral swapping and
몭ash minting, in our paper.
The core of this trade involves a margin trade on a DEX (bZx) to increase
the price of WBTC/ETH on another DEX (Uniswap) and thus creates an
arbitrage opportunity. The trader then borrows WBTC using ETH as
collateral (on Compound), and then purchases ETH at a “cheaper” price on
the distorted (Uniswap) DEX market. To maximise the pro몭t, the
adversary then converts the “cheap” ETH to purchase WBTC at a non-
manipulated market price over a period of two days after the 몭ash loan.
The adversary then returns WBTC (to Compound) to redeem the ETH
collateral. The following 몭gure outlines how this trade mainly consists of
two parts. For simplicity, we omit the conversion between WETH (the
ERC20-tradable version of ETH) and ETH. The full details are outlined in
the paper.
Oracle Manipulation
In the following, we discuss the details of a second 몭ash loan trade, which
yields a pro몭t of 2,381.41 ETH (c. 650k USD) within a single transaction
executed on the 18th of February 2020, given a transaction fee of 118.79
USD. We again 몭nd that the chosen attack parameters were sub-optimal
and present attack parameters that would yield a pro몭t of 1.1M USD
instead. For this attack, the adversary involves three di몭erent exchanges
for the same sUSD/ETH market pair (the Kyber-Uniswap reserve, Kyber,
and Synthetix). Two of these exchanges (Kyber, Kyber-Uniswap) act as
price oracles for the lending platform (bZx) from which the adversary
borrows assets.
Price oracle: One of the goals of the DeFi ecosystem is to not rely on
trusted third parties. This premise holds both for asset custody as well as
additional information, such as asset pricing. One common method to
determine an asset price is hence to rely on the pricing information of an
on-chain DEX (e.g. Uniswap). One drawback of this approach, is the
danger of a DEX price manipulation.
For the Pump and Arbitrage attack, the optimizer provides parameters
that would yield a maximum revenue of 2,778.94 ETH, while in the original
attack the parameters only yield 1,171.70 ETH. Our Figure above
highlights the ideal amounts that should have been used in the attacks.
Note, due to the ignorance of trading fees and precision di몭erences,
there is a minor discrepancy between the original attack revenue
calculated with our model and the real revenue which is 1,193.69 ETH.
This is a 829.5k USD gain over the attack that took place.
Responsible disclosure
It is somewhat unclear how to perform responsible disclosure within DeFi,
given that the underlying vulnerability and victim are not always perfectly
clear and that there is a lack of security standards to apply. We reached
out to Aave, Kyber, and Uniswap to disclose the contents of this work.
Potential defenses
Here we discuss several potential defenses. However, we would be the
몭rst to admit that these are not foolproof and come with potential
downsides that would signi몭cantly hamper normal interactions.
Outlook
In the future, we anticipate DeFi protocols eventually starting to comply
with a higher standard of security testing, both within the protocol itself,
as well as part of integration testing into the DeFi ecosystem. We believe
that eventually, this may lead to some form of DeFi standards where it
comes to 몭nancial security, similar to what is imposed on banks and other
몭nancial institutions in traditional centralized (government-controlled)
몭nance.
← Older Newer →
Share on Twitter Share on Facebook
ALSO ON HACKING, DISTRIBUTED
3 Comments
1 Login
Join the discussion…
LOG IN WITH
OR SIGN UP WITH DISQUS ?
Name
Sort by Best ⥅
Zarathustra • a year ago
Someone can teach me? XD
△ ▽ • Reply • Share ›
ev > Zarathustra • a year ago
contact me on needdonor4cmpny@protonmail.com
△ ▽ • Reply • Share ›
ali abdollahian > Zarathustra • a year ago
after recieving 2BNB
t.me/pikowele
△ ▽ • Reply • Share ›
Subscribe
Projects
AVA
Falcon
Teechan
Vaults
Bitcoin-NG
Recent Posts
Archive By Date
Attacking the DeFi Ecosystem with Flash Loans for Fun and Pro몭t
Libra: Succinct Zero-Knowledge Proofs with Optimal Prover
Computation
Liberating web data using DECO, a privacy-preserving oracle
protocol
Ostraka: Blockchain Scaling by Node Sharding
On Stablecoins and Beauty Pageants
Decentralize Your Secrets with CHURP
The Old Fee Market is Broken, Long Live the New Fee Market
One File for the Price of Three: Catching Cheating Servers in
Decentralized Storage Networks
On-Chain Vote Buying and the Rise of Dark DAOs
Choose-Your-Own-Security-Disclosure-Adventure
more...
Popular
Introducing Weaver
How to Disincentivize Large Bitcoin Mining Pools
How A Mining Monopoly Can Attack Bitcoin
What Did Not Happen At Mt. Gox
Bitcoin is Broken
Stack Ranking Is Not The Cause of Microsoft's Problems
How the Snowden Saga Will End
What's Actually Wrong with Yahoo's Purchase of Summly
Broken By Design: MongoDB Fault Tolerance
Introducing Virtual Notary
The Principled Documentation Manifesto
Introducing HyperDex Warp: ACID Transactions for NoSQL
Blog Tags
bitcoin / security / ethereum / hyperdex / release / nosql / sel몭sh-
mining / blocksize / dao / surveillance / privacy / mongo / broken /
weaver / nsa / meta / leveldb / blockchain / 51% / voting / smart
contracts / graph stores / decentralization / bitcoin-ng / vaults /
snowden / satoshi / philosophy / mt. gox / mining pools
Copyright © 2013-2020