Finance Redefined: You get hacked, they get hacked, everyone gets hacked, Nov. 11–18

Published at: Nov. 19, 2020

If people actually used insurance against hacks, this week would definitely have bankrupted a great many insurers. In the span of one week, a total of four flash loan-enabled exploits were registered (one actually happened the week before, but wasn’t noticed until later).

We have, in order, Cheese Bank with a $3.3 million theft, Akropolis with its $2 million loss, Value DeFi with a whopping $6 million exploit and finally Origin Protocol’s loss of $7 million.

In total, the hackers stole $18.3 million, which, admittedly, is not that much: less than the single October exploit of Harvest Finance.

As always, the most common comments on the subject are “were they audited?” and “flash loans are bad.” Now, in terms of auditing, I was able to find reports for all of them except Cheese Bank (maybe it was reviewed, it’s just not immediately obvious).

I feel like a broken record by now, but people really need to understand that audits are always going to be limited in their effectiveness. Security companies just don’t have enough eyes and enough time to find everything.

If you want to point at something, I’d focus on the fact that none of these except for Akropolis had an immediately discoverable bug bounty. Even then, given how easy it is to steal money in crypto, these projects should be far more competitive with their payments than any other sector. Audits, which apparently run for more than $200,000 if you want premium quality, don’t seem like the most efficient use of money.

Obviously, bounties won’t suddenly turn blackhat hackers into upstanding citizens, but it may change the life of some poor kid who does this for a living and decides to scan your protocol for his lottery ticket. They’d be more than happy to receive $100,000 and have a clean conscience while saving you millions of dollars down the line.

Flash loans are tough, but fair

As for flash loans, I think they’re the greatest tool for increasing DeFi market efficiency that we have at the moment. Their intended usage is to arbitrage various assets across protocols — buy low on Uniswap, sell high on SushiSwap, all without committing your own capital. They’re also useful to quickly unwind your positions on lending protocols, and I’m sure there are other uses. In short, they’re pretty great.

And yes, flash loans do make hacks simpler. But note that anything that can be done with a flash loan can also be done with a large pile of cash: the loan removes the capital requirement for the attacker, not the underlying bug, which also means that refusing flash-loan calls at the protocol level does not fix the weakness. Hackers may not be that wealthy in general, but it’s actually better for the ecosystem to weed out weak implementations and protocols before it grows to accommodate a billion-dollar hack.
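To make the two points above concrete (arbitrage across two pools without committing your own capital, and a loan that is not repaid simply unwinding), here is a small simulation added for this column. It is not code from Aave, Uniswap or SushiSwap: the pools are constant-product (x * y = k) AMMs with a 0.3% swap fee, the lender’s 0.09% flash-loan fee, the reserves and the loan sizes are constructed numbers, and the deep copy plus commit stands in for the all-or-nothing execution of an Ethereum transaction.

```python
"""Toy model of a flash loan used for cross-DEX arbitrage.

Added example for this column, not code from Aave, Uniswap or SushiSwap.
Both pools are constant-product (x * y = k) AMMs with a 0.3% swap fee, as in
Uniswap v2 and its forks; the lender's 0.09% flash-loan fee, the reserves and
the loan sizes are constructed numbers chosen to illustrate the mechanics.
"""
import copy
from dataclasses import dataclass

SWAP_FEE = 0.003        # 30 bps per swap, charged on the input amount
FLASH_FEE = 0.0009      # assumed lender fee: borrow 1,000 USDC, repay 1,000.90


@dataclass
class Pool:
    """Constant-product ETH/USDC pool. Reserves are floats for readability."""
    eth: float
    usdc: float

    def spot_price(self) -> float:
        return self.usdc / self.eth

    def buy_eth(self, usdc_in: float) -> float:
        usdc_eff = usdc_in * (1 - SWAP_FEE)
        eth_out = self.eth * usdc_eff / (self.usdc + usdc_eff)
        self.usdc += usdc_in
        self.eth -= eth_out
        return eth_out

    def sell_eth(self, eth_in: float) -> float:
        eth_eff = eth_in * (1 - SWAP_FEE)
        usdc_out = self.usdc * eth_eff / (self.eth + eth_eff)
        self.eth += eth_in
        self.usdc -= usdc_out
        return usdc_out


@dataclass
class State:
    """Everything a transaction can touch; cloned so a revert is a full rollback."""
    lender_usdc: float
    cheap: Pool   # pool where ETH trades lower
    rich: Pool    # pool where ETH trades higher


class FlashLoanReverted(Exception):
    """The borrower did not return principal + fee, so the whole tx unwinds."""


def flash_arbitrage(state: State, amount: float) -> float:
    """Borrow `amount` USDC, buy ETH on the cheap pool, sell on the rich pool,
    repay principal + fee. Returns the borrower's profit in USDC.
    Mutates `state` on success; raises (leaving it unchanged) on failure."""
    work = copy.deepcopy(state)           # stand-in for EVM tx-level atomicity
    work.lender_usdc -= amount            # lender hands out the principal
    eth = work.cheap.buy_eth(amount)      # leg 1: buy low
    proceeds = work.rich.sell_eth(eth)    # leg 2: sell high
    owed = amount * (1 + FLASH_FEE)
    if proceeds < owed:
        raise FlashLoanReverted(f"got {proceeds:.2f} USDC, owe {owed:.2f}")
    work.lender_usdc += owed              # lender is whole before anything commits
    state.__dict__.update(work.__dict__)  # commit the whole transaction
    return proceeds - owed


def best_loan_size(state: State, candidates):
    """Scan loan sizes on scratch copies; returns (amount, profit) with max profit.
    Borrowed capital only helps up to the point where slippage on both pools
    eats the price gap, so the useful loan is bounded by pool depth, not by
    how much the lender holds."""
    best = (0.0, 0.0)
    for amount in candidates:
        try:
            profit = flash_arbitrage(copy.deepcopy(state), amount)
        except FlashLoanReverted:
            continue
        if profit > best[1]:
            best = (amount, profit)
    return best


def demo_state() -> State:
    # Constructed: ETH at 400 USDC on one pool and 420 on the other, a 5% gap.
    return State(lender_usdc=1_000_000,
                 cheap=Pool(eth=1_000, usdc=400_000),
                 rich=Pool(eth=1_000, usdc=420_000))


if __name__ == "__main__":
    s = demo_state()
    print("profit on 2,000 USDC loan:", round(flash_arbitrage(s, 2_000), 2))
    try:
        flash_arbitrage(demo_state(), 10_000)   # too big: slippage > price gap
    except FlashLoanReverted as e:
        print("10,000 USDC loan reverted:", e)
    print("best size:", best_loan_size(demo_state(), range(100, 10_001, 100)))
```

Running it, a 2,000 USDC loan clears roughly 65 USDC after fees, a 10,000 USDC loan reverts because moving a 400,000 USDC pool by that much costs more than the 5% gap, and the scan finds the sweet spot in the low thousands. That is the “large pile of cash” point from the other side: the lender’s balance is irrelevant, only the pools’ depth limits what borrowed capital can do.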

It’s definitely painful to be on the receiving end of a hack, but it’s also a known risk that should be managed. Sometimes it may just be bad luck, but that explanation should only be used when every possible mitigation strategy has been exhausted. I hope each protocol that gets hacked takes steps to ensure it never happens again. Otherwise, the hacks will continue until security improves, or until the protocol is dead.

DEXs fight over the crumbs left by Uniswap

Uniswap, at one point the largest protocol by total value locked with $3 billion, predictably lost more than half of it just as soon as it stopped printing UNI rewards for its Ether pools.

Most of that made its way to SushiSwap, which went from about $200 million to $1 billion in TVL. Cheekily, the project shifted its yield-farming incentives to the same pools used by Uniswap just one day before expiry.

Then Bancor stepped up by launching its own liquidity mining program, followed by Mooniswap today. The latter two seem to be having modest results, adding maybe $10 million each so far.

So we’re definitely seeing some pretty aggressive competition in that space, powered by a lot of token printing.

But my thesis from last week appears to be mostly correct — Uniswap doesn’t care. $1.3 billion with absolutely no subsidies is a pretty amazing result. It’s more than six times higher than before this whole yield-farming season started. Volume is also remaining stable.

Uniswap’s fortunes could, of course, change in the future as the market continues readjusting. Either way, I think this is both a good and bad sign for the future. On one hand, we’re seeing pretty clear long-term stickiness after yield farming — proving that it’s at least somewhat successful at generating organic interest.

On the other hand, we’re seeing that yield farming is somewhat successful, so it may remain a long-term staple of the DeFi world. The concept does have merits, but this summer showed that people often don’t understand what they’re getting into.

As a heads-up, any time a DeFi protocol’s token can be staked to receive more of the same tokens, that’s a very clear Ponzi-like dynamic. It’s a dangerous game to play, just ask people who bought SUSHI at $11. You could argue that Ethereum 2.0 staking is the same, apparently disproving my thesis. The difference is that the much saner yields avoid the huge boom-and-bust cycles typical of many DeFi “fair launches.”

Maker liquidators are ‘slacking off’

Another issue pointed out this week was the fact that Maker’s keepers, the agents responsible for liquidating undercollateralized vaults, turned out to be completely avoiding small ones. It appears that opening a vault for $100 is just so uninteresting to them that they will ignore it even if it falls below the safety threshold that would let them liquidate it.

It’s fairly easy to see why. Liquidators would get a discount of maybe 5%, so their theoretical profit is just $5, easily eaten by gas fees.

Opening thousands of small vaults is not that expensive and could result in a dangerous vulnerability for Maker. Rational keepers would never liquidate this debt, and if it were left to rot until the vault fell below the 100% collateralization threshold, the collateral would be worth less than the Dai drawn against it, so liquidating it would lose money even if gas were free.
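The keeper arithmetic in the two paragraphs above, worked through in Python as an added example; this is not Maker’s own code. The 5% discount and the $100 vault floor come from the text; the gas units, gas price and ETH price are assumptions chosen to be plausible for late 2020, not measured values, and the liquidation is simplified to “keeper repays the debt and receives collateral worth at most debt times (1 + discount)”.

```python
"""Why rational keepers skip dust-sized Maker vaults, and how that can be abused.

Added example for this column, not Maker's own code. The 5% discount is the
column's figure; the dust floor of 100 Dai follows the "$100 vault" in the text;
gas units, gas price and ETH price are assumptions, not measured values.
"""
import math
from dataclasses import dataclass
from typing import Optional

DISCOUNT = 0.05              # keeper's gross margin on seized collateral (from the text)
DUST_DAI = 100.0             # minimum vault debt (text: "$100")
LIQUIDATION_GAS = 500_000    # assumed gas for one liquidation
OPEN_VAULT_GAS = 300_000     # assumed gas to open a vault and draw Dai
GAS_PRICE_GWEI = 50.0        # assumed
ETH_USD = 450.0              # assumed


def gas_cost_usd(gas_units: int, gas_price_gwei: float = GAS_PRICE_GWEI,
                 eth_usd: float = ETH_USD) -> float:
    """Dollar cost of a transaction: gas * price (gwei -> ETH) * ETH price."""
    return gas_units * gas_price_gwei * 1e-9 * eth_usd


def keeper_profit(debt_dai: float, collateral_usd: float,
                  discount: float = DISCOUNT,
                  gas_usd: Optional[float] = None) -> float:
    """Net USD a keeper makes liquidating one vault.

    The keeper repays `debt_dai` and receives collateral worth
    min(collateral, debt * (1 + discount)). If the vault is underwater
    (collateral < debt) the result is negative even with free gas."""
    if gas_usd is None:
        gas_usd = gas_cost_usd(LIQUIDATION_GAS)
    seized = min(collateral_usd, debt_dai * (1 + discount))
    return seized - debt_dai - gas_usd


def min_profitable_debt(discount: float = DISCOUNT,
                        gas_usd: Optional[float] = None) -> float:
    """Smallest debt for which discount * debt covers the gas. Below this a
    rational keeper ignores the vault however undercollateralized it gets."""
    if gas_usd is None:
        gas_usd = gas_cost_usd(LIQUIDATION_GAS)
    return gas_usd / discount


@dataclass
class SplitPlan:
    vault_count: int
    debt_per_vault: float
    setup_cost_usd: float     # attacker's gas to open every vault


def split_to_dodge_keepers(total_debt_dai: float, dust: float = DUST_DAI,
                           margin: float = 0.9) -> Optional[SplitPlan]:
    """Split one position into vaults each too small to be worth liquidating
    yet large enough to pass the dust check.

    Returns None when the dust floor already sits above the keeper's
    break-even: then the split is impossible, which is exactly why raising
    `dust` (or subsidising small liquidations) closes the hole."""
    per_vault = min_profitable_debt() * margin
    if per_vault < dust:
        return None
    n = math.ceil(total_debt_dai / per_vault)
    return SplitPlan(n, per_vault, n * gas_cost_usd(OPEN_VAULT_GAS))


if __name__ == "__main__":
    print(f"one liquidation costs ${gas_cost_usd(LIQUIDATION_GAS):.2f} in gas")
    print(f"$100 vault, 150% collateralised: ${keeper_profit(100, 150):.2f}")
    print(f"$10,000 vault, 150% collateralised: ${keeper_profit(10_000, 15_000):.2f}")
    print(f"$100 vault at 90% collateral, free gas: ${keeper_profit(100, 90, gas_usd=0):.2f}")
    print(f"keeper break-even debt: {min_profitable_debt():.2f} Dai")
    print("splitting $1M of debt:", split_to_dodge_keepers(1_000_000))
    print("same split with a 300 Dai dust floor:", split_to_dodge_keepers(1_000_000, dust=300))
```

With these assumptions a liquidation costs about $11 in gas, so the $5 margin on a $100 vault is a $6 loss for the keeper, while a $10,000 vault nets several hundred dollars; the break-even is around 225 Dai of debt. Splitting $1 million of debt into vaults just under that size takes a few thousand vaults and on the order of tens of thousands of dollars in gas, which is the “not that expensive” part. Raising the dust floor above the keeper’s break-even makes the split impossible, which is the knob the functions expose.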

That would create unbacked Dai in a manner very similar to Black Thursday. I’m sure that in practice, some stakeholders would act altruistically to liquidate debt at a loss before it’s too late. Plus, the system is designed to be bailed out in these situations, as we’ve seen with the MKR auctions after the incident earlier in the year.

But this and the flash-loan vulnerability from a few weeks earlier signal that there is some trouble in paradise. For example, one of the reasons why the community refused to compensate victims of Black Thursday is that it was seen as a failure of the market, not the auction system.

That makes sense, but this latest discovery jolted the community to patch up the issue while waiting for a slight redesign of the auction system. That betrays a certain cognitive dissonance — they say the system “worked fine” earlier, and yet now it needs to be changed up due to a similar market failure.

Personally, I find Maker governance fascinating and unique among its peers. They’ve had to deal with some very tough choices this year that go well beyond tweaking arbitrary collateral parameters.

I don’t really agree with some of those choices. I definitely feel that the decision not to refund Black Thursday victims was short-sighted, though perhaps it was the product of mutual distrust given the class-action lawsuit hanging over their head.

But that is human nature, and I expect that DeFi governance will eventually go through many of the lessons that history has served us. Some people have high hopes for DeFi governance to reshape societies just because it’s “decentralized.” I hope that will be the case, but so far I’m just seeing your run-of-the-mill politics, complete with vested interests, propaganda and deflection.
