
Flash-loan attacks cause $34 million loss, but can they be stopped?

2020.11.01 Matthew Lam

OKEx Insights' DeFi Digest is a weekly examination of the decentralized finance industry.

The decentralized finance market saw a slight drop last week as the total value locked in DeFi products fell from $12.38 billion to $11.04 billion. 

Uniswap maintained its position as the market leader with a 24% market share of the total USD value locked. The decentralized exchange also had the largest liquidity pool and maintained its trading volume dominance of 65%. 

Driven by the $34 million hack of Harvest Finance, the trading volume of DEXs reached $3.4 billion on Oct. 26.

In the decentralized-lending sphere, Compound continued to lead, with a market share of 54%.

The total value locked in DeFi dropped while the weekly volume of DEXs exploded, following the Harvest Finance hack. Sources: DeFi Pulse and DeBank

Keep3r Network's KP3R token keeps DeFi hype alive

Despite the slight drop in total value locked, the hype in the DeFi market stayed alive following the launch of a new token by Andre Cronje. The yearn.finance founder announced KP3R, the token for his latest project, Keep3r Network, a decentralized marketplace for technical jobs.

As with his previous projects, such as eminence.finance, Cronje stressed that keep3r.network is still in its beta-testing stage. Market participants were nonetheless excited about Cronje's latest protocol, and KP3R skyrocketed from $25 to $350 on Uniswap within hours of launch.

Harvest Finance's $34 million flash-loan attack

On the other side of the DeFi sphere, security vulnerabilities in DeFi protocols remain a concern after Harvest Finance lost $34 million.

Harvest Finance is a yield-farming platform that provides APY tracking, strategy development and gas cost monitoring services for farmers. The protocol lost $34 million from flash-loan attacks on Oct. 26, and its total value locked plunged by more than 60%.

What is a flash loan?

A flash loan is a decentralized finance product introduced by the DeFi lending protocol Aave in January. It allows users to borrow funds without putting up any collateral, and no credit check is performed on the borrower.

Flash loans have gained popularity among arbitrageurs, who can use them in the following steps to reap quick profits:

  1. Take out the flash loan.
  2. Use the borrowed funds to buy tokens at a lower price on one DEX.
  3. Resell the same tokens at a higher price on another DEX.
  4. Repay the loan and interest.
  5. Keep the profit.

All of the above steps are executed within a single on-chain transaction. To do this, the arbitrageur must code every step into a smart contract in advance. If the borrower cannot repay the loan within that transaction, none of the steps take effect. (This follows from the atomicity of Ethereum transactions: if any step in the chain fails, the whole transaction reverts, the agreement coded in the smart contract is not fulfilled, and none of its steps are executed.)

What happened to Harvest Finance?

While flash loans provide a new source of profit in the decentralized finance sphere, malicious actors also attempt to use the borrowed funds to manipulate the DeFi market, in what are known as flash-loan attacks.

In the case of Harvest Finance, the hackers took a series of actions for arbitrage profit and manipulated the DeFi market along the way:

  1. The hackers first sourced 50 million USDC and 18.3 million USDT in flash loans from Uniswap.
  2. They then converted 17.222 million USDT into USDC via the Y pool, a liquidity pool on Curve Finance. The massive USDT-to-USDC conversion drove up the price of USDC, so the conversion yielded only 17.216 million USDC.
  3. They then deposited 49.97 million USDC into Harvest Finance's USDC vault and received 51.46 million fUSDC. Following the deposit, the vault's USDC price per share decreased by 1% (from 0.98 to 0.971). Because this change did not exceed the vault's 3% threshold, the transaction was executed rather than reverted.
  4. They converted all fUSDC back to USDC for a profit of 619K USDC, then repeated the same sequence several times to reap quick profits.
  5. The hackers transferred 13 million USDC and 11 million USDT to their own addresses. Then, they transferred 1.76 million USDC and 718K USDT back to the Harvest Finance team.

According to the Harvest Finance team, the share prices of the USDC vault and the USDT vault dropped 13.8% and 13.7%, respectively, for a combined loss of $34 million. The team stressed that the attackers exploited the effect of impermanent loss in Curve's Y pool: they deposited funds into Harvest Finance's vault at a favorable share price and exited the vault at the regular share price to capture the difference. To cover users' losses, the Harvest Finance team distributed the returned funds to the victims and launched a $100K bounty for anyone who could help return the funds.

Meanwhile, Uniswap reached an all-time-high trading volume of $2.19 billion, and Curve also surpassed $2 billion in trading volume. This is likely because the Harvest Finance attackers used these automated market makers to move their funds.

The daily volume on Uniswap reached an all-time high following the Harvest Finance hack. Source: Uniswap

Can flash-loan attacks be stopped?

The Harvest Finance team identified a few possible ways to prevent flash-loan attacks. The first is a commit-and-reveal mechanism for deposits, which would make flash-loan attacks infeasible by disallowing a deposit and a withdrawal within the same transaction. For users, this means deposits and withdrawals are recorded in separate transactions, at the cost of slightly higher gas fees. The team also plans to lower the threshold of the deposit arbitrage check, making it stricter and raising the economic cost of launching a flash-loan attack.

To improve price discovery, some DeFi protocols use external price oracles such as Chainlink or Maker. However, if the price of an asset inside the protocol diverges from the oracle price, the asset vault can still be exposed to arbitrage and flash-loan attacks. The Harvest Finance team believes blockchain oracles are not a solution in its case because of the system's design.
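As an added illustration (not code from the article, Harvest Finance or Curve), the following toy Python model of a share-price vault implements the two checks discussed above: the deposit deviation threshold and a guard against a deposit and withdrawal landing in one transaction. The vault accounting, the account and transaction identifiers and the 0.5% tighter threshold are constructed assumptions; the 0.98 to 0.971 price move and the 3% threshold are the article's figures.

```python
from dataclasses import dataclass, field


class Reverted(Exception):
    """A failed safety check; on-chain, the whole transaction would revert."""


@dataclass
class Vault:
    """Toy share vault (constructed for this example; not Harvest Finance's contract).
    Shares are minted at the pool-derived spot price, so a depressed price mints more shares."""
    reference_price: float      # last trusted USDC-per-share price (0.98 in the article)
    deviation_limit: float      # max |spot - reference| / reference accepted on deposit
    same_tx_guard: bool = True  # forbid deposit and withdrawal within one transaction
    shares: dict = field(default_factory=dict)      # account -> share balance
    deposit_tx: dict = field(default_factory=dict)  # account -> tx id of its last deposit

    def deposit(self, account, amount, spot_price, tx):
        deviation = abs(spot_price - self.reference_price) / self.reference_price
        if deviation > self.deviation_limit:
            raise Reverted(f"deviation {deviation:.2%} exceeds {self.deviation_limit:.2%}")
        self.shares[account] = self.shares.get(account, 0.0) + amount / spot_price
        self.deposit_tx[account] = tx

    def withdraw(self, account, spot_price, tx):
        if self.same_tx_guard and self.deposit_tx.get(account) == tx:
            raise Reverted("deposit and withdrawal in the same transaction")
        return self.shares.pop(account, 0.0) * spot_price


def round_trip(vault, amount, depressed, normal, tx_in, tx_out):
    """Deposit at the depressed price, withdraw at the recovered price.
    Returns the net gain, or a 'reverted: ...' string if a check fires."""
    try:
        vault.deposit("acct", amount, depressed, tx_in)
        return vault.withdraw("acct", normal, tx_out) - amount
    except Reverted as exc:
        return f"reverted: {exc}"


def demo():
    # Article's figures: share price 0.98 -> 0.971 (about 0.9% move) against a 3% threshold.
    loose = Vault(0.98, 0.03, same_tx_guard=False)   # 3% threshold, no same-tx guard
    tight = Vault(0.98, 0.005, same_tx_guard=False)  # 0.5% threshold is a constructed value
    guard = Vault(0.98, 0.03, same_tx_guard=True)    # commit-and-reveal style guard
    args = (1_000_000.0, 0.971, 0.98)
    return {"loose": round_trip(loose, *args, tx_in=1, tx_out=1),   # gain of about 9.3K
            "tight": round_trip(tight, *args, tx_in=1, tx_out=1),   # deposit reverts
            "guard": round_trip(guard, *args, tx_in=1, tx_out=1)}   # withdrawal reverts
```

With the loose configuration the round trip extracts value from existing depositors; the tighter threshold rejects the deposit, and the same-transaction guard rejects the withdrawal, which in an actual flash-loan transaction would leave the loan unrepaid and revert the whole sequence.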


Disclaimer: This material should not be taken as the basis for making investment decisions, nor be construed as a recommendation to engage in investment transactions. Trading digital assets involves significant risk and can result in the loss of your invested capital. You should ensure that you fully understand the risk involved and take into consideration your level of experience, investment objectives and seek independent financial advice if necessary.


OKEx Insights presents market analyses, in-depth features, original research & curated news from crypto professionals.
