Coinbase concerns rock crypto market, seized PlusToken coins worth billions
ValueDeFi flash-loan attack exposes critical lack of due diligence in DeFi
OKEx Insights' DeFi Digest is a weekly examination of the decentralized finance industry.
DeFi market snapshot
The decentralized finance market maintained its bullish momentum this week as the total value locked in DeFi products rose slightly from $13.65 billion to $13.80 billion.
The decentralized lending market grew by 8% this week as the total borrowing volume reached $3.09 billion. Benefiting from the growth, Maker replaced Uniswap as the overall DeFi leader, with a 17% market dominance level. Compound, meanwhile, maintained its market dominance in the lending sphere, with a 55% share.
The weekly average trading volume of decentralized exchanges rose by 20% and reached $0.53 billion this week. While Uniswap maintained its trading volume dominance of 37%, its position as having the largest liquidity pool was replaced by its primary competitor, SushiSwap.
Flash-loan attacks proving problematic for DeFi
Flash-loan attacks have become a headache for the DeFi community as yield aggregator ValueDeFi became the fifth victim in only three weeks. Following the $34 million loss from Harvest Finance, there have been flash-loan exploits of Akropolis, Origin Protocol and Cheese Bank, with a loss of $2 million, $7 million and $3.3 million, respectively.
ValueDeFi suffered from a $6 million flash-loan exploit on Nov. 14. According to Emiliano Bonassi, a self-described white-hat hacker, the flash-loan exploit on the ValueDeFi protocol was more complex than previous attacks, as two flash loans were used. Hackers took out a flash loan of 80,000 ETH — worth over $36 million — and a $116 million flash loan in DAI from Uniswap to exploit the ValueDeFi protocol, resulting in a net loss of $6 million.
The detailed steps for the attack were illustrated on Bonassi's Twitter account:
According to an analysis conducted by audit firm PeckShield, the root cause of the ValueDeFi protocol exploit was a bug in its "MultiStablesVaults," which uses Curve to measure the asset price. Because of the bug, hackers were able to use flash loans to manipulate the price of 3crv tokens. After that, they could burn the minted tokens from the pool to redeem a disproportionate share of 33.08 million 3crv tokens, instead of the normal 24.95 million. Hackers then redeemed the 3crv tokens for DAI, which led to a $7.4 million loss in DAI. (The hackers did, however, returne $2 million to the core developers of ValueDeFi.)
Remedial actions by ValueDeFi
The ValueDeFi team published a post-mortem analysis that outlines immediate remedies and medium-term plans to prevent such flash-loan attacks.
As a first step, deposits in the MultiStables vault have been halted. To calculate the exact amount of compensation, the team has taken snapshots of every user's balance before the attack. The team also plans to release a second version of the MultiStables vault. Prior to the release, the second vault will be audited by public auditors and public Solidity developers.
Compared to the first version of the vault, the second version uses Chainlink price feeds to enhance data quality, provide oracle security and supply accurate asset prices. The use of price oracles reduces exposure to temporary flash-loan-induced price distortions when the ValueDeFi protocol extracts data from Curve's on-chain liquidity pools or other on-chain-generated price feeds. Additionally, since Chainlink price feeds are not updated simultaneously over multiple transactions, flash loans have no ability to manipulate the price — since they only exist within a single transaction.
The team will create a compensation fund based on developer funds, an insurance fund and a portion of the fees collected by the protocol. To compensate users for the lack of access to their capital, the team has created IOU tokens to represent the funds that have not been returned to users. The IOU tokens have built-in inflation that will automatically accrue 10% annual percentage yield every week.
The team has also continued to seek a resolution with the hackers. For instance, it proposed a 1 million DAI distribution as a bounty and requested that hackers return the remaining funds to affected users. Hackers have not yet responded to this request.
The recent flash-loan exploits on DeFi protocols once again exposed a lack of understanding in DeFi mechanics among some market participants. In the ValueDeFi protocol exploit, a self-described nurse and a self-described 19-year-old student lost $100,000 and $200,000, respectively. While hackers returned 50,000 DAI and 45,000 DAI to the nurse and student, respectively, they warned users about the risks associated with their lack of knowledge and caution.
The aforementioned examples illustrate how some DeFi participants only consider the current returns from yield-farming protocols without acknowledging the risks inherent to smart contracts. Even the ValueDeFi team reiterated that there is always an element of risk involved when investing in DeFi protocols.
With the deployment of new DeFi protocols becoming increasingly complex, the risks of investing into these protocols is likely to only increase.
OKEx Insights presents market analyses, in-depth features, original research & curated news from crypto professionals.