DeFi exploits cannot be blamed on flash loans, industry leaders say


Nine months ago, in a Denver convention center, a booth was empty.

Littered with emblematic stickers, the table was supposed to hold the physical representatives of the decentralized finance (DeFi) protocol bZx. It remained empty, however, as the team struggled to make sense of the digital forces that were warping their young project.

bZx, as they would find out, was 2020's flash loan "patient zero."

AFTER THE HACK: The bZx DeFi protocol's booth sits empty at ETHDenver. (CoinDesk Archives)

Flash loans remain the common thread in all of these recent attacks. These DeFi-native tools let a sophisticated user take out an uncollateralized loan, on the condition that it is repaid within the same transaction, and use it to build leverage behind a position. For example, the Origin Protocol attacker on Monday took a loan of 70,000 ETH from the decentralized derivatives platform dYdX, which let the attacker increase the amount of loot extracted from the project.

However, while they may be the thread that connects these exploits, flash loans are not the cause in and of themselves, industry leaders told CoinDesk.

Oracle manipulation and flash loans

It may not be fair to call the recent DeFi exploits "flash loan attacks," Chainlink co-founder Sergey Nazarov told CoinDesk in an email.

Nazarov said flash loans are, at their core, just lump sums of capital thrown at profitable positions. The real problem lies in poorly constructed DeFi projects.

“While many are trying to frame this trend as the result of flash loans, most of these exploits could have been committed by any well-capitalized actor. All a flash loan does is temporarily turn anyone into a well-capitalized actor,” Nazarov said.

Read more: Everything you ever wanted to know about the “Flash Loan” DeFi attack

DeFi projects are smart contracts deployed on the Ethereum blockchain. They require external information, especially pricing data, to perform the actions built into each contract.

That pricing information is prone to distortion partly because of the way the Ethereum blockchain batches transactions into blocks, roughly every 15 seconds. Prices can move within those 15 seconds, so smart contracts can end up acting on stale data.

Additionally, many DeFi applications rely on internal price oracles derived from token reserves, centralized price feeds or other ad hoc solutions. Harvest Finance, for example, leaned on another DeFi project, Curve Finance, to price its token pools.

In cases like Harvest Finance, interoperability became a dangerous dependency. A $50 million flash loan temporarily pushed asset prices away from their market value, creating an arbitrage opportunity. A project with a more robust pricing system would not have fallen prey to the exploit, the theory goes.
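The mechanics described above, as an added simulation that is not code from the article or from any of the projects it names (bZx, Harvest, Curve, dYdX are not modelled; the pool, lender, balances and prices below are constructed for the illustration). It shows two things at once: a flash loan is an uncollateralized loan that reverts the whole transaction unless it is repaid before the transaction ends, and a lender that values collateral off a pool's instantaneous reserve ratio can be made to lend against an inflated price inside that same transaction. The same attack against an oracle whose price cannot move within the transaction (a feed or lagged price, assumed here to be a fixed value) reverts and leaves no trace.

```python
"""Flash-loan-funded oracle manipulation, simulated in plain Python (added example)."""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict


class Revert(Exception):
    """Aborts the simulated transaction; every state change inside it is discarded."""


@dataclass
class Pool:
    """Toy constant-product (x*y=k) ETH/USD pool. Reserves are constructed numbers."""
    eth: float
    usd: float

    def spot_price(self) -> float:
        """USD per ETH read straight from the reserves: what a naive on-chain oracle uses."""
        return self.usd / self.eth

    def swap_usd_for_eth(self, usd_in: float) -> float:
        k = self.eth * self.usd
        self.usd += usd_in
        eth_out = self.eth - k / self.usd
        self.eth -= eth_out
        return eth_out

    def swap_eth_for_usd(self, eth_in: float) -> float:
        k = self.eth * self.usd
        self.eth += eth_in
        usd_out = self.usd - k / self.eth
        self.usd -= usd_out
        return usd_out


@dataclass
class Lender:
    """Toy collateralized lender: lends USD against ETH at a 75% loan-to-value ratio."""
    treasury_usd: float
    price_oracle: Callable[[], float]
    collateral_eth: Dict[str, float] = field(default_factory=dict)
    debt_usd: Dict[str, float] = field(default_factory=dict)
    LTV: float = 0.75

    def deposit(self, who: str, eth: float) -> None:
        self.collateral_eth[who] = self.collateral_eth.get(who, 0.0) + eth

    def borrow(self, who: str, usd: float) -> None:
        limit = self.collateral_eth.get(who, 0.0) * self.price_oracle() * self.LTV
        if self.debt_usd.get(who, 0.0) + usd > limit:
            raise Revert("insufficient collateral at oracle price")
        if usd > self.treasury_usd:
            raise Revert("treasury exhausted")
        self.treasury_usd -= usd
        self.debt_usd[who] = self.debt_usd.get(who, 0.0) + usd

    def bad_debt(self, fair_price: float) -> float:
        """Debt not covered by collateral once valued at the unmanipulated price."""
        return sum(max(0.0, d - self.collateral_eth[w] * fair_price) for w, d in self.debt_usd.items())


@dataclass
class FlashLender:
    """Lends USD with no collateral; the callback must hand it all back before returning."""
    usd: float

    def flash_loan(self, amount: float, callback: Callable[[float], float]) -> None:
        if amount > self.usd:
            raise Revert("flash lender lacks liquidity")
        self.usd -= amount
        repaid = callback(amount)
        if repaid < amount:
            raise Revert("flash loan not repaid within the transaction")
        self.usd += repaid


def run_transaction(world: dict, fn: Callable[[dict], None]) -> tuple:
    """All-or-nothing execution: on Revert the pre-transaction snapshot is restored."""
    snapshot = copy.deepcopy(world)
    try:
        fn(world)
        return True, world
    except Revert:
        return False, snapshot


def attack(world: dict, loan_usd: float, borrow_usd: float) -> None:
    pool, lender, flash, attacker = world["pool"], world["lender"], world["flash"], world["attacker"]

    def callback(loan: float) -> float:
        eth_bought = pool.swap_usd_for_eth(loan)        # 1. pump the pool's spot price
        lender.borrow("attacker", borrow_usd)           # 2. borrow against the inflated valuation
        attacker["usd"] += borrow_usd
        attacker["usd"] += pool.swap_eth_for_usd(eth_bought)  # 3. unwind; price returns to fair
        attacker["usd"] -= loan                         # 4. repay the flash loan
        return loan

    flash.flash_loan(loan_usd, callback)


def simulate(oracle_kind: str) -> dict:
    """oracle_kind: 'spot' (reserve ratio) or 'lagged' (price fixed for the whole transaction)."""
    fair_price = 400.0
    pool = Pool(eth=1000.0, usd=400_000.0)              # spot = 400 USD/ETH
    oracle = pool.spot_price if oracle_kind == "spot" else (lambda: fair_price)
    lender = Lender(treasury_usd=100_000.0, price_oracle=oracle)
    lender.deposit("attacker", 10.0)                    # honestly worth 4,000 USD -> 3,000 USD borrow limit
    world = {"pool": pool, "lender": lender, "flash": FlashLender(usd=400_000.0), "attacker": {"usd": 0.0}}
    ok, world = run_transaction(world, lambda w: attack(w, loan_usd=400_000.0, borrow_usd=12_000.0))
    return {
        "reverted": not ok,
        "attacker_usd": world["attacker"]["usd"],        # attacker walks away from the 10 ETH collateral
        "lender_bad_debt_usd": world["lender"].bad_debt(fair_price),
        "spot_after": world["pool"].spot_price(),        # restored either way: nothing in the block shows it
        "flash_lender_usd": world["flash"].usd,
    }
```

With the spot oracle, buying ETH with the 400,000 USD loan moves the pool price from 400 to 1,600, so 10 ETH of collateral supports a 12,000 USD loan; the attacker unwinds, repays, keeps 12,000 USD and abandons collateral worth 4,000 USD, leaving the lender 8,000 USD of bad debt while the pool's price and the flash lender's balance end exactly where they started. With the lagged oracle the same borrow exceeds the 3,000 USD limit, the transaction reverts, and the attacker pays nothing for the attempt, which is why a feed that cannot be moved inside one transaction (rather than the absence of flash loans) is the control.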

Are audits sufficient?

Another point developers are raising is that code audits alone don't make a DeFi project secure.

Speaking to CoinDesk via WhatsApp, Quantstamp CEO Richard Ma said developers need to understand the markets themselves, perhaps more than the code they deploy on the Ethereum blockchain. Quantstamp has audited or advised several major DeFi projects, including Curve Finance, MakerDAO and SushiSwap.

“Understanding the products and business logic is much more time-consuming and important than just a code review,” said Ma.

Indeed, Akropolis had been audited twice, by two separate firms, but still suffered a re-entrancy attack.

This type of attack occurs when a contract makes an external call, such as sending tokens to the caller, before it has updated its own state, including the balance it records for that caller. The called contract can then call back into the same function while the stale balance is still on record, withdrawing again before the first withdrawal has been booked, and so move more coins than the attacker is owed. It's not unlike a bank teller who keeps paying out on the same account because the ledger has not yet been updated.
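The re-entrancy pattern above, as an added simulation in plain Python rather than code from the article or from Akropolis (nothing about that project's contracts is modelled; the vault, wallets and balances are constructed). The vulnerable vault sends funds before zeroing the caller's balance, so the recipient's receive hook can call `withdraw` again while the old balance is still recorded; the hardened vault applies the usual fixes, updating state before the external call and refusing nested calls via a mutex, and the attacker's re-entry attempt fails.

```python
"""Re-entrancy against a toy vault, vulnerable vs hardened (added example)."""


class Revert(Exception):
    """Simulates a failed contract call."""


class Vault:
    """Holds ETH on behalf of depositors and pays it out on withdraw()."""

    def __init__(self, safe: bool) -> None:
        self.safe = safe
        self.eth = 0.0                 # total ETH actually held by the vault
        self.balances = {}             # what the vault *records* for each depositor
        self._locked = False           # mutex used only by the hardened path

    def deposit(self, who, amount: float) -> None:
        self.balances[who] = self.balances.get(who, 0.0) + amount
        self.eth += amount

    def withdraw(self, who) -> None:
        amount = self.balances.get(who, 0.0)
        if amount == 0.0:
            raise Revert("nothing to withdraw")
        if self.safe:
            # Hardened: re-entrancy guard plus checks-effects-interactions ordering.
            if self._locked:
                raise Revert("re-entrant call rejected")
            self._locked = True
            self.balances[who] = 0.0   # effect recorded BEFORE the external call
            self._send(who, amount)
            self._locked = False
        else:
            # Vulnerable: external call happens while the recorded balance is still stale.
            self._send(who, amount)
            self.balances[who] = 0.0   # too late: the callee already re-entered

    def _send(self, who, amount: float) -> None:
        if amount > self.eth:
            raise Revert("vault has insufficient funds")
        self.eth -= amount
        who.receive(self, amount)      # the external call that hands control to the recipient


class Wallet:
    """Honest depositor: just accepts payments."""

    def __init__(self) -> None:
        self.eth = 0.0

    def receive(self, vault: Vault, amount: float) -> None:
        self.eth += amount


class Attacker:
    """Malicious recipient: re-enters withdraw() from inside its receive hook."""

    def __init__(self) -> None:
        self.eth = 0.0
        self.reentry_attempts = 0

    def receive(self, vault: Vault, amount: float) -> None:
        self.eth += amount
        if vault.eth >= amount:        # keep draining while the vault can still pay
            self.reentry_attempts += 1
            try:
                vault.withdraw(self)
            except Revert:
                pass                   # a contract can swallow a failed inner call and carry on


def run_drain(safe: bool) -> dict:
    """Honest user deposits 9 ETH, attacker deposits 1 ETH, attacker calls withdraw once."""
    vault = Vault(safe=safe)
    honest, attacker = Wallet(), Attacker()
    vault.deposit(honest, 9.0)
    vault.deposit(attacker, 1.0)
    vault.withdraw(attacker)
    return {
        "attacker_eth": attacker.eth,
        "vault_eth": vault.eth,
        "reentry_attempts": attacker.reentry_attempts,
        "honest_balance_on_record": vault.balances[honest],
    }
```

In the vulnerable run the attacker's single deposit of 1 ETH is withdrawn ten times (one call plus nine re-entries) and the vault is emptied even though the honest user's 9 ETH is still on record; in the hardened run the one re-entry attempt is rejected and the attacker leaves with exactly the 1 ETH they deposited. The key check when reading a contract is whether any state the function depends on is written after an external call.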

Read more: Harvest Finance: $24M attack triggers $570M “bank run” in latest DeFi exploit

Combining redundant audits with insurance is a step at least one major cryptocurrency investment firm is now urging.

“We are recommending that our portfolio companies get more audits from more than one supplier,” Paul Veradittakit, partner of venture capital firm Pantera, said in an email. “We also believe that projects and investors may want to buy insurance to protect themselves.”

It’s also noteworthy that none of the major DeFi projects have suffered oracle attacks spurred by flash loans, dYdX founder Antonio Juliano said in a message to CoinDesk. Many of the flash loans used in these attacks originated on dYdX, which offers the product without fees.

He said that “there is a great divide between well-designed projects and others,” a division that flash loans expose in real time.

“Just as you wouldn’t blame Ethereum for an implementation detail of the chain being used in an attack, the way flash loans are used in exploits is the fault of the developers building insecure applications, not the flash loans themselves,” Juliano said.
