Everything You Ever Wanted to Know About the DeFi ‘Flash Loan’ Attack
(Source: coindesk.com)


Feb 19, 2020 at 22:50 UTC
Updated Feb 20, 2020 at 00:14 UTC

As the name implies, flash loans are paid back quickly – in the same transaction in which they are taken out. (Image via NASA)

There’s now a case study for how DeFi can go awry.

bZx, the eighth-largest decentralized finance project according to DeFi Pulse, suffered two attacks last weekend following the introduction of “flash loans,” a new DeFi feature that limits a trader’s risk while improving the upside.

Led by CEO Tom Bean, the bZx team was attending ETHDenver, a major ethereum conference in Colorado’s capital, on Friday when an unknown attacker drained about $350,000 worth of ether from Fulcrum, the startup’s lending platform. As a post-mortem from the firm describes, the attacker took advantage of pricing data and a bug within the bZx protocol’s code to secure the payout.

bZx quickly shut down Fulcrum using a decidedly non-decentralized master key. Users and analysts saw an update hit GitHub, the code repository, that supposedly locked down endangered funds.

Trading resumed over the weekend with the firm announcing its intention to contain the damage in a variety of ways, including liquidating collateral to pay a now-uncovered loan, building an insurance fund and spreading losses across platform users. Despite the shocking incident, traders who had deposited money on bZx will barely feel the effects of the attack.

(Image: bZx’s code patch for the first attack, according to blockchain security firm Peckshield)

But that wasn’t the end of it. On Tuesday, Feb. 18, attackers hit bZx again, netting $633,000.

While the amounts of money lost are still relatively small for the world of cryptocurrency, the attacks demonstrate DeFi’s move into the big leagues and the attention it will now receive from manipulators and thieves.

If all this has been making your head spin, you’re in good company. Blockchain technology was complicated and abstract enough before people started building lending and trading services on top of it. For the perplexed, CoinDesk offers the following explainer of the bZx hack and its broader lessons.

The new frontier

As the name implies, DeFi, or decentralized finance, aspires to one day offer a democratized alternative to the legacy financial system, where individuals can obtain credit on a peer-to-peer basis without relying on banks or other middlemen. For now, though, it’s a playground for traders – and a rough one at that.

Since the participants don’t know each other, DeFi lending is all based on collateral. Digital assets such as bitcoin and ether (the native cryptocurrency of the ethereum network) are notoriously volatile. To deal with this, DeFi lending applications such as MakerDAO let you borrow only 75 percent of your available collateral.

If the price of your asset begins to drop against the market, the smart contract underpinning the DeFi application will sell your asset at a certain spot price in order to protect the parties who loaned you money against your asset. Think of a pawnbroker who will only advance you $225 for an electric guitar worth $300.

The DeFi ecosystem also includes decentralized exchanges (DEX), where traders swap crypto assets without a central authority’s permission, their orders executed algorithmically on the ethereum blockchain. Trading on-chain limits the range of assets involved to those that run on ethereum (native currency ether and various flavors of ERC tokens). But it allows sophisticated users to do some interesting tricks, as we’ll see shortly.

For a DeFi credit market to run properly, lenders must know the value of the collateral, so they need pricing information. This is data often gathered from crypto exchanges. In bZx’s case, the source was Kyber, a DEX.

The trouble is, crypto exchanges’ price information is all over the place. Take as a loose example the spot-value differences between the top five exchanges by 24-hour volume for the most liquid digital asset, bitcoin:

(Image: Sample of bitcoin prices between top five exchanges by 24-hour volume level. Image via Messari)

Spot prices are often very different from one another because no single venue owns a crypto trade pairing product, said Sergey Nazarov, CEO of Chainlink, a crypto price data firm. Unlike in the traditional markets, where trading of, say, Apple shares happens only on Nasdaq, in crypto, most anyone with the technical knowhow can spin up an exchange on their laptop – in fact, that’s how the first exchanges started.

Aggregating prices across such a fragmented market is a Herculean task, Nazarov said.

As in other financial markets, the wide discrepancy in prices also creates opportunities for traders to make money. Enter flash loans.

Too much information?

For ...