DeFi Suffers $360K Exploit. Is Decentralized Finance Really Decentralized?

Updated 18th Feb 2020: details of the attack transaction have now been fully reported by the bZx team.

On Saturday 15th February an “attacker” exploited a complex system of DeFi primitives to take roughly $360,000 in profit in a single Ethereum transaction.

The transaction took advantage of the current lack of liquidity in decentralized exchanges by borrowing and dumping on the market before paying back the loan. The following steps were taken inside a single Ethereum transaction:

  1. A flash loan from dYdX for 10,000 ETH was opened.
  2. 5500 ETH was sent to Compound to collateralize a loan of 112 wBTC.
  3. 1300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETHBTC ratio.
  4. 5637 ETH was borrowed and swapped to 51 WBTC through Kyber’s Uniswap reserve, causing large slippage.
  5. The attacker swapped the 112 wBTC borrowed from Compound to 6871 ETH on Uniswap, resulting in a profit.
  6. The flash loan of 10,000 ETH from dYdX was paid back from the proceeds.

The total cost for the above transaction came to 0.031 ETH ($8.71 at the time). Here’s what it looked like.
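To illustrate why thin liquidity matters here, this added example (not from the article or from any of the protocols it names) models a constant-product pool with constructed reserves, measures how far a single large sell moves the pool's quoted price, and shows the kind of deviation check a lending or margin protocol could run before trusting a DEX spot price. The reserves, the reference price and the 5% threshold are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal constant-product AMM (x * y = k), the model behind Uniswap v1 pools."""
    eth: float   # ETH reserve
    wbtc: float  # WBTC reserve

    def spot_price(self) -> float:
        """Marginal price in ETH per WBTC, as a naive on-chain oracle would read it."""
        return self.eth / self.wbtc

    def swap_eth_for_wbtc(self, eth_in: float, fee: float = 0.003) -> float:
        """Sell eth_in into the pool and return the WBTC received; moves the spot price.
        Default fee is Uniswap's 0.3% liquidity-provider fee."""
        k = self.eth * self.wbtc
        new_eth = self.eth + eth_in * (1.0 - fee)
        new_wbtc = k / new_eth
        wbtc_out = self.wbtc - new_wbtc
        self.eth += eth_in            # the fee stays in the pool
        self.wbtc = new_wbtc
        return wbtc_out


def price_deviation(pool_price: float, reference_price: float) -> float:
    """Relative distance of the pool's spot price from an independent reference."""
    return abs(pool_price - reference_price) / reference_price


def spot_price_trusted(pool_price: float, reference_price: float,
                       max_deviation: float = 0.05) -> bool:
    """Sanity check before acting on a DEX quote: reject the spot price when it has
    drifted too far from a reference such as a time-weighted average or an aggregated
    feed. The 5% threshold is a constructed value, not any protocol's setting."""
    return price_deviation(pool_price, reference_price) <= max_deviation


def dump_and_measure(eth_reserve: float, wbtc_reserve: float, eth_sold: float,
                     reference_price: float) -> dict:
    """Sell eth_sold into a fresh pool and report how far the quoted price moved.
    Fee is set to zero so the numbers stay exact."""
    pool = ConstantProductPool(eth_reserve, wbtc_reserve)
    before = pool.spot_price()
    received = pool.swap_eth_for_wbtc(eth_sold, fee=0.0)
    after = pool.spot_price()
    return {"price_before": before, "price_after": after, "wbtc_received": received,
            "deviation": price_deviation(after, reference_price),
            "trusted": spot_price_trusted(after, reference_price)}


if __name__ == "__main__":
    # Constructed reserves: a thin pool and a deep pool, both quoting 100 ETH per WBTC.
    for name, reserves in (("thin", (1_000.0, 10.0)), ("deep", (100_000.0, 1_000.0))):
        print(name, dump_and_measure(*reserves, eth_sold=1_000.0, reference_price=100.0))
```

The same 1,000 ETH sell quadruples the thin pool's quote (and fails the check) while moving the deep pool's quote by about 2%, which is the liquidity gap the transaction relied on.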

A full report is being put together by bZx (Fulcrum) which will likely be released this week.

Following the attack, 30,000 ETH was promptly deleveraged on the Maker protocol, rightly anticipating a significant dip in the price of ETH just moments later, from $281.07 to $262.90. A sharp decline in the price of Bitcoin and other cryptocurrencies then followed.

While the attack resulted in a relatively small profit (when compared to The DAO or crypto exchange hacks that reach into the tens of millions), its impact can be seen in two opposing lights.

The first, and most obvious, response to this attack was that it highlights a major vulnerability in Ethereum and DeFi. This is also how many media outlets (both inside and outside crypto) chose to report the story, with many referring to it as a DeFi “hack”.

The term “hack” brings with it a number of connotations. Anyone not looking closely will leave with a sense that DeFi and/or Ethereum must have an inherent vulnerability in its code. What really happened, however, was the manipulation and execution of a complex arbitrage opportunity, the type that would be inevitable in any market whose parameters allowed it.

Illegal? Maybe. A hack? No.

So instead of this incident being seen through the lens of a malicious hack or vulnerable/unsafe code, it can equally be seen as the software doing exactly as intended in what is currently an unregulated environment.

This form of arbitrage has no bearing on the security of say, deposits in the Dai Savings Rate or a loan on and it largely amounts to an expensive bug bounty that appears to have been paid for by users on the other side of the sETH/wBTC market – it is yet to be seen whether these users will be made whole and whether those who took out smart contract insurance with Nexus Mutual will be able to make a claim (although it’s looking unlikely).

This latest exploit is certainly no boon for the market, yet it does raise important questions about liquidity in this space and how such an exploit can be mitigated in the future.

How Decentralized is DeFi?

Shortly after the exploit took place, bZx (Fulcrum) took to Twitter to state that “borrowing and trading has been paused on the system”.

How can Ethereum advocates talk about Decentralized Finance with a straight face when many of these protocols can be stopped, started or even destroyed by a handful of people?

Decentralization is a spectrum. A core principle of Ethereum’s base layer is to be “maximally decentralized”, from the programming languages behind each of the many clients (including ETH 2.0) through to the validation and verification of blocks. However, applications written on top of this maximally decentralized base layer inherit the property in myriad ways, and some opt for more centrality than others.

Ethereum opponents will use this as a key argument against the protocol. Founder of Litecoin and crypto “thought leader”, Charlie Lee, took to Twitter to criticize DeFi for just this reason.

While there is some truth to Charlie’s comments, they demonstrate a fundamental misunderstanding of the space, one that is shared by many outside of Ethereum. No Ethereum developer has ever claimed that these systems are fully decentralized, yet there is – by all accounts – an active effort to further decentralize these networks over time. Augur’s removal of its “escape hatch” functionality in July 2018 is one such example.

Even government officials understand this problem better than Ethereum skeptics such as Lee. The Block reported that “SEC commissioner Hester Peirce put a rule proposal on the table at the close of last week that would give growing decentralized networks a three-year grace period before their respective token is put to the test of U.S. securities law.”

This understanding is critical. Ethereum is not a panacea; it will face complex exploits more frequently than we would like, but the underlying technology remains secure. It is now up to developers to learn from these mistakes and mitigate them in the future while they work towards becoming maximally decentralized.

Speaking of Ethereum developers, here’s a glimpse of the thousands of programmers, designers and entrepreneurs who attended ETH Denver last week.

