October 14th, 2020
Decentralized finance (DeFi) is the use of decentralized ledgers (like Ethereum) for financial transactions. A major part of the DeFi space is trading, where traders take advantage of fluctuations in market prices and exchange rates to make a profit.
Understanding the potential for profit in the DeFi space (and how some traders are “hacking” it) requires a bit of background knowledge:
Putting all of these different factors together, a DeFi “hacker” can make large guaranteed profits within a single transaction on the blockchain.
One example of the impact of DeFi hacking is the first hack against the bZx exchange. This hack enabled the attacker to make a profit of about $355,880 in Ether by the end of the transaction.
The image above shows the flow of events that enabled the attacker to make this profit:
In the end, the attacker has a net profit of 1,271 ETH (71 from step 5 and 1200 from step 6), worth about $355,880. The entire operation was made possible by a bug in the bZx code (since fixed) that failed to check for slippage before making the purchase (in 3a) from Kyberswap.
Whether or not the bZx attacker “hacked the system” isn’t really a question. The attacker took advantage of the flaw in the code to use bZx’s resources to dramatically change the wBTC/ETH exchange rate on Kyberswap. This allowed the attacker to cash out their wBTC at the expense of bZx.
However, the attacker accomplished this by doing exactly what they were supposed to do under the “rules” of DeFi. Tools like Furucombo are designed to help traders to build transactions like this to make a profit. The bZx hacker only “cheated” by taking advantage of a flaw in bZx Fulcrum’s code to have a much bigger payoff than expected.
This vulnerability could have been identified by an in-depth security audit and penetration test of bZx. But was the attacker wrong to take advantage of it and play the DeFi game “too well”?