Down the Rabbit Hole: DeFi Attacks

In this session of down the rabbit hole I asked myself a question that you didn't ask on the livestream. And I then answer it. Give us an example of a couple of types of attacks and problems that can happen in DeFi or that have happened recently. So I'm going to give you three different examples of decentralized finance where things went horribly wrong And then sometimes got fixed and sometimes didn't the first one of course is the one that started it all. The DAO. The DAO was introduced shortly after Ethereum's birth as a mechanism for a crowd based venture capital fund where people could vote proposals that would then get funded. The DAO, in in its very beginning, accumulated a very large amount of funds. Then a bug that was undiscovered in the DAO code, specifically a re-entrancy bug that allowed someone to call … the withdrawal function in the contract from within the withdrawal function of the contract. [That bug] allowed someone to drain almost three hundred million dollars (if I remember correctly) from the DAO or some ridiculous amount like that into their own contract.

This ultimately led to a hard fork "fix" of Ethereum and also the split of Ethereum into Ethereum and Ethereum Classic. And created a whole debate about moral hazard and bailouts and the immutability of Ethereum. And left a bit of a wound in Ethereum that took more than two years to heal. It was Ethereum's Mt. Gox moment, just different in some ways. A second one that also happened, more recently, was a problem within the DAI stable coin when it faced its ultimate challenge, the collapse of Ethereum exchange rate the ether exchange rate by more than 55% in a single day also known as Black Thursday. You probably remember that it was in the beginning of the pandemic and just after the stock market had crashed and Ether together with every other cryptocurrency dumped 55%. Because DAI depends on over collateralization where you must maintain 150% of collateral in order to back your DAI as an absolute minimum, even contracts that with 300% collateralize (which means for every three dollars they had funded they only took out one as DAI) even those ended up under collateralized.

Now in normal circumstances the immediate response, that would be through automated systems as well as manual interventions, people pump DAI back into the system in order to re-collateralize their loans or they put ETH as additional collateral in order to refund and re-collateralize their loans. However of course during the time that Ether dropped 55% gas price shot through the roof it was very difficult to get transactions through and that was compounded by another bug in the auction system that allowed some people to basically snap up some of these loans for zero and liquidate them. And that was a disaster. In the end, those loans as far as I know were re-collateralized through a fund raiser that was done by MakerDAO by asking the holders of the Maker token to put more funds into the system and the damage was only about five million dollars and most of the people affected I think were made good, made whole. Another example of a cascade failure of multiple problems, all occurring at the same time and, of course, it was a bit of a Black Swan event because a 55% drop in a single day had not been seen until that moment.

Finally the third one, which is even more interesting is the ingenious use of flash loans in order to exploit a weakness in the system. Here a flash loan as we said before, is a loan where you take money out in a transaction, that transaction as it executes creates a cascade of contract calls and as long as the last event from the transaction refunds the flash loan, you are allowed to take that loan.

By taking a flash loan of more than a million dollars an attacker was able to create a cascade of contract calls effectively using DeFi's composability to create a brilliant scheme. In this scheme… a loan from the flash loan was split into Wrapped Bitcoin (WBTC) and Ether and then was used to take a short position in a decentralized exchange against Wrapped Bitcoin followed by a dump of that Wrapped Bitcoin on the decentralized exchange followed by a liquidation of that short in order to gain the difference and a repayment of the flash loan all in a single transaction and I believe just over two million dollars was exploited using this trick.

So this is an example of unintended consequences when, just like the good guys can do composability, well, so can attackers and an unintended consequence of weaknesses in futures markets and flash loans and various other components all used together to execute an attack If you enjoyed this video please subscribe like and share All my work is shared for free. So if you want to support it join me on

You May Also Like