If people actually used insurance against hacks, this week would definitely have bankrupted a great many insurers. In the span of one week, a total of four flash-loan-enabled exploits were registered (one actually happened the week before, but wasn’t noticed until later).
We have, in order, Cheese Bank with a $3.3 million theft, Akropolis with its $2 million loss, Value DeFi with a whopping $6 million exploit and finally Origin Protocol’s loss of $7 million.
In total, the hackers stole $18.3 million, which, admittedly, is not that much — less than the single October exploit of Harvest Finance.
As always, the most common comments on the subject are “were they audited?” and “flash loans are bad.” Now, in terms of auditing, I was able to find reports for all of them except Cheese Bank (maybe it was reviewed, it’s just not immediately obvious).
I feel like a broken record by now, but people really need to understand that audits are always going to be limited in their effectiveness. Security companies just don’t have enough eyes and enough time to find everything.
If you want to point at something, I’d focus on the fact that none of these except for Akropolis had an immediately discoverable bug bounty. Even then, given how easy it is to steal money in crypto, these projects should be far more competitive with their payments than any other sector. Audits, which apparently run for more than $200,000 if you want premium quality, don’t seem like the most efficient use of money.
Obviously, bounties won’t suddenly turn blackhat hackers into upstanding citizens, but it may change the life of some poor kid who does this for a living and decides to scan your protocol for his lottery ticket. They’d be more than happy to receive $100,000 and have a clean conscience while saving you millions of dollars down the line.
Flash loans are tough, but fair
As for flash loans, I think they’re the greatest tool for increasing DeFi market efficiency that we have at the moment. Their intended usage is to arbitrage various assets across protocols — buy low on Uniswap, sell high on SushiSwap, all without committing your own capital. They’re also useful to quickly unwind your positions on lending protocols, and I’m sure there are other uses. In short, they’re pretty great.
And yes, flash loans do make hacks simpler. But note that anything that can be done with a flash loan can also be done with a large pile of cash. Hackers may not be that wealthy in general, but it’s actually better for the ecosystem to weed out weak implementations and protocols before it grows to accommodate a billion-dollar hack.
It’s definitely painful to be on the receiving end of a hack, but it’s also a known risk that should be managed. Sometimes it may just be bad luck, but that explanation should only be used when every possible mitigation strategy has been exhausted. I hope each protocol that gets hacked takes steps to ensure it never happens again. Otherwise, the hacks will continue until security improves, or until the protocol is dead.
DEXs fight over the crumbs left by Uniswap
Uniswap, at one point the largest protocol by total value locked with $3 billion, predictably lost more than half of it as soon as it stopped printing UNI rewards for its Ether pools.
Most of that made its way to SushiSwap, which went from about $200 million to $1 billion in TVL. Cheekily, the project shifted its yield-farming incentives to the same pools used by Uniswap just one day before expiry.
Then Bancor stepped up by launching its own liquidity mining program, followed by Mooniswap today. The latter two seem to be having modest results, adding maybe $10 million each so far.
So we’re definitely seeing some pretty aggressive competition in that space, powered by a lot of token printing.
But my thesis from last week appears to be mostly correct — Uniswap doesn’t care. $1.3 billion with absolutely no subsidies is a pretty amazing result. It’s more than six times higher than before this whole yield-farming season started. Volume is also remaining stable.
Uniswap’s fortunes could, of course, change in the future as the market continues readjusting. Either way, I think this is both a good and bad sign for the future. On one hand, we’re seeing pretty clear long-term stickiness after yield farming — proving that it’s at least somewhat successful at generating organic interest.
On the other hand, we’re seeing that yield farming is somewhat successful, so it may remain a long-term staple of the DeFi world. The concept does have merits, but this summer showed that people often don’t understand what they’re getting into.
As a heads-up, any time a DeFi protocol’s token can be staked to receive more of the same tokens, that’s a very clear Ponzi-like dynamic. It’s a dangerous game to play, just ask people who bought SUSHI at $11. You could argue that Ethereum 2.0 staking is the same, apparently disproving my thesis. The difference is that the much saner yields avoid the huge boom-and-bust cycles typical of many DeFi “fair launches.”
Maker liquidators are ‘slacking off’
Another issue pointed out this week was the fact that Maker’s keepers — the agents responsible for liquidating bad debt — turned out to be completely avoiding small, undercollateralized loans. It appears that opening a vault for $100 is just so uninteresting to them that they will ignore it even if it falls below the safety threshold that would let them liquidate it.
It’s fairly easy to see why. Liquidators would get a discount of maybe 5%, so their theoretical profit is just $5, easily eaten by gas fees.
Opening thousands of small vaults is not that expensive and could result in a dangerous vulnerability for Maker. Rational keepers would never liquidate this debt, especially if it were left to rot and decisively fall below the 100% collateralization threshold.
That would create unbacked Dai in a manner very similar to Black Thursday. I’m sure that in practice, some stakeholders would act altruistically to liquidate debt at a loss before it’s too late. Plus, the system is designed to be bailed out in these situations, as we’ve seen with the MKR auctions after the incident earlier in the year.
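To make the keeper economics above concrete, here is an added Python model of my own (not Maker’s code, and not part of the original column) that computes the vault size below which a rational keeper ignores a liquidation and sums the Dai shortfall such vaults leave behind. It assumes a 5% liquidation discount, a $20 gas cost per liquidation and a 150% liquidation ratio as constructed inputs, and a minimum-debt floor as one assumed mitigation that the text itself does not specify.

```python
# Constructed model of rational-keeper behaviour on small vaults (not Maker code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Vault:
    debt_dai: float        # outstanding Dai debt
    collateral_usd: float  # current USD value of the locked collateral

def collateral_ratio(v: Vault) -> float:
    return v.collateral_usd / v.debt_dai

def keeper_profit(v: Vault, discount: float, gas_cost_usd: float) -> float:
    """Discount earned on the repaid debt minus gas burnt; negative = not worth it."""
    return v.debt_dai * discount - gas_cost_usd

def breakeven_debt(discount: float, gas_cost_usd: float) -> float:
    """Smallest vault debt at which the liquidation discount just covers gas."""
    return gas_cost_usd / discount

def unbacked_exposure(vaults, liq_ratio: float,
                      discount: float, gas_cost_usd: float) -> float:
    """Dai shortfall in vaults that are liquidatable but unprofitable to touch,
    i.e. the debt rational keepers leave to rot below 100% collateralisation."""
    shortfall = 0.0
    for v in vaults:
        if collateral_ratio(v) >= liq_ratio:              # still healthy
            continue
        if keeper_profit(v, discount, gas_cost_usd) > 0:  # a keeper will take it
            continue
        shortfall += max(0.0, v.debt_dai - v.collateral_usd)
    return shortfall

def min_debt_floor(discount: float, gas_cost_usd: float, margin: float = 2.0) -> float:
    """Assumed mitigation: refuse vaults whose debt sits below a floor set
    comfortably above the break-even point, so every vault is worth liquidating."""
    return breakeven_debt(discount, gas_cost_usd) * margin

def demo() -> dict:
    discount, gas, liq_ratio = 0.05, 20.0, 1.5   # constructed parameters
    dust = [Vault(100.0, 90.0)] * 1000             # 1000 tiny vaults already under 100%
    whale = [Vault(5000.0, 4500.0)]                # same ratio, but worth liquidating
    healthy = [Vault(100.0, 160.0)]                # above the liquidation ratio
    vaults = dust + whale + healthy
    return {
        "breakeven_debt": breakeven_debt(discount, gas),     # 400.0
        "dust_profit": keeper_profit(dust[0], discount, gas), # -15.0
        "unbacked_dai": unbacked_exposure(vaults, liq_ratio, discount, gas),  # 10000.0
        "suggested_floor": min_debt_floor(discount, gas),    # 800.0
    }
```

Raising the gas assumption shows how quickly the break-even size climbs during congestion, which is exactly when dust vaults are most likely to fall under water.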
But this and the flash-loan vulnerability from a few weeks earlier signal that there is some trouble in paradise. For example, one of the reasons why the community refused to compensate victims of Black Thursday is that it was seen as a failure of the market, not the auction system.
That makes sense, but this latest discovery jolted the community to patch up the issue while waiting for a slight redesign of the auction system. That betrays a certain cognitive dissonance — they say the system “worked fine” earlier, and yet now it needs to be changed up due to a similar market failure.
Personally, I find Maker governance fascinating and unique among its peers. They’ve had to deal with some very tough choices this year that go well beyond tweaking arbitrary collateral parameters.
I don’t really agree with some of those choices. I definitely feel that the decision not to refund Black Thursday victims was short-sighted, though perhaps it was the product of mutual distrust given the class-action lawsuit hanging over their heads.
But that is human nature, and I expect that DeFi governance will eventually go through many of the lessons that history has served us. Some people have high hopes for DeFi governance to reshape societies just because it’s “decentralized.” I hope that will be the case, but so far I’m just seeing your run-of-the-mill politics, complete with vested interests, propaganda and deflection.