
ValueDeFi flash-loan attack exposes critical lack of due diligence in DeFi

2020.11.22 Matthew Lam

OKX Insights’ DeFi Digest is a weekly examination of the decentralized finance industry.

DeFi market snapshot

The decentralized finance market maintained its bullish momentum this week as the total value locked in DeFi products rose slightly from $13.65 billion to $13.80 billion. 

The decentralized lending market grew by 8% this week as the total borrowing volume reached $3.09 billion. Benefiting from the growth, Maker replaced Uniswap as the overall DeFi leader, with a 17% market dominance level. Compound, meanwhile, maintained its market dominance in the lending sphere, with a 55% share.

The weekly average trading volume of decentralized exchanges rose by 20% and reached $0.53 billion this week. While Uniswap maintained its trading volume dominance of 37%, its position as having the largest liquidity pool was replaced by its primary competitor, SushiSwap.

Weekly trading volume of DEXs grew by 20%. Source: DeFi Pulse and DeBank

Flash-loan attacks proving problematic for DeFi

Flash-loan attacks have become a headache for the DeFi community as yield aggregator ValueDeFi became the fifth victim in only three weeks. Following the $34 million loss from Harvest Finance, there have been flash-loan exploits of Akropolis, Origin Protocol and Cheese Bank, with a loss of $2 million, $7 million and $3.3 million, respectively.

ValueDeFi suffered from a $6 million flash-loan exploit on Nov. 14. According to Emiliano Bonassi, a self-described white-hat hacker, the flash-loan exploit on the ValueDeFi protocol was more complex than previous attacks, as two flash loans were used. Hackers took out a flash loan of 80,000 ETH — worth over $36 million — and a $116 million flash loan in DAI from Uniswap to exploit the ValueDeFi protocol, resulting in a net loss of $6 million. 

The detailed steps for the attack were illustrated on Bonassi’s Twitter account:

Hackers used two flash loans on Aave and Uniswap to exploit the ValueDeFi protocol. Source: Twitter / @emilianobonassi

According to an analysis conducted by audit firm PeckShield, the root cause of the ValueDeFi protocol exploit was a bug in its “MultiStablesVaults,” which uses Curve to measure the asset price. Because of the bug, hackers were able to use flash loans to manipulate the price of 3crv tokens. After that, they could burn the minted tokens from the pool to redeem a disproportionate share of 33.08 million 3crv tokens, instead of the normal 24.95 million. Hackers then redeemed the 3crv tokens for DAI, which led to a $7.4 million loss in DAI. (The hackers did, however, return $2 million to the core developers of ValueDeFi.)

Remedial actions by ValueDeFi

The ValueDeFi team published a post-mortem analysis that outlines immediate remedies and medium-term plans to prevent such flash-loan attacks.

As a first step, deposits in the MultiStables vault have been halted. To calculate the exact amount of compensation, the team has taken snapshots of every user’s balance before the attack. The team also plans to release a second version of the MultiStables vault. Prior to the release, the second vault will be audited by public auditors and public Solidity developers. 

Compared to the first version of the vault, the second version uses Chainlink price feeds to enhance data quality, provide oracle security and supply accurate asset prices. The use of price oracles reduces exposure to temporary flash-loan-induced price distortions when the ValueDeFi protocol extracts data from Curve’s on-chain liquidity pools or other on-chain-generated price feeds. Additionally, because Chainlink price feeds are updated across separate transactions rather than within a single one, a flash loan, which exists only for the duration of one transaction, has no ability to manipulate the price.
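As an added illustration of the root cause and the fix described above (this is not code from ValueDeFi, PeckShield or OKX): a toy Python model of a vault that values a deposit at an AMM's instantaneous spot price, which a same-transaction trade can skew, versus an oracle price that cannot change inside one transaction, together with the kind of spot-versus-oracle deviation check a vault can apply before acting. The pool reserves, vault balances and 200 bps tolerance are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed toy numbers, not ValueDeFi's on-chain state.
VAULT_VALUE_STABLE = 10_000_000.0   # vault holdings valued in stablecoin
VAULT_SHARES = 10_000_000.0         # vault share tokens outstanding
DEPOSIT_A = 1_000.0                 # units of asset A being deposited


@dataclass
class Pool:
    """Minimal constant-product AMM (x * y = k) quoting asset A in a stablecoin."""
    a: float
    stable: float

    def spot_price(self) -> float:
        """Instantaneous on-chain price: stablecoin per unit of A."""
        return self.stable / self.a

    def swap_stable_for_a(self, stable_in: float) -> float:
        """One trade; reserves, and so the spot price, move within the same transaction."""
        k = self.a * self.stable
        self.stable += stable_in
        a_out = self.a - k / self.stable
        self.a -= a_out
        return a_out


def shares_for_deposit(amount_a: float, price: float) -> float:
    """Vault shares minted for a deposit, given the price used to value it."""
    return VAULT_SHARES * amount_a * price / VAULT_VALUE_STABLE


def checked_price(pool: Pool, oracle_price: float, max_deviation_bps: float = 200.0) -> float:
    """Use the oracle price, but refuse if the on-chain spot price has drifted too far
    from it: a large gap within one transaction is the signature of manipulation."""
    deviation_bps = abs(pool.spot_price() - oracle_price) / oracle_price * 10_000
    if deviation_bps > max_deviation_bps:
        raise ValueError(f"spot deviates {deviation_bps:.0f} bps from oracle; rejecting")
    return oracle_price


def simulate_same_tx_skew(skew_stable: float, oracle_price: float = 1.0):
    """Value one deposit before and after a same-transaction trade skews the pool.
    Returns (shares at original spot, shares at skewed spot, shares at oracle price,
    whether the deviation check let the deposit through)."""
    pool = Pool(a=1_000_000.0, stable=1_000_000.0)   # starts at 1.0 stable per A
    before = shares_for_deposit(DEPOSIT_A, pool.spot_price())
    pool.swap_stable_for_a(skew_stable)              # reserves move inside the same tx
    at_skewed_spot = shares_for_deposit(DEPOSIT_A, pool.spot_price())
    at_oracle = shares_for_deposit(DEPOSIT_A, oracle_price)  # oracle cannot change mid-tx
    try:
        checked_price(pool, oracle_price)
        passed = True
    except ValueError:
        passed = False
    return before, at_skewed_spot, at_oracle, passed
```

A 500,000-stablecoin trade into the toy pool more than doubles the shares a spot-priced vault would mint for the same deposit, while the oracle-priced valuation is unchanged and the deviation check rejects the transaction.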

The team will create a compensation fund based on developer funds, an insurance fund and a portion of the fees collected by the protocol. To compensate users for the lack of access to their capital, the team has created IOU tokens to represent the funds that have not been returned to users. The IOU tokens have built-in inflation that will automatically accrue 10% annual percentage yield every week. 

The team has also continued to seek a resolution with the hackers. For instance, it proposed a 1 million DAI distribution as a bounty and requested that hackers return the remaining funds to affected users. Hackers have not yet responded to this request.

Painful lessons

The recent flash-loan exploits on DeFi protocols once again exposed a lack of understanding in DeFi mechanics among some market participants. In the ValueDeFi protocol exploit, a self-described nurse and a self-described 19-year-old student lost $100,000 and $200,000, respectively. While hackers returned 50,000 DAI and 45,000 DAI to the nurse and student, respectively, they warned users about the risks associated with their lack of knowledge and caution.

Hackers in the ValueDeFi protocol exploit warned users about the risks of investing in yield farming protocols. Source: Etherscan

The aforementioned examples illustrate how some DeFi participants only consider the current returns from yield-farming protocols without acknowledging the risks inherent to smart contracts. Even the ValueDeFi team reiterated that there is always an element of risk involved when investing in DeFi protocols. 

With the deployment of new DeFi protocols becoming increasingly complex, the risks of investing in these protocols are likely to only increase.
