As an arbitrage tool, flash loans can be used to achieve high arbitrage among various DeFi protocols at very low or even zero cost, and even use combinable vulnerabilities to hack to steal huge amounts of funds. Since last year, the successive occurrences of lightning attacks have proved its feasibility. It can be said that lightning loan attacks are like a time bomb and have become a huge security risk for DeFi.
However, a recent governance vote in the MakerDAO community made us realize that in addition to being used for hacking to cause direct economic losses to users, lightning loans can also be used to achieve malicious governance manipulation, that is, through lightning loans “out of thin air” Obtaining most of the votes, changing the governance rules at almost zero cost to benefit oneself, thus causing indirect economic losses to users.
Flash loans and hacking
“Flash loan”, a new species born in the DeFi world, does not require any collateral, as long as the loan and repayment are completed in one block. This will open up the brains of smart developers and develop new DeFi applications. However, while bringing us surprises, Lightning Loan is slowly opening a DeFi Pandora’s Box. Since last year, there have been many lightning loan hacking incidents, and a large amount of funds in the DeFi protocol have been stolen.
, The well-known DeFi platform Balancer’s liquidity pool has also been attacked by hackers in lightning loan attacks, losing 500,000 US dollars.
Just three days ago, on October 26, hackers once again used Flashloan arbitrage to successfully steal $24 million from the DeFi protocol.
Flash loans and governance attacks
The existence of lightning loan attacks is disturbing, especially in the early stage of encryption in a state of chaos. The DeFi protocol is blessed with composability. Users in DeFi are like exploring in the dark forest of danger, walking on thin ice, in high returns and high returns Under the surface, lightning loan attacks hide a murderous security risk.
However, this is not all. Recently, flash loans have been discovered to have a new “useful place”, which can be used to manipulate votes to conduct decentralized community governance attacks.
Earlier this week, MakerDAO passed a governance vote, and it was later discovered that lightning loan manipulation was used to vote in the governance process. Although subsequent investigations revealed that the incident was not malicious, the incident made the MakerDAO community aware that lightning loans have hidden operational risks in the governance structure and are operability.
Specifically, on October 26th, the Maker Foundation smart contract development team detected a voting violation that occurred in the MakerDAO governance proposal. The proposal was initiated by the DeFi liquidity protocol B Protocol development team. The main goal is to propose the B Protocol Included in the whitelist of the MakerDAO oracle machine to gain access to the MakerDAO price oracle machine . This test found that the proposal used the lightning loan function to manipulate votes to pass the proposal.
Post-mortem monitoring found that during the voting process of the proposal, multiple steps of manipulation were created and executed. Specifically, WETH was first borrowed from dYdX through flash loans, and then used as collateral assets to borrow from the lending platform AAVE MKR tokens worth 7 million U.S. dollars, and about 13,000 MKR tokens lent later are used to vote on the proposal, and they will be returned after voting.
The specific process of this voting manipulation
The post pointed out that after the voting violation was confirmed, the Maker Foundation contacted the BProtocol team. The BProtocol team has also maintained good and transparent communication with the Maker Foundation on this matter, and is willing to be responsible for this lightning loan.
It is true that the occurrence of this governance manipulation incident did not cause huge losses, but this governance incident is still of great significance. It reminds us that lightning loans can not only cause direct economic losses, but also indirect economic losses through governance manipulation. And has operational space, and the latter is obviously more secretive.
This means that DeFi users, especially community managers, must be aware of the potential risks of flash loans, that is, it may have an impact on the governance system and may eventually cause economic losses. For the Maker community, there is an urgent need to vote for the community. The liquidity of the token maker market is actively monitored.
The Maker community forum, has been how to prevent against future credit management lightning attack a series of discussions, such as the delay increases than GSM suspended to 72 hours, so that MKR holders have more time to respond to attacks on governance, participation of disabled governance Some features of the author.
As DeFi gradually matures, composability will increase the risk of the entire system exponentially. While each protocol brings opportunities through combination, it also faces compatibility risks. The DeFi ecological security problem in the early days of the wild still has a long way to go.
