In addition to arbitrage attacks, what evil can flash loans do?

As an arbitrage tool, flash loans can be used to extract large arbitrage profits across DeFi protocols at very low or even zero cost, and can even be combined with vulnerabilities that arise from composability to steal huge amounts of funds. Since last year, a succession of flash loan attacks has proved that this is feasible. Flash loan attacks are like a time bomb and have become a major security hazard for DeFi.

However, a recent governance vote in the MakerDAO community made us realize that, besides being used in hacks that cause direct economic losses to users, flash loans can also be used for malicious governance manipulation: obtaining a majority of votes "out of thin air" through a flash loan and changing the governance rules in one's own favor at almost zero cost, thereby causing indirect economic losses to users.

Flash loans and hacking

The "flash loan", a new species born in the DeFi world, requires no collateral as long as the borrowing and the repayment are completed within one block. This has sparked the imagination of clever developers, who have built new DeFi applications on it. However, while bringing us surprises, the flash loan is also slowly opening a DeFi Pandora's box. Since last year there have been many flash loan hacking incidents, and large amounts of funds in DeFi protocols have been stolen.

The DeFi lending protocol bZx has twice been exploited through flash loan attacks, with arbitrage losses of over one million US dollars. A liquidity pool on the well-known DeFi platform Balancer was also hit by a flash loan attack and lost 500,000 US dollars.

And just three days ago, on October 26, hackers once again used flash loan arbitrage to steal $24 million from the DeFi protocol Harvest.Finance.

Flash loans and governance attacks

The existence of flash loan attacks is disturbing, especially while the crypto space is still in its chaotic early stage. DeFi protocols are composable, and DeFi users are like explorers in a dark forest full of danger, walking on thin ice. Beneath the surface of high returns, flash loan attacks hide a deadly security risk.

However, that is not all. Recently, flash loans have been found to have a new "use": manipulating votes to carry out governance attacks on decentralized communities.

Earlier this week, MakerDAO passed a governance vote, and it was later discovered that a flash loan had been used to manipulate voting in the governance process. Although the subsequent investigation found that the incident was not malicious, it made the MakerDAO community aware that flash loans pose a hidden risk of manipulation in the governance structure, and that such manipulation is practical.

Specifically, on October 26, the Maker Foundation smart contract development team detected a voting irregularity in a MakerDAO governance proposal. The proposal was initiated by the development team of the DeFi liquidity protocol B Protocol. Its main goal was to add B Protocol to the whitelist of the MakerDAO oracle, giving it access to the MakerDAO price oracle. The investigation found that a flash loan had been used to manipulate votes so that the proposal would pass.

Post-mortem monitoring found that a multi-step manipulation was constructed and executed during voting on the proposal. Specifically, WETH was first borrowed from dYdX through a flash loan and used as collateral on the lending platform Aave to borrow MKR tokens worth 7 million US dollars; the roughly 13,000 MKR borrowed were then used to vote on the proposal and were returned after the vote.
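
The pattern found in the post-mortem, voting weight that is locked, used to vote and released again within one block, can be checked for mechanically. The following is an added example, not code from MakerDAO or from the original article; the lock/vote/free event schema, the addresses and the sample records are constructed assumptions.

```python
# Added example: flag votes cast with weight that was locked and freed again
# almost immediately. Event schema and sample data are constructed assumptions.
EVENTS = [
    # Borrowed weight: lock, vote and free inside one transaction.
    {"block": 100, "tx": "0xaaa", "voter": "0xA1", "action": "lock", "amount": 13000},
    {"block": 100, "tx": "0xaaa", "voter": "0xA1", "action": "vote", "amount": 0},
    {"block": 100, "tx": "0xaaa", "voter": "0xA1", "action": "free", "amount": 13000},
    # Long-term holder: locks, votes later, frees much later.
    {"block": 90, "tx": "0xbbb", "voter": "0xB2", "action": "lock", "amount": 500},
    {"block": 95, "tx": "0xccc", "voter": "0xB2", "action": "vote", "amount": 0},
    {"block": 400, "tx": "0xddd", "voter": "0xB2", "action": "free", "amount": 500},
    # Locks and frees in one block without voting: not a governance event.
    {"block": 120, "tx": "0xeee", "voter": "0xC3", "action": "lock", "amount": 50},
    {"block": 120, "tx": "0xeee", "voter": "0xC3", "action": "free", "amount": 50},
]


def transient_votes(events, max_blocks_held=0):
    """Return one finding per voter position that voted and was fully
    unwound within max_blocks_held blocks of its first lock."""
    open_pos, findings = {}, []
    # sorted() is stable, so events keep their order inside a block.
    for ev in sorted(events, key=lambda e: e["block"]):
        voter, action = ev["voter"], ev["action"]
        if action == "lock":
            pos = open_pos.setdefault(voter, {"block": ev["block"], "txs": set(),
                                              "locked": 0, "peak": 0, "voted": False})
            pos["locked"] += ev["amount"]
            pos["peak"] = max(pos["peak"], pos["locked"])
        elif voter not in open_pos:
            continue  # vote or free without a lock we observed
        pos = open_pos[voter]
        pos["txs"].add(ev["tx"])
        if action == "vote":
            pos["voted"] = True
        elif action == "free":
            pos["locked"] -= ev["amount"]
            if pos["locked"] <= 0:  # position fully unwound
                held = ev["block"] - pos["block"]
                if pos["voted"] and held <= max_blocks_held:
                    findings.append({"voter": voter, "weight": pos["peak"],
                                     "blocks_held": held,
                                     "single_tx": len(pos["txs"]) == 1})
                del open_pos[voter]
    return findings
```

With the default `max_blocks_held=0` only weight that never outlives its block is reported; a larger window also reports weight held for a short time across blocks.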

The post pointed out that, after the voting irregularity was confirmed, the Maker Foundation contacted the B Protocol team. The B Protocol team has maintained good and transparent communication with the Maker Foundation on the matter and is willing to take responsibility for this flash loan.

Admittedly, this governance manipulation incident did not cause huge losses, but it is still highly significant. It reminds us that flash loans can cause not only direct economic losses but also indirect ones through governance manipulation, that there is practical room for this, and that the latter is clearly more covert.

This means that DeFi users, and community managers in particular, must be aware of the potential risks of flash loans: they may affect the governance system and ultimately cause economic losses. For the Maker community, there is an urgent need to actively monitor the market liquidity of the community's voting token, MKR.

On the Maker community forum, a series of discussions has been held on how to prevent flash loan governance attacks in the future, such as increasing the GSM pause delay to 72 hours, which gives MKR holders more time to respond to governance attacks, and disabling some of the features available to governance participants.

As DeFi gradually matures, composability will increase the risk of the entire system exponentially. While composition brings each protocol opportunities, it also exposes it to compatibility risks. Security in the DeFi ecosystem, still in its wild early days, has a long way to go.