Earlier in February, Yearn Finance, the popular decentralized finance (DeFi) protocol built on the Ethereum blockchain, suffered the first DeFi hack of 2021. Users whose funds were deposited in the yDAI Yearn Finance vault accrued an estimated $11M in losses, including a $2.8M profit that the attackers made away with. Essentially, the perpetrators were able to create a synthetic arbitrage opportunity by posting flash loans as collateral to receive 145k ETH (~$342M). They then flooded the USDC/DAI balance in a Curve 3pool with the purchasing power from their ETH loan, throwing the three-asset liquidity pool of USDC/DAI/USDT out of balance while pulling USDT out. While the value of the attackers’ assets in the liquidity pool diminished with each successive attack, the ballooning fees from the volatility in the liquidity pools netted them a massive profit in the end. The craziest part about this is I am not even sure if what the attackers did would be considered illegal, as they just preyed on the Ethereum DeFi ecosystem’s weaknesses. Yes, this may be morally dubious, but most of the losses from the Yearn Finance vault went to the pockets of liquidity providers of the 3pool, who were not even involved in the scheme.
***Full overview of the attack available at https://thedefiant.io/yearn-loses-11m-in-2021s-first-defi-hack/
Now, this story on its face may be enough to scare any hardcore crypto and DeFi advocate, but it is important to understand the functions that enabled this specific DeFi hack on Ethereum and how this could be avoided on Flare Network.
Alright, so let’s start off with what in the world a flash loan is and the mechanisms that allow this kind of product to exist. A flash loan is a smart-contract-powered agreement that allows lenders to provide ridiculously high-value loans to debtors with zero collateral, thanks in part to Ethereum’s block transaction system. In Ethereum’s unique transaction system, the number of steps in a single Ethereum transaction is limited only by the gas cost, but the steps must also be completed atomically, meaning all steps must succeed for the block transaction to be committed. Flash loans are therefore made possible by the fact that they must be repaid in full, plus the fee for borrowing, within the same Ethereum block transaction. If this does not happen, the flash loan is canceled along with any other steps taken during that sequence. Smart contracts within Ethereum can essentially chain transactions together, extending the number of steps in a single transaction block, which is what allowed the attackers to execute their play.
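The repay-or-revert rule described above, modelled as an added Python example (not code from Yearn, Ethereum or the original post). The toy ledger, the account names and the 0.09% fee are assumptions made for illustration.

```python
class Revert(Exception):
    """Raised when any step fails; the whole transaction is rolled back."""

class Chain:
    """Toy ledger (assumed model): one balance map, changed only inside transactions."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx atomically: commit every step, or restore the snapshot."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

FEE_BPS = 9  # assumed borrowing fee: 0.09% of the principal

def flash_loan(chain, borrower, amount, callback):
    """Lend with zero collateral, run the borrower's steps, demand principal + fee."""
    fee = amount * FEE_BPS // 10_000
    before = chain.balances["pool"]
    chain.transfer("pool", borrower, amount)
    callback(chain)                                 # arbitrary borrower-chosen steps
    chain.transfer(borrower, "pool", amount + fee)  # reverts if the borrower is short
    if chain.balances["pool"] < before + fee:       # lender's own final balance check
        raise Revert("loan not repaid")

def profitable(chain):  # constructed step: borrower gains 2_000 from a counterparty
    chain.transfer("market", "alice", 2_000)

def losing(chain):      # constructed step: borrower loses part of the principal
    chain.transfer("alice", "market", 5_000)

def run(callback):
    """Start from the same constructed balances and attempt one flash loan."""
    chain = Chain({"pool": 1_000_000, "alice": 0, "market": 10_000})
    ok = chain.execute(lambda c: flash_loan(c, "alice", 1_000_000, callback))
    return ok, chain.balances
```

In the losing case the pool, the borrower and the counterparty all end exactly where they started, which is why the lender can skip collateral: the loan either comes back with its fee or never happened.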
Before I start ranting about the numerous dangers and the systemic risk this type of DeFi lending product enables, I want to touch on some of the benefits of flash loans. Their three main uses are arbitrage, collateral swaps, and self-liquidation, all of which become available to anyone. Detailed above, we saw an example of how sophisticated traders can create synthetic arbitrage opportunities for themselves via flash loans, but this also allows the normal retail trader to capitalize on price discrepancies throughout DeFi markets. Additionally, flash loans can be used to swap out your collateral for another asset to avoid short-term price volatility and unnecessary effort on the user’s part. Finally, and this is the most noble use case of flash loans, users can self-liquidate margin positions to reduce losses during massive price drops. So not all bad, right? You can see how this last flash loan use case could have been helpful to many during the March 2020 cryptocurrency crash or from the SEC’s surprise drop of the Ripple case.
***Additional information on flash loans at https://finematics.com/flash-loans-explained/
Now that I have paid my homage to our well-intentioned flash loan creators, I can start off by definitively stating that flash loans will not be a problem for DeFi on the Flare Network. All of you self-proclaimed “Sparktans” can rest easy and let go of that fleeting thought in your mind telling you to throw me off a cliff just like the legendary 300 Spartans would have done. The Flare Network’s transaction speeds will just be too darn fast for this number of successive transactions to be effective within certain time constraints, as they are on the Ethereum blockchain, because Flare is a federated Byzantine agreement blockchain with Avalanche consensus. DeFi hacks are becoming a bigger problem with the recent growth in the space and have accounted for around $100M in losses to DeFi protocols in the past year alone. In fact, flash loans are viewed as such a major risk to DeFi networks that multiple case studies have been conducted on how to enhance these types of attacks and on the systemic risk they pose to many cryptoeconomic systems. To dive further into how DeFi on the Flare Network can thrive without this type of hindrance, it will be important for the Flare community, made up of Spark (FLR) holders, to vote on parameters that may not just be expedient for the individual. We as a community must account for the systemic risk our decisions can bring onto the network by analyzing the macro effects of our decisions to move the network forward in a safe and beneficial manner for all stakeholders. Remember, it is better for a community system to be proactive in regard to future threats than reactive thanks to the greed of a few. Solution, no problem, instead of problem, solution, if you will.
***Case studies on flash loans: “Towards Understanding Flash Loan and Its Applications in DeFi Ecosystem” and “Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit”
***Case study on DeFi and blockchain hacks at https://ciphertrace.com/half-of-2020-crypto-hacks-are-from-defi-protocols-and-exchanges/
The last couple of concerns that have emerged from the Yearn Finance DeFi hack are that deposits to the Yearn Finance yDAI vault were suspended and that Tether froze ~$1.7M USDT. I do not understand why a supposedly decentralized project such as Yearn Finance had the ability to disable deposits to one of their vaults, which begs the question of whether this is in direct contradiction to what DeFi is meant to be. Additionally, Flare Network developers are building out a fully decentralized, USD-pegged stablecoin backed by FLR and other f-assets like FXRP. In short, the stablecoin, labeled USF, will be governed by the Flare community and unfreezable, with the added capability of transacting on the XRP Ledger as USFX. Matt Rosendin, one of the developers for the Trustline app and the decentralized stablecoin project, summed up the hilarity of the entire situation with the tweet below:
How decentralized is DeFi? For one, USDT isn’t DeFi at all. https://t.co/iBPlcwh2Hr
— Matthew Rosendin (@mattrosendin) February 8, 2021
And, if you want to learn more about this stablecoin being developed on the Flare Network, check out one of the latest videos from Mickey B Fresh below:
Props to you, the reader, if you have indulged me for this long, but I have a treat for you that includes a lovely diagram depicting a single leg of the attack thanks to the post-mortem report from the Yearn Finance team. Additionally, please pop into the comments below. Maybe someone has some more information to share or a very coherent argument on why DeFi ecosystems need flash loans to persist.
Double bonus if you made it to this point because you wanted to check out the crude diagram, but Mickey even relayed to me that this whole concept made his head hurt. I hope you learned something and I will be back with more in the future.
~Your friendly, neighborhood starfish, Patty XRP