The surprise that flash loans first brought has gradually turned into fear. This disruptive innovation has opened the Pandora's box of DeFi.
After two consecutive attacks on the DeFi protocol bZx this week, in which a total of 3,571 ETH (nearly $900,000) in assets was lost, the article "Stealing All Maker's Mortgage", written yesterday by Imperial College scholar Dominik Harz, has again made people tense.
The article reportedly discusses how hundreds of millions of dollars' worth of collateral could be stolen through flash loans and flaws in Maker's governance. What is worrying is that the discussion is not alarmist; it was meant to remind the MakerDAO team to take defensive measures.
In response to the potential attack, the MakerDAO team had to hold an emergency vote on Friday to minimize the risk of a governance attack.
In a post, MakerDAO member LongForWisdom wrote:
"In the end, I asked MKR holders to do two things:
- When voting begins this Friday (12 noon Eastern Time), please review it promptly and seriously consider voting to activate the GSM as soon as possible. Crucially, this needs to be activated as soon as possible;
- Vote in favor of the current hat proposal by Friday. This is an approved implementation proposal, which was made before Friday. The more MKR proposed, the less vulnerable the Maker protocol will be. The current hat proposal can be found here: https://vote.makerdao.com/executive-proposal/activate-the-savings-rate-spread-and-the-sai-and-dai-stability-fee-adjustments"
Dominik Harz, who proposed the attack, cautioned:
"At present, due to the lack of liquidity, people cannot use flash loans to attack. However, if the liquidity of the flash loan pools becomes sufficiently high, the attack is entirely possible. Introducing a delay through the GSM can prevent flash loan attacks.
In fact, I would prefer a dedicated team working 24 hours a day on this problem … the best thing they can do is to detect flash loan transactions in the mempool and try to get a transaction in before the attacker to prevent the attack."
The general idea and feasibility of the attack
Reportedly, Micah Zoltu raised Maker's governance flaw in December last year. After that, the Maker team tried to address the issue with new governance rules (increasing the delay from 0 to 24 hours), but the final vote did not pass.
With the emergence of flash loans, a new attack strategy has appeared, because in theory it removes the need to hold a large number of MKR tokens and lets the attack be completed at a very low cost (transaction fees).
Researcher Dominik Harz and others proposed two attack schemes in the paper "The Crisis of Decentralized Finance: Attacking DeFi":
- An attack strategy inspired by the Maker governance flaw raised by Micah Zoltu, executed covertly within 2 blocks; this requires the attacker to lock about $27.5 million in collateral;
- A new attack strategy that allows the attacker to obtain Maker's collateral in two transactions, which only requires a few dollars up front for gas fees;
So what is this so-called governance flaw?
Simply put, Maker's governance process relies on MKR tokens, and participants have voting rights proportional to the number of MKR tokens they hold. Through executive voting, participants elect an executive contract that defines a set of rules for managing the system. The elected contract is the only entity allowed to manipulate funds, so if a malicious contract is elected, it could steal all funds locked up as collateral.
There are two defense mechanisms to protect executive voting:
- The Governance Security Module (GSM), which increases the delay time (currently still 0);
- The emergency shutdown mechanism, which allows a group of participants holding a sufficient amount of MKR to stop the system (this operation requires a constant pool of 50,000 MKR);
Having covered the defense mechanisms, let's turn to the general idea of the attack:
A malicious party can choose between the following two options to accumulate the capital needed to mount an attack.
1. Crowdfunding: Users lock their MKR tokens in a contract that is programmed so that, once the required number of MKR tokens is reached, all the funds are voted for the malicious executive contract. This allows multiple parties to cooperate in such an attack without trusting each other, while keeping control over their funds and ensuring that their participation in the attack is rewarded. The biggest disadvantage of a crowdfunding attack is that it requires coordination between participants, which may alert honest MKR holders.
2. Flash loans: With the introduction of flash loans, a new attack scheme has emerged. A flash loan operates as follows: one party creates a smart contract, and the contract (i) takes out the loan, (ii) performs some operations, and (iii) repays the loan plus interest.
Interestingly, if the execution of step (ii) fails or the loan cannot be repaid in step (iii), the EVM treats the loan as if it never happened. Therefore, assuming sufficient liquidity is available in protocols such as Aave, an attacker can perform an MKR governance attack in step (ii) and, if it succeeds, repay the flash loan and interest in step (iii).
Since flash loans require no collateral, the amount the attacker has to lock up is greatly reduced. Assuming there is sufficient liquidity available in these DeFi pools, the attacker does not even need to lock any tokens.
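The all-or-nothing behaviour of steps (i)-(iii), and why a GSM delay above zero makes the whole transaction revert, as an added Python model (an illustration written for this page, not code from the article, the paper or Maker). The class and function names, the proposal labels, the MKR weights and the 400,000 ETH pool are constructed assumptions; the 378,940 ETH loan and the 13,670 ETH pool are the figures quoted in this article.

```python
import copy

class Revert(Exception):
    """Aborts the transaction; the caller rolls every state change back."""

class Governance:
    """Toy model (assumption): heaviest proposal is the 'hat'; it acts `delay` blocks after scheduling."""
    def __init__(self, delay, hat_weight):
        self.delay = delay
        self.hat = "current"
        self.weight = {"current": hat_weight}   # proposal -> MKR locked behind it
        self.eta = {}                           # proposal -> first block it may run
        self.executed = []
    def lock(self, proposal, mkr):
        self.weight[proposal] = self.weight.get(proposal, 0) + mkr
    def lift(self, proposal):
        if self.weight.get(proposal, 0) <= self.weight[self.hat]:
            raise Revert("proposal does not outweigh the hat")
        self.hat = proposal
    def schedule(self, proposal, block):
        if proposal != self.hat:
            raise Revert("only the hat can schedule")
        self.eta[proposal] = block + self.delay
    def execute(self, proposal, block):
        if proposal != self.hat or block < self.eta.get(proposal, float("inf")):
            raise Revert("not the hat, or delay has not elapsed")
        self.executed.append(proposal)

def flash_loan_tx(gov, pool_eth, loan_eth, mkr_bought, block):
    """Steps (i)-(iii) as ONE transaction. Returns True only if it commits."""
    snapshot = copy.deepcopy(vars(gov))
    try:
        if loan_eth > pool_eth:                  # (i) the pool must hold the loan
            raise Revert("insufficient liquidity")
        gov.lock("unvetted", mkr_bought)         # (ii) vote with borrowed funds
        gov.lift("unvetted")
        gov.schedule("unvetted", block)
        gov.execute("unvetted", block)           #      same block: needs delay == 0
        gov.weight["unvetted"] -= mkr_bought     # (iii) unlock to repay the loan
        return True
    except Revert:
        gov.__dict__ = snapshot                  # as if the loan never happened
        return False

def outcome(delay, pool_eth):
    """Constructed weights: 40,000 MKR on the hat, 50,000 MKR bought with the loan."""
    gov = Governance(delay, hat_weight=40_000)
    ok = flash_loan_tx(gov, pool_eth, loan_eth=378_940, mkr_bought=50_000, block=100)
    return ok, gov.hat, gov.executed
```

With the delay at 0 the transaction commits only when the pool can cover the loan; with a delay of 5,760 blocks (about 24 hours of 15-second blocks) it reverts and governance state is unchanged.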
In addition, the researchers found that attackers may combine crowdfunding and flash loans. In the feasibility analysis section, they also mention that there are currently more than 5,000 accounts holding MKR tokens on the entire network, and the total number of tokens involved is slightly higher than 272,000 MKR.
In order not to attract attention, the attacker may spread the accumulated tokens among multiple accounts (for example, 100 accounts with an average of 500 MKR each). One disadvantage of this method is that votes must be cast from all 100 accounts, and the voting should take place in the shortest possible time.
On average, a vote on a contract costs 69,000 gas, which means that half of a block can be filled with voting transactions and more than 72 contracts can vote within it. At the current Ethereum gas price, filling half a block with transactions costs only $10, which means an attacker can easily perform the entire attack in two blocks. In the second block, the attacker can complete the vote for his malicious contract and execute the attack in the contract. This leaves others only one block time (less than 15 seconds) to react.
Regarding the judgment of the liquidity required for the attack, the researchers mentioned in the paper:
"As of February 14, 2020, approximately 13670 ETH is available in Aave's liquidity pool and is growing at a rate of approximately 219.5 ETH per day. If we estimate that the available liquidity pool will have similar continuous growth, then it will probably take 1663 days before a governance attack can be executed without the attacker needing to own any tokens. However, Aave's current ETH growth rate is 5.18% per day. Assuming this growth rate continues, it only takes 66 days for Aave to be sufficiently liquid. We also noticed that if the liquidity of MKR on the DEX is observed to increase, the attacker can obtain a better exchange rate. Therefore, they need to borrow less ETH, which shortens the time to the attack."
Attack potential profit and risk analysis
Under the crowdfunding strategy, the profit of the attack can be divided evenly between the funders, and the only cost is the transaction fee of $20. In return, the attacker can take away MakerDAO's current 434873 ETH collateral and 145 million DAI.
Under the liquidity pool and flash loan scheme, the attacker needs to repay the 378,940 ETH flash loan required for the attack at an interest rate of 0.35%. The interest amounts to 1326.29 ETH, on top of the gas cost of two transactions. At the end of the attack, the attacker will have approximately 55933 (434873-378940) ETH, 50,000 MKR, and 145 million DAI.
To guard against a failed attack, the attacker can design the attack smart contract to revert when it is not profitable, which makes the attack basically risk-free for the attacker from a cost perspective.
In addition, given the currently unrestricted composability of DeFi protocols, analyzing the possibility of financial contagion becomes particularly important. The researchers therefore believe that, if the above two flaws were used by attackers, the crisis would spread to other DeFi protocols, which may trigger a crisis of decentralized finance.
Free and Easy's comment: Fortunately, because the liquidity of the relevant DeFi protocol pools is currently insufficient, this crisis did not occur, and Maker can resolve it simply through the Governance Security Module (GSM). However, had the researchers not communicated with the Maker team but instead kept the flaw secret and exploited it, the crisis would have had very serious consequences for the DeFi ecosystem and Ethereum. Innovation is important, but there must be awe in finance. Finally, I hope that MKR holders will activate the GSM as soon as possible after the vote opens to truly resolve the crisis.