Flash loan strategy: Can an attacker take Maker's $ 700 million collateral?

Foreword: Since the bZx incident, flash loans have become familiar to everyone. What happens if I use a flash loan to make a governance attack on Maker? Before the flash loan, the cost of launching a governance attack was very high. A crowdfunding strategy may be used. With flash loan, as long as there is enough ETH in the liquid pool, a governance attack on Maker can be launched, thereby taking away all of Maker's. Collateral and issue new Dai. Based on this possibility, Maker decided to formulate a new governance contract and launched a vote today to introduce delays to prevent governance attacks on the system. The emergence of flash loans has put forward higher requirements for the security of DeFi. In addition, Blue Fox Notes found that the current MKR in the uniswap pool has been greatly reduced, and 16,000 MKRs have been reduced to more than 4,000 MKRs. From the current situation, there is a high probability that large households will withdraw to prevent being used by attackers. The author of this article is Dominik Harz, translated by "JT" of the "Blue Fox Notes" community.

Summary

  • If you don't introduce delays to new governance contracts, through flash lending, you have the opportunity to steal all of Maker's collateral (around $ 700 million) and issue any number of new Dais.
  • Anyone can perform the attack, only pay the transaction fee (a few dollars), and do not need to hold any MKR.
  • If Maker does not introduce a delay before the liquidity of the flash loan pool exceeds the threshold, there is little chance to stop the attack.
  • We contacted Maker on February 8, 2020, and contacted them on February 14, 2020 to discuss our findings.
  • Maker knew the attack vector, and held a vote (that is, today) at 12 pm PST (Blue Fox Note: Pacific Standard Time) this Friday to prevent the attack.

Introduction

Maker and its Dai stablecoin are the most popular projects on Ethereum's DeFi, and its smart contracts have locked in about $ 700 million. (Blue Fox Note: Currently about $ 600 million, related to ETH price fluctuations) The Maker protocol relies on the governance process encoded in smart contracts. MKR token holders can vote to replace existing governance contracts. The number of votes is directly proportional to the number of MKRs. The total amount of MKR tokens is 987,530, of which the selected wallet or contract holds a large number of tokens:

  • Maker governance contract: 192,910 MKR
  • Maker Foundation: 117,993 MKR
  • a16z: 60,000 MKR
  • 0xfc7e22c6afa3ebb723bdde26d6ab3783aab9726b: 51,291 MKR
  • 0x000be27f560fef0253cac4da8411611184356549: 39,645 MKR

Please note: The Maker governance contract contains MKR tokens for multiple entities

Governance attack

In an article in December 2019, Micah Zoltu pointed out how to attack Maker governance contracts. (Blue Fox Note: For specific reference, " MKR Governance Attack: Turn 20 Million USD into 340 Million USD in 15 Seconds, Is It Possible? "). The basic idea is to accumulate enough MKR tokens and replace the existing governance contract with the attacker's governance contract, that is, a malicious governance contract. The malicious governance contract can then give the attacker complete control of the system, take out all the collateral in the system, and issue any number of new Dais at the same time.

To reduce the number of MKR tokens required, he suggested performing an attack when voting on a new governance agreement. Currently, 192,910 MKRs have been locked in the governance contract. However, if two to three contracts are assumed to vote in parallel with similar token allocations, then attackers will need fewer tokens. As shown below, this situation has often happened in the past:

640

Vote on "Maker Governance Contract"

The most obvious attack strategy is to crowdfund the required MKR tokens through smart contracts, and distribute corresponding benefits to each participant after the victory. However, an attacker may need to accumulate about 50,000 MKR tokens to have the opportunity to launch an attack on the system without being noticed by Maker.

Brave new attack strategy: flash loan

However, if we consider the use of flash loans, we can completely eliminate the need to consider accumulating MKR tokens. Flash loan is a fairly new concept, so we can give a brief explanation. (Blue Fox Note: For flashloan, you can refer to the previous article " Crypto Flash Loan: The Miraculous New Invention of Internet Currency ")

Generally, one must provide collateral to obtain a loan in DeFi. For example, in Maker, Alice borrows Dai by depositing ETH. This is necessary because it operates under a system in which weak identities and subjects economically make rational choices.

Flash loan removes these requirements because it only occurs in a single transaction:

* Alice gets a loan from a flash liquidity provider (eg in Aave or dYdX)

* Alice performs some operations (for example, arbitrage trading on Uniswap, Fulcurm, Kyber, etc.)

* Alice repays flash loan and interest

640-1

Flash loan is executed in three steps in one transaction

The reason why the flash loan is effective is because of the design of Ethereum EVM: If the flash loan fails at any time in this transaction, the entire transaction will be restored.

As a result, Alice can take the risk of the loan, that is, if she cannot repay the loan, she will never assume its risk. Liquidity providers have also won: they will lend their funds only if Alice can repay the loan.

Arbitrage or oracle manipulation using flash loans

On February 14 and February 18, two events related to flash loans led to bZx stopping its platform. In the first transaction, a flash loan made a profit of 1,193 ETH, about $ 298,250. The transaction was executed using a smart contract and opened a short position in wBTC on Fulcrum. In the same transaction, the transaction lent a wBTC loan from Compound and traded wBTC in Kyber's Uniswap reserve pool, resulting in a large slippage and ultimately reducing the price of Fulcrum. For details, please refer to the analysis of bZx and peckShield. (Blue Fox Notes: You can also refer to the previous article of Blue Fox Notes, " Inspiration of bZx Event ")

Similarly, the second incident occurred on February 18, this time the "attacker" received a gain of 2,378 ETH (about $ 600,000). The transaction involved an initial borrowing of 7,500 ETH to buy long positions in sUSD at Synthetix. (Blue Fox Note: The approximate attack steps are as follows: 1. Loan 7,500 ETH through flash loan; 2. Exchange 3,517 ETH of them to Synthetix for USD 940,000 sUSD, and the sUSD price is about USD 1 at this time; 3. Use 900ETH purchases sUSD on Kyber and Uniswap, pushing the price of sUSD up to $ 2; 4. Borrowing 6,796ETH through mortgage sUSD, the reason why the previous 940,000 sUSD can borrow so much ETH is because the price of sUSD is pushed up to 2 USD, which means collateral equivalent to USD 1.88 million; 5. Use the borrowed 6,796 ETH and the remaining 3,083 ETH to repay the 7,500 ETH flash loan, then there will be 6,796 + 3,083-7500 = 2,379 ETH gain)

Oracle manipulation to reduce required fluidity

For some attacks, we can assume that 50,000 MKR is sufficient. Even though the number of tokens required in practice may be larger, flash lending will put Maker security in a difficult position if there is no governance delay. Using a naive approach, an attacker can borrow a flash loan to buy 50,000 MKR tokens.

At the current exchange rate, the attacker needs about 485,000 ETH to purchase MKR because only one exchange Kyber has a sufficient amount. However, an attacker can also buy MKR on multiple exchanges, buy 38,000 MKR on Kyber, buy 115,000 MKR on Uniswap, and buy 500MKR from Switcheo, for a total of 378,940 ETH. This number is still high, but has been reduced by nearly 100,000 ETH.

Attackers can use oracle control strategies to effectively reduce the price of MKR on Kyber and Uniswap. These are the two largest MKR providers and have shown to be vulnerable to price manipulation by oracles. Further analysis is needed to determine how much MKR prices can be reduced. However, for less liquid tokens like wBTC, an attacker can manipulate the exchange rate by about 285%.

Get enough liquidity

WX20200221-211832 @ 2x

Even using the oracle to manipulate, a large amount of ETH is required to perform an attack on the Maker. However, attackers can increase their liquidity by making two flash loans in the same transaction. In order to protect themselves from re-entry attacks, Aave and dYdX only allow a single flash loan in a transaction. However, an attacker can borrow ETH from these two different protocols in the same transaction.

WX20200221-211842 @ 2x

Therefore, as of February 18, the attacker had a 90,000 ETH pool on dYdX and 17,000 ETH pool on Aave. Therefore, with the current liquidity, the attacker can obtain a total of about 107,000 ETH loans from dYdX and Aave, and through the borrowed ETH, try to use it to manipulate the MKR token price, and thus obtain enough MKR tokens to Replaces the current Make governance contract.

For this method to succeed, the attacker must be able to reduce the average MKR price by at least 3.54 times. Alternatively, the attacker can wait for dYdX and Aave to increase their liquidity pool. Since the current liquidity pool growth rate for both protocols is around 5%, it seems unlikely that this attack will be implemented within two months.

Combination attack?

Obviously, two methods of crowdfunding and flash loan can be combined. Using the currently available approximately 107,000 ETH, approximately 10,800 MKR can be obtained from Kyber. In this way, the amount of crowdfunding MKR required by multiple attackers decreased from 50,000 to 39,200. In an informal Twitter survey, it appears that some people are indeed interested in this attack:

WX20200221-212000 @ 2x

It should also be noted that the top four account holders (there are actually five, irrespective of the current Maker governance contract) can perform attacks without crowdfunding.

No time to wait.

Once enough liquidity is obtained through the flash loan pool (a combination manipulated with or without a oracle), anyone can take over the Maker governance contract. When liquidity pool funds reach this threshold, once Maker starts voting, Maker needs to ensure that MKR tokens are distributed as little as possible. If at any time during the voting process the distribution of MKR is allowed to exploit this vulnerability, then any collateral may be removed.

The attacker will be able to take $ 700 million worth of ETH collateral and be able to issue new Dais at will. This attack will spread to the entire DeFi field as Dai is used as collateral assets in other protocols. In addition, attackers can use the new Dai to trade other $ 230 million worth of tokens.

Countermeasure

Maker should develop new governance contracts to prevent flash loans from attacking its systems. Specifically, the new governance contract should be able to be checked by the Maker Foundation to see if it has malicious code and to have enough time to respond. At a minimum, a new governance contract should not take effect in a single transaction. In this way, the attacker cannot profit from the attack, which makes it impossible to repay the flash loan. If the attacker is unable to repay the flash loan, the attack will not occur.

Maker will vote on such contracts on Friday, February 21, 2020 at 12pm PST. It recommends activating the Governance Security Module (GSM) on the contract and preventing such flash loan attacks.