DeFi has grown to be a significant part of the crypto industry. The total value locked in DeFi contracts on Ethereum recently surpassed $1.6 billion. Many feel that DeFi could be a game-changer in the world of finance, driven by blockchain and cryptocurrency.
However, 2020 has been both a good and a bad year for Decentralized Finance. Over the past months, there have been multiple attacks on lending protocols, resulting in losses worth millions. Most of these attacks exploited bugs and loopholes in this fairly new and upcoming market.
Back in February, lending protocol bZx lost $900,000 in two consecutive attacks. The attacker exploited the system by first taking a loan of 10,000 Ether from lending protocol dYdX and then using 5,500 ETH of it as collateral against a loan of 112 wrapped Bitcoin (WBTC), worth over $1 million, on DeFi protocol Compound.
In a similar incident, Balancer, the popular automated market maker protocol, lost approximately half a million dollars on June 29, after an attacker targeted two multi-token pools that contained deflationary tokens.
The attack was executed in two separate stages 30 minutes apart from each other. The first attack took place at 6:03 and the second attack was executed at 6:49 pm. The targets were specifically the pools with STA and STONK, deflationary tokens with transfer fees.
First, the attacker took out a $23 million flash loan of ETH from dYdX, converted it to WETH, and then went on to swap WETH to STA back and forth. The process was repeated 24 times, and because a 1% transaction fee was subtracted on each trade, this allowed the attacker to drain the pool's STA balance down to 0.000000000000000001 STA.
In total, the attacker got away with 601.3 ETH (~$134.8k), 11.36 WBTC (~$103.5k), 22,593 LINK (~$102.8k), and 60,915 SNX (~$110.9k). The total losses were estimated to be around $452,000.
According to a report on the attack by DEX aggregator 1inch, the attacker was a “very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.” The attacker mixed the ETH used to deploy the smart contracts through Tornado Cash.
In their official announcement, the team behind Balancer noted that they were not aware that an attack of this sort could be executed. They vowed to add deflationary tokens to the UI blacklist, similar to what they have done for no-bool transfer tokens. The protocol added that it has already undergone two full audits and has a third one planned.
This goes to show that developers need to pay more attention to these minute loopholes and bugs, which can result in heavy damages. The DeFi space has become a key area within the crypto space, and if risks like these persist, it will be very difficult for the DeFi market to reach mainstream adoption.
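To make the risk of transfer-fee tokens concrete, the following is an added example, not code from Balancer or the 1inch report. It assumes a hypothetical pool that keeps its own ledger of deposits, and shows how that ledger drifts from the real balance when a 1% fee is taken on each transfer, how crediting the measured balance change avoids the drift, and how a listing-time probe can flag such tokens.

```python
# Constructed model, not Balancer's code: integer token units, 1% fee per transfer.
FEE_PERCENT = 1


class FeeToken:
    """Token that destroys FEE_PERCENT of every transfer (deflationary)."""

    def __init__(self):
        self.balances = {}

    def mint(self, holder, amount):
        self.balances[holder] = self.balances.get(holder, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * FEE_PERCENT // 100
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


class Pool:
    """Hypothetical pool that keeps its own ledger of tokens held."""

    def __init__(self, token, credit_received):
        self.token = token
        self.recorded = 0
        self.credit_received = credit_received  # True = hardened accounting

    def deposit(self, sender, amount):
        before = self.token.balances.get("pool", 0)
        self.token.transfer(sender, "pool", amount)
        received = self.token.balances["pool"] - before
        # Weak: trust the nominal amount. Hardened: credit the measured delta.
        self.recorded += received if self.credit_received else amount

    def drift(self):
        """Tokens the ledger claims to hold but the pool does not."""
        return self.recorded - self.token.balances.get("pool", 0)


def ledger_drift(credit_received, deposits=24, amount=10_000):
    """Run constructed deposits and return the ledger/balance mismatch."""
    token = FeeToken()
    token.mint("trader", deposits * amount)
    pool = Pool(token, credit_received)
    for _ in range(deposits):
        pool.deposit("trader", amount)
    return pool.drift()


def is_fee_on_transfer(token, amount=10_000):
    """Listing-time probe: does a transfer deliver less than was sent?"""
    token.mint("probe", amount)
    before = token.balances.get("sink", 0)
    token.transfer("probe", "sink", amount)
    return token.balances["sink"] - before < amount
```

The deposit size and account names are constructed; only the 1% fee and the count of 24 come from the article.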