·

DeFi flash loan attack – what just happened?

Posted by
DappRadar

How an opportunist walked away with $360,000 in ETH From a single flash loan transaction.

DeFi has been hot property in 2020. Things got even more interesting in February when an audacious opportunist/hacker made off with over a quarter of a million dollars in ETH.

The reason for the confusion over whether this was a hack or just somebody using what was available is that what they did was not illegal. 

We thought we would break down the steps and also explain the jargon used in most coverage of this incident. Newcomers to the DeFi space can begin to understand the power of the products on offer here. Interestingly the person in question achieved the heist with just a few, highly calculated moves.

First, you need capital

Normally, to borrow capital using DeFi products a CDP (collateralized debt position) is required. Meaning that to borrow $100 worth of BTC you would need to deposit roughly $120 worth of ETH. If you then fail to pay back the $100 of BTC, you will lose your collateral. 

A smart-contract enabled flash loan is a product that allows you to borrow an asset without having any collateral. But, this is only allowed when you pay it back in the same transaction – hence the term ‘flash loan’. If the user fails to pay back the borrowed amount, the transaction will simply revert.

Flash loan

The flash loan was needed to provide the capital to kick off this entire process and that is where decentralized exchange DyDx came into play. DyDx offered the user a flash loan of 10,000 WETH (Wrapped ETH) which was worth around $3M. Minus a few transaction fees, the hacker had access to almost $3M in capital in just a few minutes. 

WETH is Wrapped Ethereum and it is backed 1-to-1 with real Ethereum except that it’s an ERC20 token. Meaning that it can be traded directly with other ERC20 tokens, including WBTC (Wrapped Bitcoin), which will feature later.

The person now had the capital for a short position and try to manipulate the market to make a profit. A short position is a method employed in financial markets to make money when the asset has a decreasing price. 

When you short 112 WBTC, you borrow 112 WBTC from other parties and sell them. For example, at $10,000 per WBTC, you would then have $1,120,000. 

You still need to pay back the original loan of 112 WBTC. When you do, if the price of WBTC has dropped to $9,000 during that time frame then it only costs you 112 x $9,000 = $1,008,000 to pay back your loan. 

$1,120,000 – $1,008,000 = $112,000 profit from the short position.

Market manipulation 

In this case, the person divided the flash loan into two parts. Firstly going to Fulcrum, a trading platform built from bZx that allows margin trading. Here they opened a short position of 112 WBTC, meaning that they would profit if the price of WBTC decreased. 

To ensure the price of WBTC did go down, the person then went to decentralized trading platform Compound with the other half of the flash loan. Here they borrowed 112 WBTC using the WETH as collateral via a collateralized debt position. Compound is a decentralized lending platform where users can take out loans of different crypto assets with CDPs. 

Fulcrum exclusively uses the Uniswap decentralized exchange price feed to determine its WBTC price. Meaning that in order to profit from shorting on Fulcrum, the person first had to crash the price on Uniswap. With those 112 WBTC, they went and crashed the price of WBTC on Uniswap, allowing them to profit from the short position just opened on Fulcrum.

Flash loan single transaction manipulation, Feb 2020

Pay your debts! 

All that was left now was to pay the flash loan back. With profit gained from the short position, the person repaid the flash loan and pocketed the remaining profit. Which in this incident added up to approximately $360,000. 

There has been much debate around this topic for two main reasons. The first reason is a question of ethics. Is the person in question here a hacker or just an opportunist making the most of the product available to them? We would love to know your thoughts on this incident! Opportunist or hacker?

And two, the benefits and accessibility of DeFi products for the masses are becoming very clear to see in 2020.

DappRadar will be keeping a close eye on developments in the space.

Share this post on social media

Share this article:

Similar Articles

Ethereum and Bitcoin – What’s the difference?

Find out more about the two most famous cryptocurrencies
© 2018-2020 DappRadar, UAB