A hacker who bet $3 million that a decentralized finance (DeFi) protocol could be exploited hit the jackpot this weekend, walking away with a tidy $12.6 million profit.
While cryptocurrency hacks, and DeFi hacks in particular, are nothing new, and a loss of $15.6 million is barely worth mentioning (DeFi bridge protocol Ronin Network was hit for a record $625 million last week), this one had a number of novel, and very disturbing, aspects.
See also: In a $625 Million Hack, a Bigger Crypto Security Problem Is Exposed
Above all, this feat was a real gamble. If he failed, the scammer would have lost $3 million worth of ether.
Then there is the further blow to DeFi’s security, and more broadly to the potential for crypto market manipulation that the Securities and Exchange Commission (SEC) says is plaguing the “Wild West” of finance.
Read more: Gensler says SEC is coming for crypto exchanges
In the case of Inverse Finance’s Anchor money market, an oracle – a “trusted” source of price information that the self-executing smart contracts of standalone DeFi projects rely on when settling transactions – was led to believe that Inverse’s native INV token was worth much more than it really was.
This allowed the scammer to take out much larger loans of ether, wrapped bitcoin, DOLA stablecoin and Yearn.Finance’s YFI token than the collateral warranted. The borrowed assets were quickly sold for a large profit – $15.6 million – while the collateral was abandoned.
Along the way, the thief exploited DeFi’s main strength – and its biggest weakness: its lack of central management.
First, the attack relied on the anonymity of mixing services. Second, there was possible market manipulation on decentralized exchanges (DEX). Third, there was the sometimes misplaced trust in information from oracles. And fourth, there was no one for aggrieved investors to sue.
Mixing it up
While most hacks end with the scammer sending ill-gotten crypto to a mixing service to hide its provenance and make the funds much less detectable, the Inverse Finance exploit started at one.
The person behind the attack began by withdrawing $3 million worth of Ether from Tornado Cash, a well-known Ethereum service that mixes cryptocurrencies from multiple users. This obscures their origin, erecting a big hurdle for law enforcement and the increasingly sophisticated capabilities of blockchain intelligence firms when it comes to tracing cryptocurrency to a real human criminal.
Read more: When privacy matters, crypto users turn to mixing services
Tornado Cash is itself a DeFi project run by a self-contained Decentralized Autonomous Organization (DAO) and controlled by a smart contract, so there is no way – at least without a lot of luck and painstaking work – to see where the funds came from.
Of course, the Bank for International Settlements (BIS) and the US Department of Justice (DOJ) have stated that DeFi projects are not as decentralized as they claim, given that developers and large token holders (who can vote to change the DAO’s rules) often wield outsized influence over them.
See more: Bank for International Settlements calls DeFi decentralization an illusion
Wild, Wild West
One of the reasons the SEC has staunchly refused to follow the decision of many other countries to allow bitcoin exchange-traded funds (ETFs) is the potential for market manipulation by “whales” who hold enough cryptocurrency to move markets without exposing their identity.
In this case, the Inverse Finance attacker used millions of dollars in ether to fund a flurry of trades on SushiSwap, a leading decentralized exchange, which made the price of INV look like it was skyrocketing.
This tricked the oracle that reads the SushiSwap INV/ETH trading pair – the weak point the exploit targeted – into marking up the value of INV, a price that was quickly passed on to Anchor. The risk was that arbitrageurs would correct the price before the loans could be taken out and the profits flow back through Tornado Cash.
The SEC has approved ETFs for bitcoin futures, but not cash-traded ETFs that allow investors to gain exposure to cryptocurrency without the need to buy and hold it personally.
Without a surveillance-sharing agreement with another regulated market of the kind available for bitcoin derivatives, the SEC has issued numerous denials over the past few months. An exchange should “establish that the underlying market inherently possesses a unique resistance to manipulation beyond the protections employed by traditional commodity or securities markets,” the SEC said in January after refusing to allow asset management firm Arca to launch a spot bitcoin ETF on the New York Stock Exchange. “No listing exchange has discharged its burden of making such a showing.”
Blind as an oracle
Blockchain oracles are meant to be neutral and trusted providers of information flow.
Well-known weather company AccuWeather has set itself up as a weather oracle, enabling blockchain insurtech companies to offer crop insurance that automatically pays farmers based on weather data.
Read more: Self-executing DeFi payments enable crop insurance for smallholder farmers in Africa
The problem is that smart contracts can actually be very dumb. If they are not carefully drafted and programmed, the result can be inappropriate payments or even contracts unable to disburse the locked-in funds.
See more: What is a smart contract?
In this case, the SushiSwap oracle – which is run by its own smart contract – could not detect the manipulation and passed the bad price through to the smart contract-controlled lending protocol that depended on it, according to blockchain security firm PeckShield.
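The manipulation sequence described above, simulated as an added example that is not Inverse Finance’s, SushiSwap’s or PeckShield’s code: a constructed constant-product pool shows how one large buy moves the spot price, how much extra borrowing power a lending market reading that spot price would grant, and how a time-weighted average plus a deviation guard (assumed mitigations, not something the page says Anchor used) would have read the same trade.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool with constructed reserves; not SushiSwap's contract."""
    reserve_inv: float
    reserve_eth: float

    def spot_price(self) -> float:
        """Current ETH-per-INV price implied by the reserves."""
        return self.reserve_eth / self.reserve_inv

    def buy_inv_with_eth(self, eth_in: float) -> float:
        """Swap ETH for INV and return the INV received; big swaps move the price."""
        k = self.reserve_inv * self.reserve_eth
        new_eth = self.reserve_eth + eth_in
        new_inv = k / new_eth
        inv_out = self.reserve_inv - new_inv
        self.reserve_inv, self.reserve_eth = new_inv, new_eth
        return inv_out


def twap(price_history: list) -> float:
    """Time-weighted average over equally spaced samples (one per block)."""
    return sum(price_history) / len(price_history)


def max_borrow_eth(collateral_inv: float, inv_price: float, factor: float = 0.5) -> float:
    """Borrowing power a lending market grants against INV valued at inv_price."""
    return collateral_inv * inv_price * factor


def deviation_guard(spot: float, reference: float, max_dev: float = 0.2) -> bool:
    """Accept a spot price only if it is within max_dev (20%) of the reference."""
    return abs(spot - reference) / reference <= max_dev


def simulate(manipulation_eth: float = 1000.0, collateral_inv: float = 500.0) -> dict:
    pool = ConstantProductPool(reserve_inv=10_000.0, reserve_eth=1_000.0)  # 0.1 ETH/INV
    fair = pool.spot_price()
    history = [fair] * 10               # ten calm blocks before the trade
    pool.buy_inv_with_eth(manipulation_eth)
    spot = pool.spot_price()            # price read right after the large buy
    history.append(spot)
    avg = twap(history)
    return {
        "fair_price": fair, "manipulated_spot": spot, "twap_price": avg,
        "borrow_fair": max_borrow_eth(collateral_inv, fair),
        "borrow_spot": max_borrow_eth(collateral_inv, spot),
        "borrow_twap": max_borrow_eth(collateral_inv, avg),
        "spot_accepted": deviation_guard(spot, avg),
    }
```

With the constructed reserves a single 1,000 ETH buy quadruples the spot price and the spot-based borrowing limit, while the averaged price moves only modestly and the deviation guard rejects the spot reading outright.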
Bet on goodwill
While Inverse Finance, which presents itself as a “decentralized global central bank”, said it would put forward a governance proposal “to ensure that all wallets impacted by price manipulation are 100% reimbursed”, there is no guarantee that the project’s governance token holders will agree.
1. The plan to be proposed to the governance is to ensure that all wallets impacted by price manipulation are reimbursed at 100%. We have several ways to accomplish this and will provide updates as the DAO discusses our options.
— Inverse+ (@InverseFinance) April 2, 2022
That’s what happened to MakerDAO lending protocol borrowers when a bug caused over $8 million in collateral to be sold for next to nothing. After an initial vote to compensate victims, large token holders voted no because it would reduce the value of their holdings.
However, the absence of a central body to sue, which DeFi claims as a strength, is about to be tested as these MakerDAO victims attempt to take legal action.
Read more: PoolTogether trial will test if DeFi is truly decentralized
This is likely why the Inverse Finance Twitter thread revealing the loss also said: “We have several ways to achieve this and will provide updates as the DAO discusses our options... There is no plan or need to mint additional INV as part of the process to reimburse wallet holders.”