Decentralized finance (DeFi) is the use of decentralized ledgers (like Ethereum) for financial transactions.  A major part of the DeFi space is trading, where traders take advantage of fluctuations in market prices and exchange rates to make a profit.

Understanding the potential for profit in the DeFi space (and how some traders are “hacking” it) requires a bit of background knowledge:

• Transactions: A blockchain “transaction” is a set of actions taken at the same time on a blockchain.  A single blockchain transaction can contain several financial transactions (loans, trades, etc.).
• Flash Loan: A flash loan is a loan that is taken out and paid off within a single transaction.  These loans do not require collateral since they are guaranteed to be paid off.  Failed Ethereum transactions are rolled up as if they never happened.
• Slippage: Slippage is a disconnect between an exchange’s exchange rate for an asset and the actual market rate.  Traders can take advantage of slippage to make a profit.

Putting all of these different factors together, a DeFi “hacker” can make large guaranteed profits within a single transaction on the blockchain.

Exploiting Flash Loan Functionality

One example of the impact of DeFi hacking is the first hack against the bZx exchange.  This hack enabled the attacker to make a profit of about $355,880 in Ether by the end of the transaction.

The image above shows the flow of events that enabled the attacker to make this profit:

1. The attacker takes a 10,000 ETH flash loan out from dYdX
2. Using 5,500 of this loan as collateral, the attacker borrows 112 wBTC from Compound
3. With 1,300 of the original loan, the attacker takes out 5x leverage on ETH/wBTC from bZx Fulcrum
   1. To service this, Fulcrum purchases 51 wBTC with 4,338 ETH from Kyberswap.  This causes slippage since Kyberswap had limited liquidity, driving up the value of ETH relative to wBTC
4. The 112 wBTC borrowed from Compound is traded for 6871 ETH at Kyberswap
5. 10,000 ETH of the attacker’s 10,071 ETH (6871 from step 4 and 3,200 left over from the original flash loan) goes to pay off the original flash loan.  The rest goes to the attacker.
6. The attacker pays off the Compound loan, trading 112 wBTC (worth about 4,300 ETC) for the original collateral of 5,500 ETH.

In the end, the attacker has a net profit of 1,271 ETH (71 from step 5 and 1200 from step 6), worth about $355,880.  The entire operation was made possible by a bug in the bZx code (since fixed) that failed to check for slippage before making the purchase (in 3a) from Kyberswap.

White Hat or Black Hat Hacking?

Whether or not the bZx attacker “hacked the system” isn’t really a question.  The attacker took advantage of the flaw in the code to use bZx’s resources to dramatically change the wBTC/ETH exchange rate on Kyberswap.  This allowed the attacker to cash out their wBTC at the expense of bZx.

However, the attacker accomplished this by doing exactly what they were supposed to do under the “rules” of DeFi.  Tools like Furucombo are designed to help traders to build transactions like this to make a profit.  The bZx hacker only “cheated” by taking advantage of a flaw in bZx Fulcrum’s code to have a much bigger payoff than expected.

This vulnerability could have been identified by an in-depth security audit and penetration test of bZx.  But was the attacker wrong to take advantage of it and play the DeFi game “too well”?