Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit

  • Conference paper
Financial Cryptography and Data Security (FC 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12674)

Abstract

Credit allows a lender to loan out surplus capital to a borrower. In the traditional economy, credit bears the risk that the borrower may default on its debt; the lender hence requires upfront collateral from the borrower, plus interest fee payments. Due to the atomicity of blockchain transactions, lenders can offer flash loans, i.e., loans that are only valid within one transaction and must be repaid by the end of that transaction. This concept has led to a number of interesting attack possibilities, some of which were exploited in February 2020.

This paper is the first to explore the implications of transaction atomicity and flash loans for the nascent decentralized finance (DeFi) ecosystem. We show quantitatively how transaction atomicity increases the arbitrage revenue. We moreover analyze two existing attacks with ROIs beyond 500k%. We formulate finding the attack parameters as an optimization problem over the state of the underlying Ethereum blockchain and the state of the DeFi ecosystem. We show how malicious adversaries can efficiently maximize an attack profit and hence damage the DeFi ecosystem further. Specifically, we present how two previously executed attacks can be “boosted” to result in a profit of 829.5k USD and 1.1M USD, respectively, which is a boost of 2.37\(\times \) and 1.73\(\times \), respectively.

Notes

  1. Besides the risk of smart contract vulnerabilities.

  2. https://www.scipy.org/. We use the minimize function in the optimize package.

  3. We collect in total 5,616 flash loans with one transaction performing two flash loans.

References

  1. Aavewatch - live protocol stats! https://aavewatch.now.sh/

  2. Bti market surveillance report - september 2019 - bti. https://www.bti.live/bti-september-2019-wash-trade-report/, Accessed 24 Feb 2020

  3. bzx - a protocol for tokenized margin trading and lending. https://bzx.network/

  4. Compound. https://compound.finance/

  5. Consensys/0x-review: Security review of 0x smart contracts. https://github.com/ConsenSys/0x-review

  6. Ganache — truffle suite. https://www.trufflesuite.com/ganache

  7. Home — prevent flash loan attacks. https://preventflashloanattacks.com/

  8. marbleprotocol/flash-lending: Flash lending smart contracts. https://github.com/marbleprotocol/flash-lending

  9. Report of investigation pursuant to section 21(a) of the securities exchange act of 1934: The dao. https://www.sec.gov/litigation/investreport/34-81207.pdf

  10. Slippage definition & example. https://www.investopedia.com/terms/s/slippage.asp

  11. Uniswap. https://uniswap.org/

  12. U.s. corporate debt soars to record $10.5 trillion - marketwatch. www.marketwatch.com/story/u-s-corporate-debt-soars-to-record-10-5-trillion-11598921886#:~:text=U.S.%20corporations%20now%20owe%20a,new%20BofA%20Global%20Research%20report

  13. Aave: Aave Protocol (2020). https://github.com/aave/aave-protocol

  14. Amani, S., Bégel, M., Bortin, M., Staples, M.: Towards verifying ethereum smart contract bytecode in isabelle/hol. In: Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs, pp. 66–77 (2018)

  15. Bentov, I., et al.: Tesseract: real-time cryptocurrency exchange using trusted hardware. In: Conference on Computer and Communications Security (2019)

  16. Bhargavan, K., et al.: Formal verification of smart contracts: short paper. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security, pp. 91–96 (2016)

  17. Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.: Sok: research perspectives and challenges for bitcoin and cryptocurrencies. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 104–121. IEEE (2015)

  18. Breidenbach, L., Daian, P., Tramèr, F., Juels, A.: Enter the hydra: towards principled bug bounties and exploit-resistant smart contracts. In: 27th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 18), pp. 1335–1352 (2018)

  19. Brent, L., et al.: Vandal: a scalable security analysis framework for smart contracts (2018). arXiv preprint arXiv:1809.03981

  20. CoinMarketCap: Bitcoin market capitalization (2019)

  21. Crytic: Echidna: Ethereum fuzz testing framework. https://github.com/crytic/echidna

  22. Daian, P., et al.: Flash Boys 2.0: frontrunning, transaction reordering, and consensus instability in decentralized exchanges. In: IEEE Security and Privacy 2020 (2020)

  23. DiCiccio, T.J., Efron, B.: Bootstrap confidence intervals. In: Statistical Science, pp. 189–212 (1996)

  24. dYdX: dYdX (2020). https://dydx.exchange/

  25. Eskandari, S., Moosavi, S., Clark, J.: SoK: transparent dishonesty: front-running attacks on blockchain. In: Bracciali, A., Clark, J., Pintore, F., Rønne, P.B., Sala, M. (eds.) FC 2019. LNCS, vol. 11599, pp. 170–189. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-43725-1_13

  26. Gandal, N., Hamrick, J., Moore, T., Oberman, T.: Price manipulation in the Bitcoin ecosystem. J. Monet. Econ. 95(4), 86–96 (2018)

  27. Grishchenko, I., Maffei, M., Schneidewind, C.: A semantic framework for the security analysis of ethereum smart contracts. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 243–269. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_10

  28. Hamrick, J., et al.: The economics of cryptocurrency pump and dump schemes (2018)

  29. Hildenbrandt, E., et al.: Kevm: a complete semantics of the ethereum virtual machine. Technical report (2017)

  30. Hirai, Y.: Defining the ethereum virtual machine for interactive theorem provers. In: Brenner, M., Rohloff, K., Bonneau, J., Miller, A., Ryan, P.Y.A., Teague, V., Bracciali, A., Sala, M., Pintore, F., Jakobsson, M. (eds.) FC 2017. LNCS, vol. 10323, pp. 520–535. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_33

  31. Jiang, B., Liu, Y., Chan, W.: Contractfuzzer: fuzzing smart contracts for vulnerability detection. In: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pp. 259–269. ACM (2018)

  32. Kalodner, H.A., Carlsten, M., Ellenbogen, P., Bonneau, J., Narayanan, A.: An empirical study of namecoin and lessons for decentralized namespace design. In: WEIS. Citeseer (2015)

  33. Kamps, J., Kleinberg, B.: To the moon: defining and detecting cryptocurrency pump-and-dumps. Crime Sci. 7(1), 1–18 (2018). https://doi.org/10.1186/s40163-018-0093-5

  34. Kyber: Kyber (2020). https://kyber.network/

  35. Labs, A.: Idex: a real-time and high-throughput ethereum smart contract exchange. Technical report (2019)

  36. Liu, C., Liu, H., Cao, Z., Chen, Z., Chen, B., Roscoe, B.: Reguard: finding reentrancy bugs in smart contracts. In: 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion), pp. 65–68. IEEE (2018)

  37. Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269 (2016). https://doi.org/10.1145/2976749.2978309, http://dl.acm.org/citation.cfm?doid=2976749.2978309

  38. Luu, L., Chu, D.H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269 (2016)

  39. Maker: Makerdao (2019). https://makerdao.com/en/

  40. MakerDao: Intro to the oasisdex protocol (2019). Accessed 12 Nov 2019, https://github.com/makerdao/developerguides/blob/master/Oasis/intro-to-oasis/intro-to-oasis-maker-otc.md

  41. Mavroudis, V.: Market manipulation as a security problem (2019). arXiv preprint arXiv:1903.12458

  42. Mavroudis, V., Melton, H.: Libra: fair order-matching for electronic financial exchanges (2019). arXiv preprint arXiv:1910.00321

  43. Mueller, B.: Mythril-reversing and bug hunting framework for the ethereum blockchain (2017)

  44. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)

  45. Nikolić, I., Kolluri, A., Sergey, I., Saxena, P., Hobor, A.: Finding the greedy, prodigal, and suicidal contracts at scale. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 653–663 (2018)

  46. Shleifer, A., Vishny, R.W.: The limits of arbitrage. J. Finan. 52(1), 35–55 (1997)

  47. Tikhomirov, S., Voskresenskaya, E., Ivanitskiy, I., Takhaviev, R., Marchenko, E., Alexandrov, Y.: Smartcheck: static analysis of ethereum smart contracts. In: Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 9–16 (2018)

  48. Tsankov, P., Dan, A., Drachsler-Cohen, D., Gervais, A., Buenzli, F., Vechev, M.: Securify: practical security analysis of smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 67–82. ACM (2018)

  49. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper (2014)

  50. Wüstholz, V., Christakis, M.: Harvey: a greybox fuzzer for smart contracts (2019). arXiv:1905.06944

  51. Xu, J., Livshits, B.: The anatomy of a cryptocurrency pump-and-dump scheme. In: Proceedings of the Usenix Security Symposium (2019)

  52. Zhou, L., Qin, K., Torres, C.F., Le, D.V., Gervais, A.: High-frequency trading on decentralized on-chain exchanges (2020). arXiv preprint arXiv:2009.14021

Acknowledgments

We thank the anonymous reviewers and Johannes Krupp for providing valuable comments and helpful feedback that significantly strengthened the paper. We are moreover grateful to the Lucerne University of Applied Sciences and Arts for generously supporting Kaihua Qin’s Ph.D.

Corresponding author

Correspondence to Kaihua Qin.

Appendices

A Classifying Flash Loan Use Cases

In Fig. 11, we present the DeFi platforms that use a total of 5,615 Aave flash loan transactions (cf. Note 3) between the 8th of January, 2020 and the 20th of September, 2020. We find that more than 30% of the flash loans are interacting with Kyber, MakerDAO, and Uniswap. Compound and MakerDAO accumulate 433.81M USD flash loans which occupy 90% of the total flash loan amount. On average, a flash transaction uses 1.43M gas, while the most complex one consumes 6.3M gas.

Fig. 11. Classifying the usage of flash loans in the wild, based on an analysis of transactions between the 8th of January, 2020 and the 20th of September, 2020 on Aave [13]. Others include the platform combinations that appear less than five times and the ones of which the owner platforms are unknown to us. The total amount is calculated at the price – DAI ($1); ETH ($350); USDC ($1); BAT ($0.2); WBTC ($10,000); ZRX ($0.3); MKR ($500); LINK ($10); USDT ($1); REP ($15), KNC ($1.5), LEND ($0.5), sUSD ($1).

B Flash Loan Use Cases

B.1 Wash Trading

The trading volume of an asset is a metric indicating its popularity. The most popular assets therefore are supposed to be traded the most—e.g., Bitcoin to date enjoys the highest trading volume (reported up to 50T USD per day) of all cryptocurrencies.

Malicious exchanges or traders can mislead other traders by artificially inflating the trading volume of an asset. In September 2019, 73 out of the top 100 exchanges on Coinmarketcap [20] were wash trading over 90% of their volumes [2]. In centralized exchanges, operators can easily and freely create fake trades in the backend, while decentralized exchanges settle trades on-chain. Wash trading on DEX thus requires wash traders to hold and use real assets. Flash loans can remove this “obstacle” and wash trading costs are then reduced to the flash loan interest, trading fees, and (blockchain) transaction fees, e.g., gas. A wash trading endeavor to increase the 24-h volume by 50% on the ETH/DAI market of Uniswap would for instance cost about 1,298 USD (cf. Fig. 12). We visualize in Fig. 12 the required cost to create fake volumes in two Uniswap markets. At the time of writing, the transaction fee amounts to 0.01 USD, the flash loan interests range from a constant 1 Wei (on dYdX) to 0.09% (on Aave), and exchange fees are about 0.3% (on Uniswap).

Fig. 12. Wash trading cost on two Uniswap markets with flash loans costing \(0.09\%\) (Aave) and a constant of 1 Wei (dYdX) respectively. The 24-h volumes of ETH/DAI and ETH/WBTC market were 963,786 USD and 67,690 USD respectively (1st of March, 2020).

Wash Trading Example: On March 2nd, 2020, a flash loan of 0.01 ETH borrowed from dYdX performed two back-and-forth trades (first converted 0.01 ETH to 122.1898 LOOM and then converted 122.1898 LOOM back to 0.0099 ETH) on Uniswap ETH/LOOM market (cf. 0xf65b384ebe2b7bf1e7bd06adf0daac0413defeed42fd2cc72a75385a200e1544). The 24-h trading volume of the ETH/LOOM market increased by 25.8% (from 17.71 USD to 22.28 USD) as a result of the two trades.

B.2 Collateral Swapping

We classify DeFi platforms that rely on users providing cryptocurrencies [13, 24, 39] as follows: (i) a DeFi system where a new asset is minted and backed by user-provided collateral (e.g., MakerDAO’s DAI or SAI [39]) and (ii) a DeFi system where long-term loans are offered and assets are aggregated within liquidity pools (e.g., margin trading [3] or long term loans [13]). Once a collateral position is opened, DeFi platforms store the collateral assets in a vault until the new/borrowed assets are destroyed/returned. Because cryptocurrency prices fluctuate, this asset lock-in bears a currency risk. With flash loans, it is possible to replace the collateral asset with another asset, even if a user does not possess sufficient funds to destroy/return the new/borrowed asset. A user can close an existing collateral position with borrowed funds, and then immediately open a new collateral position using a different asset.

Fig. 13. Flash mint example.

Collateral Swapping Example: On February 20th, 2020, a flash loan borrowed 20.00 DAI (from Aave) to perform a collateral swap (on MakerDAO), cf. 0x5d5bbfe0b666631916adb8a56821b204d97e75e2a852945ac7396a82e207e0ca. Before this transaction, the transaction sender used 0.18 WETH as collateral for instantiating 20.00 DAI (on MakerDAO). The transaction sender first withdraws all WETH using the 20.00 DAI flash loan, then converts 0.18 WETH for 178.08 BAT (using Uniswap). Finally the user creates 20.03 DAI using BAT as collateral, and pays back 20.02 DAI (with a fee to Aave). This transaction converts the collateral from WETH to BAT and the user gained 0.01 DAI, with an estimated gas fee of 0.86 USD.

B.3 Flash Minting

Cryptocurrency assets are commonly known as either inflationary (further units of an asset can be mined) or deflationary (the total number of units of an asset is finite). Flash minting is an idea to allow an instantaneous minting of an arbitrary amount of an asset—the newly-mined units exist only during one transaction. It is as yet unclear where this idea might be applicable; the minted assets could momentarily increase liquidity.

Flash Minting Example: A flash mint function (cf. Fig. 13) can be integrated into an ERC20 token, to mint an arbitrary number of coins within a transaction only. Before the transaction terminates, the minted coins will be burned. If the available amount of coins to be burned by the end of the transaction is less than those that were minted, the transaction is reverted (i.e., not executed). An example ERC20 flash minting code could take the following form (cf. 0x09b4c8200f0cb51e6d44a1974a1bc07336b9f47f):
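The mint, use, burn-or-revert rule described above, as an added Python simulation; it is not the code of the contract the paper cites, nor the paper's Fig. 13. The class `FlashMintToken`, the helper `execute_transaction` and the account names are hypothetical, and the sample ledger is constructed.

```python
import copy


class Revert(Exception):
    """Signals that the enclosing transaction must be rolled back."""


class FlashMintToken:
    """Toy ERC20-style ledger with a flash-mint entry point (hypothetical model)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(self.balances.values())

    def transfer(self, sender, recipient, amount):
        if amount < 0 or self.balances.get(sender, 0) < amount:
            raise Revert("transfer exceeds balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def _mint(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.total_supply += amount

    def _burn(self, account, amount):
        # The rule from the text: fewer coins available than were minted -> revert.
        if self.balances.get(account, 0) < amount:
            raise Revert("not enough coins left to burn")
        self.balances[account] -= amount
        self.total_supply -= amount

    def flash_mint(self, borrower, amount, callback):
        """Mint `amount`, hand control to the borrower, then burn the same amount."""
        if amount <= 0:
            raise Revert("amount must be positive")
        self._mint(borrower, amount)
        callback(self, borrower, amount)  # borrower-controlled logic runs here
        self._burn(borrower, amount)


def execute_transaction(token, tx):
    """Apply tx(token) atomically; on Revert restore the pre-transaction state."""
    snapshot = copy.deepcopy(vars(token))
    try:
        tx(token)
        return True
    except Revert:
        vars(token).clear()
        vars(token).update(snapshot)
        return False


def round_trip(token, borrower, amount):
    """Borrower parks the minted coins at a venue and takes all of them back."""
    token.transfer(borrower, "venue", amount)
    token.transfer("venue", borrower, amount)


def keeps_some(token, borrower, amount):
    """Borrower leaves 10 coins with a third party, more than it owns itself."""
    token.transfer(borrower, "bob", 10)


def demo():
    token = FlashMintToken({"alice": 5})  # constructed sample ledger
    seen = []  # total supply observed while the minted coins exist

    def observed_round_trip(t, borrower, amount):
        seen.append(t.total_supply)
        round_trip(t, borrower, amount)

    ok = execute_transaction(
        token, lambda t: t.flash_mint("alice", 1_000_000, observed_round_trip))
    bad = execute_transaction(
        token, lambda t: t.flash_mint("alice", 1_000_000, keeps_some))
    return ok, bad, seen[0], token.total_supply, dict(token.balances)


if __name__ == "__main__":
    print(demo())
```

The second transaction leaves no trace on the ledger: the transfer to `bob` is undone together with the mint, which is the atomicity property flash loans rely on as well.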

C DeFi Models

In the following, we detail the quantitative DeFi models applied in this work. Note that we do not include all the states involved in the DeFi attacks but only those relevant to the constrained optimization.

Flash Loan: We assume a flash loan platform \(\mathbb {F}\) with \(z_\mathsf {X}\) amount of asset \(\mathsf {X}\), which the adversary \(\mathbb {A}\) can borrow. The required interest to borrow b of \(\mathsf {X}\) is represented by \({\text {interest}}(b)\).

State: In a flash loan, the state is represented by the balance of \(\mathbb {A}\), i.e., \(\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S})\).

Transitions: We define the transition functions of in Eq. 8 and in Eq. 9, where the parameter \(b_{\mathsf {X}}\) denotes the loaned amount.

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}') = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) + b_{\mathsf {X}} \nonumber \\&\qquad \,\,\, \text {s.t.} \quad z_{\mathsf {X}} - b_{\mathsf {X}} \ge 0 \end{aligned}$$
(8)
$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}') = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - b_{\mathsf {X}} - {\text {interest}}(b_{\mathsf {X}})\nonumber \\&\,\,\,\,\, \text {s.t.} \quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - b_{\mathsf {X}} - {\text {interest}}(b_{\mathsf {X}}) \ge 0 \end{aligned}$$
(9)

Fixed Price Trading: We define the endpoint that allows the adversary \(\mathbb {A}\) to trade \(q_\mathsf {X}\) amount of \(\mathsf {X}\) for \(\mathsf {Y}\) at a fixed price \(\mathsf {p}_m\). \(\mathsf {maxY}\) is the maximum amount of \(\mathsf {Y}\) available for trading.

State: We consider the following state variables:

  • Balance of asset \(\mathsf {X}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S})\)

  • Balance of asset \(\mathsf {Y}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S})\)

Transitions: Transition functions of are defined in Eq. 10.

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}') = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - q_\mathsf {X} \nonumber \\&\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}') = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}) + \frac{q_\mathsf {X}}{\mathsf {p}_m} \nonumber \\&\quad \, \text {s.t.}\quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - q_\mathsf {X} \ge 0\nonumber \\&\qquad \quad \mathsf {maxY} - \frac{q_\mathsf {X}}{\mathsf {p}_m} \ge 0 \end{aligned}$$
(10)

Constant Product Automated Market Maker: With a market share of 77% among the AMM DEX, the constant product AMM is the most common AMM model in the current DeFi ecosystem [11]. We denote by \(\mathbb {M}\) an AMM instance with trading pair \(\mathsf {X}/\mathsf {Y}\) and exchange fee rate \(\mathsf {f}\).

State: We consider the following state variables that can be modified in an AMM state transition.

  • Amount of \(\mathsf {X}\) in AMM liquidity pool: \(u_\mathsf {X}(\mathsf {S})\), which equals \(\mathcal {B}(\mathbb {M};\mathsf {X};\mathsf {S})\)

  • Amount of \(\mathsf {Y}\) in AMM liquidity pool: \(u_\mathsf {Y}(\mathsf {S})\), which equals \(\mathcal {B}(\mathbb {M};\mathsf {Y};\mathsf {S})\)

  • Balance of \(\mathsf {X}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S})\)

  • Balance of \(\mathsf {Y}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S})\)

Transitions: Among the endpoints of \(\mathbb {M}\), we focus on and , which are the relevant endpoints for the DeFi attacks discussed within this work. \(p_{\mathsf {X}}\) is a parameter that represents the amount of \(\mathsf {X}\) the adversary intends to trade. \(\mathbb {A}\) inputs \(p_\mathsf {X}\) amount of \(\mathsf {X}\) in AMM liquidity pool and receives \(o_\mathsf {Y}\) amount of \(\mathsf {Y}\) as output. The constant product rule [11] requires that Eq. 11 holds.

$$\begin{aligned} u_\mathsf {X}(\mathsf {S})\times u_\mathsf {Y}(\mathsf {S}) = \left( u_\mathsf {X}(\mathsf {S}) + (1-\mathsf {f}) p_\mathsf {X}\right) \times \left( u_\mathsf {Y}(\mathsf {S})-o_\mathsf {Y}\right) \end{aligned}$$
(11)

We define the transition functions and constraints of in Eq. 12 (analogously for ).

$$\begin{aligned}&\quad \,\, \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - p_{\mathsf {X}} \nonumber \\&\quad \,\, \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}) + o_{\mathsf {Y}} \nonumber \\&\qquad \quad \,\, u_\mathsf {X}(\mathsf {S}') = u_\mathsf {X}(\mathsf {S}) + p_{\mathsf {X}} \nonumber \\&\qquad \quad \,\, u_\mathsf {Y}(\mathsf {S}') = u_\mathsf {Y}(\mathsf {S}) - o_{\mathsf {Y}} \nonumber \\&\text {where} \quad o_{\mathsf {Y}} = \frac{p_{\mathsf {X}}\times (1-\mathsf {f})\times u_\mathsf {Y}(\mathsf {S})}{u_\mathsf {X}(\mathsf {S}) + p_{\mathsf {X}}\times (1-\mathsf {f})} \nonumber \\&\qquad \text {s.t.} \quad \mathcal {B}(\mathbb {M};\mathsf {X};\mathsf {S}) - p_{\mathsf {X}} \ge 0 \end{aligned}$$
(12)

Because an AMM DEX \(\mathbb {M}\) transparently exposes all price transitions on-chain, it can be used as a price oracle by the other DeFi platforms. The price of \(\mathsf {Y}\) with respect to \(\mathsf {X}\) given by \(\mathbb {M}\) at state \(\mathsf {S}\) is defined in Eq. 13.

$$\begin{aligned} \mathsf {p}_\mathsf {Y}(\mathbb {M};\mathsf {S}) = \frac{u_\mathsf {X}(\mathsf {S})}{u_\mathsf {Y}(\mathsf {S})} \end{aligned}$$
(13)
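The transition of Eq. 12 and the oracle price of Eq. 13, as an added Python example (not code from the paper) that measures how far a single swap moves the price an oracle consumer would read. The pool reserves are constructed sample values, `exceeds_tolerance` is a hypothetical risk check, and the balance constraint is applied to the trader's balance of \(\mathsf {X}\) as an assumption.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    """State of the AMM M: reserves u_X(S), u_Y(S) and exchange fee rate f."""
    u_x: float
    u_y: float
    fee: float = 0.003


def oracle_price(pool):
    """Eq. 13: price of Y with respect to X given by M at the current state."""
    return pool.u_x / pool.u_y


def swap_x_for_y(pool, bal_x, bal_y, p_x):
    """Eq. 12: trade p_X of X for o_Y of Y.

    Returns (new_pool, new_bal_x, new_bal_y, o_y).
    """
    if p_x <= 0:
        raise ValueError("p_X must be positive")
    if bal_x - p_x < 0:
        # Assumption: the constraint is checked on the trader's X balance.
        raise ValueError("trader balance of X is below p_X")
    effective = p_x * (1 - pool.fee)
    o_y = effective * pool.u_y / (pool.u_x + effective)
    # The pool receives the full p_X; only (1 - f) * p_X counts towards Eq. 11.
    new_pool = Pool(pool.u_x + p_x, pool.u_y - o_y, pool.fee)
    return new_pool, bal_x - p_x, bal_y + o_y, o_y


def satisfies_constant_product(pool, p_x, o_y):
    """Eq. 11: u_X * u_Y == (u_X + (1 - f) * p_X) * (u_Y - o_Y)."""
    lhs = pool.u_x * pool.u_y
    rhs = (pool.u_x + (1 - pool.fee) * p_x) * (pool.u_y - o_y)
    return math.isclose(lhs, rhs, rel_tol=1e-9)


def oracle_shift(pool, p_x):
    """Relative change of the Eq. 13 price caused by one swap of p_X."""
    new_pool, _, _, _ = swap_x_for_y(pool, p_x, 0.0, p_x)
    return oracle_price(new_pool) / oracle_price(pool) - 1.0


def exceeds_tolerance(pool, z_x, tolerance):
    """Hypothetical check for a platform that reads Eq. 13 as its price feed:
    can one swap of the whole flash-loanable amount z_X move the price by
    more than `tolerance` within a single transaction?"""
    return oracle_shift(pool, z_x) > tolerance


def shift_table(pool, sizes):
    """Oracle shift for several trade sizes, rounded for display."""
    return [(p_x, round(oracle_shift(pool, p_x), 6)) for p_x in sizes]


if __name__ == "__main__":
    shallow = Pool(1_000.0, 50.0)        # constructed sample reserves
    deep = Pool(1_000_000.0, 50_000.0)   # same price, 1000x the depth
    print(shift_table(shallow, [1, 10, 100]))
    print(exceeds_tolerance(shallow, 100, 0.05), exceeds_tolerance(deep, 100, 0.05))
```

With \(\mathsf {f} = 0\) the shift reduces to \((1 + p_\mathsf {X}/u_\mathsf {X}(\mathsf {S}))^2 - 1\), so the exposure of a spot-price reader depends only on the trade size relative to pool depth.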

Automated Price Reserve: The automated price reserve is another type of AMM that automatically calculates the exchange price depending on the assets held in inventory. We denote a reserve holding the asset pair \(\mathsf {X}/\mathsf {Y}\) with \(\mathbb {R}\). A minimum price \(\mathsf {minP}\) and a maximum price \(\mathsf {maxP}\) are set when initiating \(\mathbb {R}\). \(\mathbb {R}\) relies on a liquidity ratio parameter \(\mathsf {lr}\) to calculate the asset price. We assume that \(\mathbb {R}\) holds \(k_\mathsf {X}(\mathsf {S})\) amount of \(\mathsf {X}\) at state \(\mathsf {S}\). We define the price of \(\mathsf {Y}\) in Eq. 14.

$$\begin{aligned} \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S})=\mathsf {minP}\times e^{\mathsf {lr}\times k_\mathsf {X}(\mathsf {S})} \end{aligned}$$
(14)

The endpoint provided by \(\mathbb {R}\) allows the adversary \(\mathbb {A}\) to exchange \(\mathsf {X}\) for \(\mathsf {Y}\).

State: We consider the following state variables:

  • The inventory of \(\mathsf {X}\) in the reserve: \(k_\mathsf {X}(\mathsf {S})\), which equals \(\mathcal {B}(\mathbb {R};\mathsf {X};\mathsf {S})\)

  • Balance of \(\mathsf {X}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S})\)

  • Balance of \(\mathsf {Y}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S})\)

Transitions: We denote as \(h_\mathsf {X}\) the amount of \(\mathsf {X}\) that \(\mathbb {A}\) inputs in the exchange to trade against \(\mathsf {Y}\). The exchange output amount of \(\mathsf {Y}\) is calculated by the following formulation.

$$\begin{aligned} j_\mathsf {Y} = \frac{e^{-\mathsf {lr}\times h_\mathsf {X}} - 1}{\mathsf {lr}\times \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S})} \end{aligned}$$

We define the transition functions within Eq. 15.

$$\begin{aligned}&\qquad k_\mathsf {X}(\mathsf {S}') = k_\mathsf {X}(\mathsf {S}) + h_\mathsf {X} \nonumber \\&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}') = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - h_\mathsf {X} \nonumber \\&\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}') = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}) + j_\mathsf {Y}\nonumber \\&\,\, \text {where} \quad j_\mathsf {Y} = \frac{e^{-\mathsf {lr}\times h_\mathsf {X}} - 1}{\mathsf {lr}\times \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S})} \nonumber \\&\,\,\,\, \text {s.t.} \quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - h_\mathsf {X} \ge 0 \nonumber \\&\quad \,\,\, \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S}') - \mathsf {minP}\ge 0 \nonumber \\&\quad \,\,\, \mathsf {maxP}-\mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S}')\ge 0 \end{aligned}$$
(15)

Collateralized Lending and Borrowing: We consider a collateralized lending platform \(\mathbb {L}\), which provides the endpoint that requires the user to collateralize an asset \(\mathsf {X}\) with a collateral factor \(\mathsf {cf}\) (s.t. \(0< \mathsf {cf} < 1\)) and borrows another asset \(\mathsf {Y}\) at an exchange rate \(\mathsf {er}\). The collateral factor determines the upper limit that a user can borrow. For example, if the collateral factor is 0.75, a user is allowed to borrow up to 75% of the value of the collateral. The exchange rate is for example determined by an outsourced price oracle. \(z_{\mathsf {Y}}\) denotes the maximum amount of \(\mathsf {Y}\) available for borrowing.

State: We hence consider the following state variables and ignore the balance changes of \(\mathbb {L}\) for simplicity.

  • Balance of asset \(\mathsf {X}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S})\)

  • Balance of asset \(\mathsf {Y}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S})\)

Transitions: The parameter \(c_{\mathsf {X}}\) represents the amount of asset \(\mathsf {X}\) that \(\mathbb {A}\) aims to collateralize. Although \(\mathbb {A}\) is allowed to borrow less than his collateral would allow for, we assume that \(\mathbb {A}\) makes use of the entirety of his collateral. Equation 16 shows the transition functions of .

$$\begin{aligned}&\quad \quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - c_{\mathsf {X}}\nonumber \\&\quad \quad \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}) + b_{\mathsf {Y}}\nonumber \\&\qquad \quad \,\,\,\, \text {where} \quad b_{\mathsf {Y}} = \frac{c_\mathsf {X}\times \mathsf {cf}}{\mathsf {er}} \nonumber \\&\text {s.t.} \quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S'}) - c_{\mathsf {X}} \ge 0; z_{\mathsf {Y}} - b_{\mathsf {Y}} \ge 0 \end{aligned}$$
(16)

\(\mathbb {A}\) can retrieve its collateral by repaying the borrowed asset through the endpoint . We show the transition functions in Eq. 17 and for simplicity ignore the loan interest fee.

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) + c_{\mathsf {X}} \nonumber \\&\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}) - b_{\mathsf {Y}} \nonumber \\&\,\,\,\,\, \text {s.t.} \quad \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}) - b_{\mathsf {Y}} \ge 0 \end{aligned}$$
(17)

Margin Trading: A margin trading platform \(\mathbb {T}\) allows the adversary \(\mathbb {A}\) to short/long an asset \(\mathsf {Y}\) by collateralizing asset \(\mathsf {X}\) at a leverage \(\ell \), where \(\ell \ge 1\).

We focus on the endpoint which is relevant to the discussed DeFi attack in this work. We assume \(\mathbb {A}\) shorts \(\mathsf {Y}\) with respect to \(\mathsf {X}\) on \(\mathbb {F}\). The parameter \(d_{\mathsf {X}}\) denotes the amount of \(\mathsf {X}\) that \(\mathbb {A}\) collateralizes upfront to open the margin. \(w_\mathsf {X}\) represents the amount of \(\mathsf {X}\) held by \(\mathbb {F}\) that is available for the short margin. \(\mathbb {A}\) is required to over-collateralize at a rate of \(\mathsf {ocr}\) in a margin trade. In our model, when a short margin (short \(\mathsf {Y}\) with respect to \(\mathsf {X}\)) is opened, \(\mathbb {F}\) performs a trade on external \(\mathsf {X}/\mathsf {Y}\) markets (e.g., Uniswap) to convert the leveraged \(\mathsf {X}\) to \(\mathsf {Y}\). The traded \(\mathsf {Y}\) is locked until the margin is closed or liquidated.

State: In short margin trading, we consider the following state variables:

  • Balance of \(\mathsf {X}\) held by \(\mathbb {A}\): \(\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S})\)

  • The locked amount of \(\mathsf {Y}\): \(\mathcal {L}(\mathbb {A};\mathsf {Y};\mathsf {S})\)

Transitions: We assume \(\mathbb {F}\) transacts from an external market at a price of \(\mathsf {emp}\). The transition functions and constraints are specified in Eq. 18.

$$\begin{aligned}&\qquad \qquad \,\, \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S'}) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - c_{\mathsf {X}} \nonumber \\&\qquad \qquad \,\, \mathcal {L}(\mathbb {A};\mathsf {Y};\mathsf {S}') = \mathcal {L}(\mathbb {A};\mathsf {Y};\mathsf {S}) + l_\mathsf {Y} \nonumber \\&\qquad \qquad \quad \,\, \text {where}\quad l_{\mathsf {Y}}=\frac{d_{\mathsf {X}}\times \ell }{\mathsf {ocr}\times \mathsf {emp}} \nonumber \\&\text {s.t.}\quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}) - c_{\mathsf {X}} \ge 0; w_{\mathsf {X}} + d_{\mathsf {X}} - \frac{d_{\mathsf {X}}\times \ell }{\mathsf {ocr}} \ge 0 \end{aligned}$$
(18)

D Optimizing the Pump Attack and Arbitrage

In the following, we detail the procedure of deriving the pump attack and arbitrage optimization problem. Figure 5 summarizes the on-chain state when the attack was executed (i.e., \(\mathsf {S}_0\)). \(\mathsf {X}\) and \(\mathsf {Y}\) denote ETH and WBTC respectively. For simplicity, we ignore the trading fees in the constant product AMM (i.e., \(\mathsf {f} = 0\) for \(\mathbb {M}\)). The endpoints executed in the pump attack and arbitrage are listed in the execution order as follows.

  1. (dYdX)

  2. (Compound)

  3. (bZx) & (Uniswap)

  4. (Uniswap)

  5. (dYdX)

  6. & (Compound)

In the pump attack and arbitrage vector, we intend to tune the following two parameters, (i) \(p_1\): the amount of \(\mathsf {X}\) collateralized to borrow \(\mathsf {Y}\) in the endpoint 2) and (ii) \(p_2\): the amount of \(\mathsf {X}\) collateralized to short \(\mathsf {Y}\) in the endpoint 3). Following the procedure of Sect. 4.2, we proceed with detailing the construction of the constraint system.

0): We assume the initial balance of \(\mathsf {X}\) owned by \(\mathbb {A}\) is \(\mathsf {B}_0\) (cf. Eq. 19), and we refer the reader to Fig. 5 for the remaining initial state values.

$$\begin{aligned} \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_0) = \mathsf {B}_0 \end{aligned}$$
(19)

1) . \(\mathbb {A}\) gets a flash loan of \(\mathsf {X}\) amounting to \(p_1+p_2\) in total

$$\begin{aligned} \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_1) = \mathsf {B}_0 + p_1+p_2 \end{aligned}$$

with the constraints

$$\begin{aligned} \begin{aligned} p_1 \ge 0, p_2 \ge 0, v_{\mathsf {X}} - p_1 - p_2 \ge 0\\ \end{aligned} \end{aligned}$$

2) : \(\mathbb {A}\) collateralizes \(p_1\) amount of \(\mathsf {X}\) to borrow \(\mathsf {Y}\) from the lending platform \(\mathbb {L}\)

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_2) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_1) - p_1 = \mathsf {B}_0 + p_2\\&\qquad \qquad \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_2) = \frac{p_1\times \mathsf {cf}}{\mathsf {er}} \end{aligned}$$
$$\begin{aligned} \text{ with } \text{ the } \text{ constraint }~z_\mathsf {Y} - \frac{p_1\times \mathsf {cf}}{\mathsf {er}} \ge 0 \end{aligned}$$

3): \(\mathbb {A}\) opens a short margin with \(p_2\) amount of \(\mathsf {X}\) at a leverage of \(\ell \) on the margin trading platform \(\mathbb {T}\); \(\mathbb {T}\) swaps the leveraged \(\mathsf {X}\) for \(\mathsf {Y}\) at the constant product AMM \(\mathbb {M}\)

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_3) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_2) - p_2 = \mathsf {B}_0 \\&\qquad u_\mathsf {X}(\mathsf {S}_3) = u_\mathsf {X}(\mathsf {S}_0) + \frac{p_2 \times \ell }{\mathsf {ocr}}\\&\quad \,\,\,\,\, u_\mathsf {Y}(\mathsf {S}_3) = \frac{u_\mathsf {X}(\mathsf {S}_0)\times u_\mathsf {Y}(\mathsf {S}_0)}{u_\mathsf {X}(\mathsf {S}_3)}\\&\quad \mathcal {L}(\mathbb {A};\mathsf {Y};\mathsf {S}_3) = u_\mathsf {Y}(\mathsf {S}_0) - u_\mathsf {Y}(\mathsf {S}_3) \end{aligned}$$
$$\begin{aligned} \text{ with } \text{ the } \text{ constraint }~w_\mathsf {X} + p_2 - \frac{p_2 \times \ell }{\mathsf {ocr}} \ge 0 \end{aligned}$$

4): \(\mathbb {A}\) dumps all the borrowed \(\mathsf {Y}\) at \(\mathbb {M}\)

$$\begin{aligned}&\qquad \qquad \,\,\,\,\, \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_4) = 0\\&\quad \,\,\, u_\mathsf {Y}(\mathsf {S}_4) = u_\mathsf {Y}(\mathsf {S}_3) + \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_2)\\&\quad \,\,\,\,\,\,\, u_\mathsf {X}(\mathsf {S}_4) = \frac{u_\mathsf {X}(\mathsf {S}_3)\times u_\mathsf {Y}(\mathsf {S}_3)}{u_\mathsf {Y}(\mathsf {S}_4)}\\&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_4) = \mathsf {B}_0 + u_\mathsf {X}(\mathsf {S}_3) - u_\mathsf {X}(\mathsf {S}_4) \end{aligned}$$

5): \(\mathbb {A}\) repays the flash loan

$$\begin{aligned} \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_5) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_4) - p_1 - p_2 \end{aligned}$$
$$\begin{aligned} \text{ with } \text{ the } \text{ constraint }~\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_4) - p_1 - p_2 \ge 0 \end{aligned}$$

6): \(\mathbb {A}\) buys \(\mathsf {Y}\) from the market at the market price \(\mathsf {p}_m\) and retrieves the collateral from \(\mathbb {L}\)

$$\begin{aligned} \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_6) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_5) + p_1 - \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_2)\times \mathsf {p}_m \end{aligned}$$

The objective function is the adversarial ETH revenue (cf. Eq. 20).

$$\begin{aligned} \begin{aligned} \mathcal {O}(\mathsf {S}_0; p_1; p_2) =\,\,&\mathcal {B}(\mathbb {A}; \mathsf {X}; \mathsf {S}_6) - \mathsf {B}_0\\ =\,\,&{u_\mathsf {X}(\mathsf {S}_0) + \frac{p_2 \times \ell }{\mathsf {ocr}}} - {u_\mathsf {X}(\mathsf {S}_4)} - p_2 \\&- \frac{p_1\times \mathsf {cf} \times \mathsf {p}_m}{\mathsf {er}} \end{aligned} \end{aligned}$$
(20)
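
Substituting the pool updates of steps 3) and 4) into Eq. 20 removes the intermediate state \(u_\mathsf {X}(\mathsf {S}_4)\); this derivation is added here and is not part of the original paper. The symbol \(k\) is introduced for the constant product \(u_\mathsf {X}(\mathsf {S}_0)\times u_\mathsf {Y}(\mathsf {S}_0)\), which both swaps preserve because \(\mathsf {f} = 0\).

$$\begin{aligned} u_\mathsf {X}(\mathsf {S}_3) =\,\,&u_\mathsf {X}(\mathsf {S}_0) + \frac{p_2 \times \ell }{\mathsf {ocr}}, \qquad u_\mathsf {Y}(\mathsf {S}_4) = \frac{k}{u_\mathsf {X}(\mathsf {S}_3)} + \frac{p_1\times \mathsf {cf}}{\mathsf {er}}\\ u_\mathsf {X}(\mathsf {S}_4) =\,\,&\frac{u_\mathsf {X}(\mathsf {S}_3)\times u_\mathsf {Y}(\mathsf {S}_3)}{u_\mathsf {Y}(\mathsf {S}_4)} = \frac{k}{\frac{k}{u_\mathsf {X}(\mathsf {S}_3)} + \frac{p_1\times \mathsf {cf}}{\mathsf {er}}}\\ \mathcal {O}(\mathsf {S}_0; p_1; p_2) =\,\,&u_\mathsf {X}(\mathsf {S}_3) - \frac{k}{\frac{k}{u_\mathsf {X}(\mathsf {S}_3)} + \frac{p_1\times \mathsf {cf}}{\mathsf {er}}} - p_2 - \frac{p_1\times \mathsf {cf} \times \mathsf {p}_m}{\mathsf {er}} \end{aligned}$$

The objective therefore depends on the AMM only through its initial reserves \(u_\mathsf {X}(\mathsf {S}_0)\) and \(u_\mathsf {Y}(\mathsf {S}_0)\).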

E Optimizing the Oracle Manipulation Attack

In the oracle manipulation attack, \(\mathsf {X}\) denotes ETH and \(\mathsf {Y}\) denotes sUSD. Again, we ignore the trading fees in the constant product AMM (i.e., \(\mathsf {f} = 0\) for \(\mathbb {M}\)). The initial state variables are presented in Fig. 7. We assume that \(\mathbb {A}\) initially holds neither \(\mathsf {X}\) nor \(\mathsf {Y}\). The endpoints involved in the oracle manipulation attack vector are listed as follows.

  1. (bZx)
  2. (Uniswap)
  3. (Kyber reserve)
  4. (Synthetix)
  5. (bZx)
  6. (bZx)

We construct the constrained optimization problem as follows.

1): \(\mathbb {A}\) gets a flash loan of \(\mathsf {X}\) amounting to \(p_1 + p_2 + p_3\)

$$\begin{aligned} \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_1) = p_1 + p_2 + p_3 \end{aligned}$$

with the constraints

$$\begin{aligned} \begin{aligned} p_1 \ge 0, p_2 \ge 0, p_3 \ge 0, v_{\mathsf {X}} - p_1 - p_2 - p_3\ge 0 \end{aligned} \end{aligned}$$

2) : \(\mathbb {A}\) swaps \(p_1\) amount of \(\mathsf {X}\) for \(\mathsf {Y}\) from the constant product AMM \(\mathbb {M}\)

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_2) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_1) - p_1 = p_2 + p_3\\&\qquad \quad \,\,\,\,\,\,\, u_\mathsf {X}(\mathsf {S}_2) = u_\mathsf {X}(\mathsf {S}_0) + p_1\\&\qquad \quad u_\mathsf {Y}(\mathsf {S}_2) = \frac{u_\mathsf {X}(\mathsf {S}_0)\times u_\mathsf {Y}(\mathsf {S}_0)}{u_\mathsf {X}(\mathsf {S}_2)}\\&\qquad \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_2) = u_\mathsf {Y}(\mathsf {S}_0) - u_\mathsf {Y}(\mathsf {S}_2) \end{aligned}$$

3) : \(\mathbb {A}\) converts \(p_2\) amount of \(\mathsf {X}\) to \(\mathsf {Y}\) from the automated price reserve \(\mathbb {R}\)

$$\begin{aligned}&\quad \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_3)=\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_2) - p_2 = p_3\\&\qquad \qquad k_\mathsf {X}(\mathsf {S}_3) = k_\mathsf {X}(\mathsf {S}_0) + p_2\\&\quad \quad \, \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S}_3)=\mathsf {minP} \times e^{\mathsf {lr}\times k_\mathsf {X}(\mathsf {S}_3)}\\&\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_3)=\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_2) + \frac{e^{-\mathsf {lr}\times p_2} - 1}{\mathsf {lr}\times \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S}_0)}\\&\qquad \,\,\,\,\,\,\, \text {s.t.} \quad \mathsf {maxP} - \mathsf {P}_\mathsf {Y}(\mathbb {R};\mathsf {S}_3)\ge 0 \end{aligned}$$

4) : \(\mathbb {A}\) sells \(p_3\) amount of \(\mathsf {X}\) for \(\mathsf {Y}\) at the price of \(\mathsf {p}_m\)

$$\begin{aligned}&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_4) = \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_3) - p_3 = 0\\&\,\,\, \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_4) = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_3) + \frac{p_3}{\mathsf {p}_m} \end{aligned}$$
$$\begin{aligned} \text{ with } \text{ the } \text{ constraint }~\mathsf {maxY} - \frac{p_3}{\mathsf {p}_m} \ge 0 \end{aligned}$$

5) : \(\mathbb {A}\) collateralizes all owned \(\mathsf {Y}\) to borrow \(\mathsf {X}\) according to the price given by the constant product AMM \(\mathbb {M}\) (i.e., the exchange rate \(\mathsf {er} = \frac{1}{\mathsf {P}_\mathsf {Y}(\mathbb {M};\mathsf {S}_2)}\))

$$\begin{aligned}&\qquad \qquad \qquad \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_5) = 0\\&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_5) = \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_4)\times \mathsf {cf} \times \mathsf {P}_\mathsf {Y}(\mathbb {M};\mathsf {S}_2) \end{aligned}$$

with the constraint

$$\begin{aligned} z_\mathsf {Y} - \mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_4)\times \mathsf {cf} \times \mathsf {P}_\mathsf {Y}(\mathbb {M};\mathsf {S}_2) \ge 0 \end{aligned}$$

6) : \(\mathbb {A}\) repays the flash loan

$$\begin{aligned} \mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_6)=\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_5) - p_1 -p_2 -p_3 \end{aligned}$$
$$\begin{aligned} \text{ with } \text{ the } \text{ constraint }~\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_5) - p_1 -p_2 -p_3 \ge 0 \end{aligned}$$

The objective function is the remaining balance of \(\mathsf {X}\) after repaying the flash loan (cf. Eq. 21).

$$\begin{aligned} \begin{aligned} \mathcal {O}(\mathsf {S}_0;p_1;p_2;p_3)=\,\,&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_6)\\ =\,\,&\mathcal {B}(\mathbb {A};\mathsf {X};\mathsf {S}_5) - p_1 -p_2 -p_3\\ =\,\,&\mathcal {B}(\mathbb {A};\mathsf {Y};\mathsf {S}_4)\times \mathsf {cf} \times \mathsf {P}_\mathsf {Y}(\mathbb {M};\mathsf {S}_2) \\&- p_1 -p_2 -p_3 \end{aligned} \end{aligned}$$
(21)

F Extended Discussion

In the following, we extend our discussion in Sect. 7.

Responsible Disclosure: It is somewhat unclear how to perform responsible disclosure within DeFi, given that the underlying vulnerability and victim are not always perfectly clear and that there is a lack of security standards to apply. We plan to reach out to Aave, Kyber, and Uniswap to disclose the contents of this paper.

Does Extra Capital Help: The main attraction of flash loans stems from them not requiring collateral that needs to be raised. One can, however, wonder whether extra capital would make the attacks we focus on more potent and the ROI greater. Based on our results, extra collateral for the two attacks of Sect. 3 would not increase the ROI, as the liquidity constraints of the intermediate protocols do not allow for a higher impact.

Potential Defenses: Here we discuss several potential defenses. However, we would be the first to admit that these are not foolproof and come with potential downsides that would significantly hamper normal interactions.

  • Should a DEX accept trades coming from flash loans?

  • Should a DEX accept coins from an address if the previous block did not show those funds in the address?

  • Would introducing a delay make sense, e.g., in governance voting, or price oracles?

  • When designing a DeFi protocol, a single transaction should be limited in its abilities: a DEX should not allow a single transaction to trigger slippage beyond 100%.
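
The last two bullets sketched as code, as an added example that is not from the paper or from any protocol it names: a constant product pool (\(\mathsf {f} = 0\), as in Appendix E) that rejects a single trade moving its spot price by more than 100%, and a lender that values collateral at the previous block's price and refuses to lend after a same-block jump. The names `Pool`, `borrow_x` and `GuardError`, the 5% drift tolerance, the reading of slippage as relative spot-price change, and the price \(\mathsf {P}_\mathsf {Y} = u_\mathsf {X} / u_\mathsf {Y}\) are assumptions.

```python
from dataclasses import dataclass, field

MAX_SLIPPAGE = 1.0       # cap from the last bullet: 100% per transaction
MAX_ORACLE_DRIFT = 0.05  # assumed tolerance against the delayed price


class GuardError(Exception):
    """A transaction would violate one of the two guards."""


@dataclass
class Pool:
    """Constant product AMM holding u_x of X and u_y of Y, with f = 0."""
    u_x: float
    u_y: float
    ref_price: float = field(init=False)  # P_Y at the end of the last block

    def __post_init__(self) -> None:
        self.end_block()

    def spot_price_y(self) -> float:
        """Price of one Y in units of X, assumed to be u_X / u_Y."""
        return self.u_x / self.u_y

    def end_block(self) -> None:
        """Snapshot the price that same-block readers will be given."""
        self.ref_price = self.spot_price_y()

    def swap_x_for_y(self, p: float) -> float:
        """Sell p of X for Y while keeping u_X * u_Y constant."""
        k = self.u_x * self.u_y
        new_u_x = self.u_x + p
        new_u_y = k / new_u_x
        # Relative spot-price move caused by this one trade: (1 + p/u_X)^2 - 1
        slippage = (new_u_x / new_u_y) / self.spot_price_y() - 1.0
        if slippage > MAX_SLIPPAGE:
            raise GuardError(f"slippage {slippage:.0%} exceeds the cap")
        received = self.u_y - new_u_y
        self.u_x, self.u_y = new_u_x, new_u_y
        return received


def borrow_x(pool: Pool, collateral_y: float, cf: float) -> float:
    """Lend X against Y at the delayed price; refuse after a same-block jump."""
    drift = abs(pool.spot_price_y() / pool.ref_price - 1.0)
    if drift > MAX_ORACLE_DRIFT:
        raise GuardError(f"spot price moved {drift:.1%} since the last block")
    return collateral_y * cf * pool.ref_price
```

Under this definition the 100% cap admits any single trade up to \((\sqrt{2} - 1) \approx 41\%\) of the pool's \(\mathsf {X}\) reserve, so on its own it bounds price movement per trade rather than preventing it; the delayed reference price is what stops a lender from using a price set earlier in the same block.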

Looking into the Future: In the future, we anticipate DeFi protocols eventually starting to comply with a higher standard of security testing, both within the protocol itself and as part of integration testing into the DeFi ecosystem. We believe that eventually, this may lead to some form of DeFi standards when it comes to financial security, similar to what is imposed on banks and other financial institutions in traditional centralized (government-controlled) finance. We anticipate that whole-system penetration testing and an analytical approach to modeling the space of possibilities, as in this paper, are two ways to improve future DeFi protocols.

Generality of the Optimization Framework: We show in Sect. 5 that our optimization framework performs efficiently on a given attack vector. To discover new attacks on a blockchain state with the framework, we may need to iterate over all the combinations of DeFi actions. The search space thus explodes as the number of DeFi actions increases. Our optimization framework requires every DeFi action to be modeled manually. This, however, makes the framework less handy for users who are unfamiliar with the mathematical formulas of the DeFi actions. To make the framework more accurate, we can build gas consumption and block gas limit into the models, which requires understanding every DeFi action explicitly. We leave the automation of modeling for future work.

Copyright information

© 2021 International Financial Cryptography Association

About this paper

Cite this paper

Qin, K., Zhou, L., Livshits, B., Gervais, A. (2021). Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit. In: Borisov, N., Diaz, C. (eds) Financial Cryptography and Data Security. FC 2021. Lecture Notes in Computer Science, vol 12674. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-64322-8_1

  • DOI: https://doi.org/10.1007/978-3-662-64322-8_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-64321-1

  • Online ISBN: 978-3-662-64322-8

  • eBook Packages: Computer Science, Computer Science (R0)
