‘Flash Loan’ exploits spark DeFi debate

‘Flash Loan’ exploits spark DeFi debate

bZx, the seventh-largest DeFi protocol with over $18 million worth of funds locked, has lost $350,000 and $645,000 worth of Ether in two separate exploits over the last few days.

The perpetrators, who can be seen as either legitimate arbitrageurs or malicious hackers, depending on your perspective, used ‘flash loans’ to borrow funds which were then funneled through a sophisticated route of different protocols and traded in such a way that bZx was left short of funds, forcing the supposedly decentralized protocol to use an admin key reset to redeem lost funds.

## 2 hacks in 5 days

As former Google engineer Korantin Auguste explained in a blog post, both attacks exploited

the ‘flash loans’ that are offered by several DeFi lending protocols.

These loans allow traders to borrow huge amounts of liquidity for a single transaction, without having to put up collateral — allowing traders to quickly capitalize on price differences.

The first flash loan exploit was carried out on Valentine’s day during the ETHDenver conference and involved a complex series of transactions on BzX’s lending platform Fulcrum.

As the official post-mortem blog describes, the attacker opened a flash loan from dYdX for 10,000 ETH, and then split the funds, funneling them through different protocols and trading them against each other to make a profit of 1193 ETH, currently worth around $298k.

The second exploit, which took place on Tuesday, also used a flash loan to open an under-collateralized position on bZx, but followed a different method. This resulted in an estimated loss of 2,388 Ether ($645k).

## DeFi Vs CeFi

The exploit itself, and bZx’s decision to quickly shut down Fulcrum using a distinctly non-decentralized master key, have both attracted criticism.

Litecoin creator Charlie Lee called DeFi a “decentralization theatre” that represents “the worst of both worlds” — worse than centralized platforms because they are less secure, and yet still vulnerable to being shut down by a centralized party.

Others, including investor Ari David Paul, suggest the incident is just a speed hump on the road to a mature DeFi ecosystem, and that exposing vulnerabilities at such an early stage is healthy in the long-term. “The more of this that happens, the sooner the better. We want the bug bounties claimed before DeFi poses a systemic risk,” tweeted Paul.