Life of a DeFi developer:
- Say gm.
- Scroll crypto twitter and commiserate about the bear market.
- Architect new and complex financial and governance systems. Their robustness is so vitally critical that a single mistake could lead to the loss of tens or hundreds of millions of dollars.
Pretty exciting stuff!
This blog post equips readers with a framework to identify deadly economic flaws in DeFi. We will take apart some of DeFi’s biggest economic hacks. We will analyze them from an economic perspective, as opposed to a smart contract perspective. Finally, we will draw conclusions on how economic vulnerabilities can be spotted and avoided.
Price manipulation, inefficient markets
Price manipulation is a classic and persistent problem in financial systems. In TradFi, market manipulation is illegal and doing it often makes you go to jail. Luckily for us, there is no DeFi police. Hooray for decentralization!
Key idea: Anytime we exchange assets, we do so at a certain price. We need to consider whether those prices reflect an efficient market. If we fail to do so, there could be a dangerous arbitrage situation. An attacker could exploit that situation, often at the expense of others.
Example 1 (TradFi): Speculative currency attacks
You dump a victim currency to drive its price down, then profit off of this movement.
Anytime we accept collateral when lending another asset, this is effectively an exchange of assets. We depend on the prices of both the collateral and the lent asset. We need to consider whether these prices are reliable. If they are unreliable, there is a potential exploit:
- (Setup) Gradually stockpile the victim currency (but don’t buy it from their central bank).
- (Setup) Short that currency (borrow a bunch then sell it). When borrowing, the lender may ask for collateral. Post collateral in a stable, unaffected currency. Receive the victim currency and immediately sell it at its current, unmanipulated price.
- (Trigger) Dump your huge stockpile of the victim currency on the market. The victim currency’s central bank will run out of cash. Then, they can’t afford to buy back their own currency to prop up its price. Thus, the currency depegs, triggering a selling frenzy, driving it down.
- (Close) You’re short this currency, so profit. This involves repaying the loan in the victim currency. The victim currency is much cheaper now than when you borrowed it. Take back your unaffected collateral
In effect, you’ve supplied robust collateral, borrowed something valuable, paid back something cheap, and collected the unaffected collateral back. Here, the value of the lent asset was manipulated down.
In Step 2, the loan occurred at a certain price. That price was based on a price peg. This price peg is artificially set by a central bank, and does not necessarily reflect an efficient FX market. Under certain conditions, like a depeg, that assumption is broken. This creates an exploit opportunity.
An example of this happened in real life in 1992, when George Soros attacked the British pound. He made quite a profit off of that trade.
Example 2 (DeFi): The Harvest Finance Hack
DeFi is at risk of repeating many of the same mistakes that bankers and financiers have made in TradFi. Here, you create an arbitrage situation with share pricing.
Harvest Finance is a protocol which allows users to deposit and withdraw money (e.g., USDT) in exchange for LP share tokens. These LP tokens entitle users to a share of the LP pool. This exchange between USDT and LP tokens occurs at a price. If this price does not reflect the true values of USDT or the assets within the LP pool, there is a potential vulnerability.
In October 2020, Harvest Finance was hacked for $USD 33.8MM. In Harvest, LP shares were fixed at the time of deposit. LPs were always entitled to the share of the pool calculated at the time of deposit, even if the price changes later. Thus, if the price of LP shares changes after staking, the user can withdraw an outsized portion of the value locked in the LP pool.
Harvest used reference prices from Curve.fi. It is possible to manipulate this Curve-specific price feed by affecting the reserve amounts held in Curve. This in turn impacts the LP share calculation in Harvest. If we pump up the price of USDT on Curve, then Harvest will overvalue the USDT and undervalue its LP shares. Meanwhile, the actual assets inside the LP pool are unaffected.
Thus, here is the exploit scenario:
- (Setup) Amass large amounts of USDC and USDT using flash loans
- (Setup) On Curve, pump up the price of USDT. Do this by exchanging USDC for USDT on Curve. Harvest now thinks USDT is more valuable. Thus, relative to USDT, Harvest thinks its LP share price is lower.
- (Setup) On Harvest, deposit USDT. Your LP share is calculated, and locked in, based on the manipulated price. You will receive an oversized share of the LP. This is because Harvest is overvaluing your USDT and undervaluing its LP shares.
- (Trigger) On Curve, dump the price of USDT back to normal. Do this by exchanging USDT back to USDC. This also makes Harvest stop undervaluing its LP shares.
- (Close) On Harvest, withdraw your outsized share of the LP. You will receive more back than you deposited.
- Rinse and repeat!
In effect, you manipulated the price of shares down then exchanged USDT for LP shares cheaply. Meanwhile, the value of the assets backing the shares remained unchanged. Later, you cashed out your LP shares for those valuable assets.
In Step 4, the exchange of USDT for LP shares happened at a certain price. That price is based on Curve’s reserves. Curve’s asset reserves certainly do not necessarily reflect an efficient market. Under the attacker’s conditions, Harvest’s assumptions were violated. That created the exploit opportunity. The attacker can sell USDT to the broader market for its true price.
What have we learned so far?
Let’s generalize a bit. We see that a common problem in both scenarios was misplaced trust in the price mechanism. The lender of the loan in the speculative currency attack implicitly assumed the currency peg is accurate. Similarly, Harvest assumed the prices it retrieved from Curve were accurate.
More fundamentally: In both cases, prices were assumed to reflect efficient markets. They did not. The attackers then exploited this incorrect assumption.
In the speculative currency attack, the FX market wasn’t operating efficiently. The forces of supply and demand were being artificially controlled by the central bank. These inefficiencies caused businesses to lend under the flawed assumption that the fixed exchange rate would stay in place for the foreseeable future. In doing so, they took on depeg risk.
The prices Harvest retrieved from Curve.fi were determined by reserve assets in Curve, not the broader market as a whole. This is not necessarily efficient. This could be OK at a large time scale, as arbitrageurs can buy and sell to bring prices back in line with the rest of the market. Unfortunately, with no TWAP, plus the atomic nature of Ethereum transactions, the prices were easily manipulated on the spot.
In both of these cases, asset exchanges were triggered directly by the attacker. But this is not always the case. We will see additional examples as we study scenarios like the X-Token Hack.
Example 3 (DeFi): The X-Token Hack
The xSNX (X-Token) protocol was plagued by complexity and hacks. Since its launch in August 2020, it was hacked three times. The largest hack was in May 2021, on xSNXa for $USD 24MM.
In the exploit, the attacker manipulated the price quoted on a Uniswap V2 pool. The attacker then triggered the protocol to do a swap on this pool. In doing so, the protocol took on a trade at a very unfavorable price. This allowed the attacker to profit.
- (Setup) Amass SNX. We can do this by flash loaning ETH then exchanging it to SNX by borrowing on Aave and Sushiswap. Amass some other funds too, which we will use to mint xSNX later.
- (Setup) Use the SNX to crash the price of the SNX-ETH Uniswap V2 pool. (Same idea as from Curve)
- (Trigger) Mint a lot of xSNX. Ultimately, the protocol is programmed to
use Uniswap to exchange the ETH for SNX. Remember, this is the same pool that you just pushed down. Thus, the protocol trades on Uniswap at a very bad price. The end result is you mint an inflated amount of xSNX.
- (Exit) Sell the xSNX and repay all loans. But wait, we just crashed SNX on Uniswap–where are we supposed to dump this stuff? There happens to be another Balancer pool. The Balancer pool is unaffected by the liquidity depressions in the Uniswap pool. Dump your xSNX on there.
There are additional layers of complexity in this hack compared to the Harvest hack. Most obviously, the attacker did not exchange assets themselves; they instead caused the victim protocol to do so. Regardless of which party is exchanging assets, the existence of a secondary market unaffected by manipulation creates an arbitrage opportunity.
Other than that, though, this hack shares a remarkable number of characteristics with the previous exploits we have discussed. The attacker is able to cause a trade to happen at a non-market price. In doing so, they are able to pocket the difference between the true price and the trade price. As usual, in automated DeFi protocols, it is absolutely necessary that every exchange happens at efficient prices. Otherwise, attackers can economically exploit the protocol.
As tokenomic systems grow more complex, we must pay more attention to potential economic vulnerabilities. One class of arbitrage opportunities arise when assets are exchanged at inefficient prices, paired with a catalyst. This catalyst can be an event which moves prices to be more efficient or a secondary market that is efficient. Additionally, the asset exchange need not necessarily be triggered by the attacker themselves.
Lending protocols give rise to one of the simplest economic exploit scenarios. In a loan, collateral and a lent asset are exchanged. If the value of either the collateral or the lent asset can be manipulated, there may be an arbitrage opportunity.
Protocols with more financial machinery can also have economic vulnerabilities. For example, Harvest finance suffered from a share pricing issue that led to share price arbitrage. The machinery can even involve additional tokens, minting, and back-end trades, such as in the X-Token hack.
Leverage can also give rise to economic vulnerabilities. In DeFi, leverage is often implemented through collateralized lending, paired with liquidation. Sudden market movements may lead to failures in leveraged protocols. Leveraged protocols also often involve back-end trades by the protocol. Similar to the X-Token hack, if an attacker can trigger the protocol to exchange on manipulated liquidity pairs, there is the potential for an economic exploit.
Apart from price manipulation, there are many other classes of economic attacks possible on DeFi protocols. These include, for example, governance exploits. We plan to cover these in subsequent posts.
As we have seen, DeFi opens up opportunities for all kinds of novel economic attacks. Although we have seen real-world parallels like with speculative currency attacks, it is difficult to place an analogy for the more intricate hacks. We expect that this trend will continue as decentralized economic systems continue to grow in complexity. In the future, we may even end up treating DeFi hacks as economic case studies.
Zellic is a smart contract auditing firm founded by hackers, for hackers. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants. Whether you’re developing or deploying smart contracts, Zellic’s experienced team can prevent you from being hacked.
Contact us for an audit that’s better than the rest.