What is DeFi?  A Fat Target for Hackers, Apparently

I’m still trying to grok Decentralized Finance, AKA DeFi, the hot trend in cryptocurrency circles.  Basically, anything a bank or shadow bank does can be recreated digitally.  Operating at light speed, without brakes.  No grownups involved.

As I have said, this may be “disruptive”, but it isn’t especially “innovative”.

What can possibly go wrong?


This month saw thefts that are so common they have a generic name: a flash loan attack [2].

How does this work?

As far as I understand, there are services that not only offer anonymous high interest cryptocurrency loans, but in some cases offer unsecured anonymous high interest loans.  And, in the magical spirit of the internet, some “flash” loans are contracted to be paid back instantly [1].

Huh?  What?

This takes the idea of leveraged speculation to the logical extreme*, letting people deploy huge amounts of cash without ever actually having any cash.

The idea is that the borrower shows evidence that he has 100% collateral, but doesn’t transfer it unless he defaults.  This evidence is in records on a blockchain.  So the lender knows he or she will be paid, because they can see the assets right there and the “smart contract” will deliver it automatically.  Guaranteed.

So what can possibly go wrong?

The problem is that the record on the blockchain may be more foolproof or less foolproof, depending on exactly what assets it records.

The “flash loan attack” is generally done by manipulating the collateral.  If a digital asset can be temporarily puffed up, it can be used as collateral to borrow more of other assets.  Then, the instant loan can be repaid in the un-puffed collateral, making a profit.

This kind of puffing happens especially easily for little used assets (no one can puff up Bitcoin very easily), and most especially when the lender relies on relatively few (or just one) sources of price information.

Remember, this is done by “smart contracts”, which are computer programs.  The contract is told to believe specific data streams reflect asset prices.  So if it relies on only one stream, and you can manipulate that stream, you can fiddle the loan contract.
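To make the single-stream point concrete, here is a small simulation (added here, not from the post or any real lending protocol) of a lender’s collateral check. The price feeds, the 75% loan-to-value ratio and the “puffed” price are constructed numbers; the comparison shows why a lender that trusts one stream hands out more than the collateral is honestly worth, while one that takes the median of several independent streams does not.

```python
from statistics import median

# Constructed sample data (not from the post): three independent price feeds, in USD,
# for a thinly traded token. In the "puffed" snapshot, feed pool_a has been temporarily
# inflated within one transaction; the other feeds still show the honest price.
HONEST_PRICE = 1.00
FEEDS_NORMAL = {"pool_a": 1.00, "pool_b": 1.01, "pool_c": 0.99}
FEEDS_PUFFED = {"pool_a": 5.00, "pool_b": 1.01, "pool_c": 0.99}

# Assumed lending rule: a borrower may draw stablecoins up to 75% of the oracle value
# of the collateral they lock up.
LOAN_TO_VALUE = 0.75


def single_source_price(feeds, source="pool_a"):
    """A lender that believes exactly one data stream."""
    return feeds[source]


def median_price(feeds):
    """A lender that takes the median of several independent streams,
    so one inflated feed cannot move the result past the honest ones."""
    return median(feeds.values())


def max_borrow(collateral_tokens, price, ltv=LOAN_TO_VALUE):
    """Largest loan the contract will issue against the collateral at this price."""
    return collateral_tokens * price * ltv


def lender_shortfall(collateral_tokens, oracle, feeds_seen, true_price=HONEST_PRICE):
    """How much the loan exceeds the collateral's honest value.

    A positive number means that once the price "un-puffs", the collateral
    no longer covers the loan and the lender has been fiddled.
    """
    borrowed = max_borrow(collateral_tokens, oracle(feeds_seen))
    honest_value = collateral_tokens * true_price
    return borrowed - honest_value


if __name__ == "__main__":
    tokens = 1000
    for name, feeds in (("normal", FEEDS_NORMAL), ("puffed", FEEDS_PUFFED)):
        print(f"{name:>6}: single-source shortfall = "
              f"{lender_shortfall(tokens, single_source_price, feeds):8.2f}, "
              f"median shortfall = {lender_shortfall(tokens, median_price, feeds):8.2f}")
```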

Oh, and since this is in Nakamotoland, the borrowers are anonymous and the stolen tokens are whisked away in seconds, never to be seen again.

Does this scam happen?  All the time, apparently, to the tune of millions [2].

As Coppola said, “Caveat investor”.


* Sooner or later, someone will come up with a “time travel” loan, that lets me somehow get money before the loan exists.  You give me money today that you will loan me tomorrow….


  1. Adam B. Levine and John Biggs (2020) The Flash Loan Attacks Explained (for Everybody). Coindesk, https://www.coindesk.com/the-flash-loan-attacks-explained-for-everybody
  2. Kevin Reynolds (2021) DeFi Protocols Cream Finance, Alpha Exploited in Flash Loan Attack; $37.5M Lost. Coindesk, https://www.coindesk.com/defi-protocols-cream-finance-alpha-lose-37-5m-in-exploit-prime-suspect-idd


Cryptocurrency Thursday
