"Analysis: How did Lightning Loans exploit a $360,000 arbitrage opportunity in 13 seconds, and how did they handle the aftermath?"

Arbitrage is a profit-making method that relies heavily on capital. The more capital one has, the more arbitrage opportunities and room for operation there will be. However, not long ago, a hacker exploited DeFi protocols to make a whopping $360,000 profit through risk-free arbitrage. Let's take a look at how this hacker navigated between different protocols and successfully made profits.

Flash Loans

Before we dive in, let's first explain what Flash Loans are. Flash Loans are currently a hot topic in the DeFi space because they let a borrower take out assets without any collateral, or in other words, gain access to the "liquidity" of assets. However, the condition is that borrowing and repayment must be completed in the same transaction.

In practical terms, you must be able to write a smart contract that instructs the Ethereum network to use the borrowed ETH to purchase a certain asset at a lower price on exchange A, sell it at a higher price on exchange B, and finally return the borrowed assets.

Miners are responsible for verifying the validity of all transactions and confirming that repayment will definitely be executed before approving the transaction to lend out assets. From the example above, it is clear that due to zero cost and all operations being integrated, Flash Loans are ideal for achieving low-cost arbitrage between DeFi platforms or contracts.

Zero-Cost Arbitrage Strategy

Next, let's see how this hacker used Flash Loans to capture $360,000 through zero-cost arbitrage in about 13 seconds.

  1. First, borrowed 10,000 ETH (worth about $3 million) through the DyDx platform using Aave's Flash Loans protocol.
  2. Used half of the ETH as collateral on Compound to borrow 112 WBTC (Bitcoin on Ethereum), and sent the other half of ETH to bZx's decentralized margin trading platform to short WBTC.
  3. Sent the 112 WBTC borrowed from Compound to Uniswap and sold at a lower price.
  4. Closed the short position and repaid the 10,000 ETH loan.
  5. Made a profit.

Figure: bZx's decentralized margin trading platform Fulcrum was shorted (source: Fulcrum)

Since the above operations were completed in a single on-chain transaction, the hacker only spent 13 seconds and $8.71 in transaction fees. Profiting by selling on the spot market while shorting futures is not a novel tactic; anyone with enough funds can succeed at it. What makes this case special is that, with Flash Loans, the hacker didn't need any upfront capital. Even the poorest person, as long as they can write smart contracts, can leverage this method for arbitrage, which was unheard of in the past.

Price Oracle Vulnerability

The key to the hacker's success in achieving zero-cost arbitrage lies in the fact that the WBTC contract price on the bZx platform only references price data from Uniswap. Therefore, if someone sells a large amount of WBTC on Uniswap, the WBTC contract price on bZx can decouple from the actual price and plummet.

If the WBTC contract price on bZx had been able to track real-time prices from major exchanges like Coinbase, Binance, or Huobi, this incident would not have occurred. It's worth noting that many DeFi projects currently share the same oracle data vulnerability as bZx.
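The oracle weakness described above, as an added Python model that is not code from bZx, Uniswap or ChainLink: a constant-product pool is priced before and after a 112 WBTC sale, first by a single-source oracle and then by a median over independent feeds with a deviation flag. The pool reserves, feed prices, 5% threshold and all function names are constructed assumptions; only the 112 WBTC figure comes from the article.

```python
from statistics import median

class ConstantProductPool:
    """Minimal x*y=k pool (Uniswap-style); swap fees ignored for clarity."""

    def __init__(self, wbtc: float, eth: float):
        self.wbtc, self.eth = wbtc, eth

    def spot_price(self) -> float:
        """ETH per WBTC implied by the current reserves."""
        return self.eth / self.wbtc

    def sell_wbtc(self, amount: float) -> float:
        """Swap WBTC into the pool and return the ETH paid out."""
        k = self.wbtc * self.eth
        self.wbtc += amount
        eth_out = self.eth - k / self.wbtc
        self.eth -= eth_out
        return eth_out


def single_source_oracle(pool: ConstantProductPool) -> float:
    """The weak design: whatever the one pool says is the price."""
    return pool.spot_price()


def median_oracle(pool, reference_prices, max_deviation=0.05):
    """Median over the pool plus independent feeds, with a deviation flag.

    Returns (price, pool_is_outlier). A lending or margin protocol would
    pause price-sensitive actions while pool_is_outlier is True.
    """
    price = median([pool.spot_price(), *reference_prices])
    deviation = abs(pool.spot_price() - price) / price
    return price, deviation > max_deviation


def simulate_dump(sell_amount: float = 112.0):
    # Constructed reserves and feed prices (ETH per WBTC), not real market data.
    pool = ConstantProductPool(wbtc=80.0, eth=3000.0)
    feeds = [37.4, 37.5, 37.6]
    before = single_source_oracle(pool)
    pool.sell_wbtc(sell_amount)  # 112 WBTC is the figure from the article
    after = single_source_oracle(pool)
    guarded, outlier = median_oracle(pool, feeds)
    return {"before": before, "after": after,
            "guarded": guarded, "pool_is_outlier": outlier}


if __name__ == "__main__":
    print(simulate_dump())
```

With these constructed reserves the single-source price falls from 37.5 to about 6.51 ETH per WBTC inside one transaction, while the median stays near 37.45 and the pool is flagged as an outlier.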

After realizing the severity of the issue post-attack, bZx promptly announced the integration of the decentralized oracle platform ChainLink as one of its price data sources. bZx stated:

"We had discussions with the ChainLink team yesterday, and the founder has met with Sergey Nazarov, CEO of ChainLink, many times. We will integrate ChainLink."

bZx to Forcefully Seize Hacker's Collateral

In addition, bZx released the latest information regarding the incident last night. They claimed that no users on the platform incurred any losses, and stated that the attacker left behind $600,000 worth of WBTC on exchanges. bZx plans to use an "admin key" to seize this money and distribute it to other users on the exchange.

https://twitter.com/bzxHQ/status/1228787125740437504?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed&ref_url=https%3A%2F%2Fdecrypt.co%2F19612%2Fhow-a-genius-hacker-made-350000-exploiting-defi

The so-called "admin key" is a safeguard mechanism that is hard-coded into most DeFi projects' protocols and is only used as a last resort. Apart from allowing decentralized applications to modify protocols during upgrades or updates without redeploying the entire smart contract, the admin key's other major function is to control assets held in smart contracts.

To prevent unexpected risks in protocols leading to massive user asset losses, the admin key can step in to safeguard user assets in case of issues. This is why bZx, a decentralized protocol, has the capability to forcibly seize the hacker's assets.

However, the admin key clearly presents a single point of failure issue. Users must trust the team behind the exchange to manage this key and not engage in any misconduct. Considering that the main appeal of DeFi is to eliminate such trust issues, the "admin key" may be one of the significant weaknesses in many decentralized applications at present.

"Update 2/18 14:37"

bZx co-founder Kyle Kistner mentioned in the Telegram group that they had once again been exploited to earn ETH. Kistner stated that they could handle it in the same manner as before. The Twitter announcement also indicated that, due to suspicious trades on decentralized exchange Synthetix, the protocol was temporarily halted again.

The Block media editor Larry Cermak, who first reported this news, later analyzed the "elegant maneuver" on Twitter:

See "Flash Loans Exploited Again! Attacker Earns $640,000, Steps Analyzed"

"Update 2/19 17:20"

bZx has removed the timelock on the smart contract with the admin key until the system issues are resolved.

https://twitter.com/bzxHQ/status/1229959362157760514?s=20
