
DeFi Security Risk Analysis: Flash Loans, Price Manipulation Attacks, and Protocol Design Approaches to Reduce Risks
As their market share grows, DeFi platforms are facing increasing security threats.
Author: Revelo Intel
Compiled by: TechFlow
In the cryptocurrency space, DeFi has become a significant development direction. However, as its market share grows, DeFi platforms are also facing increasing security threats.
Recently, Sirmoremoney, co-founder and product lead of Moremoney, discussed several topics on DeFi security during a Twitter Spaces session, particularly focusing on risks related to collateral price manipulation and flash loan attacks. Revelo Intel summarized the discussion and explored measures to mitigate these risks.
Contract Vulnerability Attacks / Flash Loan Attacks
Flash loan attacks involve exploiting the ability to borrow large sums without collateral for a short period to manipulate prices or steal funds. The Platypus attack serves as an example of a contract vulnerability exploit.
The attacker took out a $44 million flash loan from Aave, deposited it into Platypus, and borrowed $42 million. They then exploited a vulnerability in the contract to perform an emergency withdrawal, retrieving their initial deposit while keeping the loaned funds. This attack resulted in a $200 million loss for Platypus Finance.
However, the attacker was only able to exchange approximately $8.5 million worth of the $42 million in USP they had borrowed. Platypus's security advisors and internal team managed to recover $2.4 million, while Tether and Circle froze funds trapped in the contract. The attacker was later arrested in France.
This attack was carried out by a low-level hacker, and so far about 70% of the stolen funds have been recovered.
The key lesson from this incident is that protocols need proper security measures, such as restricting who can call emergency withdrawal functions and implementing debt caps to limit potential losses.
Emergency Withdrawal Function
For example, Moremoney has a rescue function that can only be called by the protocol itself or through governance.
They emphasized the importance of restricting access to this function, something that was not done in the case of Platypus.
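As an added illustration of that point (example code written for this article, not Moremoney's or Platypus's contract), the vault below keeps a rescue path for stuck assets but gates it behind a governance address with a two-step handover, and only lets it move tokens that are not backing user deposits. The `governance`, `rescue` and `IERC20` names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from any protocol named in the article.
// Minimal ERC-20 surface so the contract compiles stand-alone.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract RestrictedRescueVault {
    address public governance;        // only this address may trigger rescues
    address public pendingGovernance; // two-step handover avoids locking the protocol out
    IERC20 public immutable asset;

    mapping(address => uint256) public deposits;
    uint256 public totalDeposits;     // sum of all user deposits

    event Rescued(address indexed to, uint256 amount);

    error NotGovernance();
    error NotPendingGovernance();

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    constructor(IERC20 _asset, address _governance) {
        asset = _asset;
        governance = _governance;
    }

    // ---- two-step governance transfer ----
    function proposeGovernance(address next) external onlyGovernance {
        pendingGovernance = next;
    }

    function acceptGovernance() external {
        if (msg.sender != pendingGovernance) revert NotPendingGovernance();
        governance = pendingGovernance;
        pendingGovernance = address(0);
    }

    // ---- ordinary user flow (state updated before the external call) ----
    function deposit(uint256 amount) external {
        deposits[msg.sender] += amount;
        totalDeposits += amount;
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount; // reverts on underflow in 0.8.x
        totalDeposits -= amount;
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }

    // ---- rescue path ----
    // Unlike a user withdrawal, this ignores per-user accounting. It is
    // callable solely by governance, so a caller holding a large flash-loaned
    // position cannot use it, and it may only move the surplus above what
    // backs user deposits (e.g. tokens sent to the vault by mistake).
    function rescue(address to, uint256 amount) external onlyGovernance {
        uint256 surplus = asset.balanceOf(address(this)) - totalDeposits;
        require(amount <= surplus, "would touch user deposits");
        require(asset.transfer(to, amount), "transfer failed");
        emit Rescued(to, amount);
    }
}
```

The two properties worth checking in review are that every function which can move funds out of the contract without the caller's own accounting being debited is behind `onlyGovernance`, and that the rescue amount is bounded by something the caller cannot inflate within a transaction.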
Collateral Price Manipulation Attacks
Price manipulation attacks involve manipulating token prices on decentralized exchanges (DEXs) to borrow more funds than the actual value of the collateral.
The Mango and Lodestar attacks serve as examples. These incidents caused significant user losses and highlighted the importance of monitoring collateral prices and implementing safeguards against price manipulation.
In both cases, attackers manipulated token prices on DEXs to borrow amounts exceeding the true value of their collateral. Selecting the right price oracle is critical for protocol security; relying solely on spot price oracles is always a poor choice, as flash crashes or other short-lived price swings could lead to substantial losses.
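One protocol-side design that avoids valuing collateral from a single spot price is to require two independent sources to be fresh and to agree, and then to use the lower one. The contract below is an added example, not the oracle of any protocol discussed above; `IPriceSource` is a hypothetical interface standing in for whatever feeds a protocol actually wires in (an aggregated reference feed, an on-chain time-weighted price, and so on).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from any protocol named in the article.
// Hypothetical feed interface: price scaled to 1e18 plus last-update time.
interface IPriceSource {
    function latest() external view returns (uint256 price, uint256 updatedAt);
}

contract GuardedCollateralOracle {
    uint256 public constant BPS = 10_000;

    IPriceSource public immutable primary;   // e.g. an aggregated reference feed
    IPriceSource public immutable twap;      // e.g. a time-weighted on-chain price
    uint256 public immutable maxStaleness;   // seconds a reading may be old
    uint256 public immutable maxDeviationBps; // allowed gap between the two sources

    error ZeroPrice();
    error StalePrice(uint256 updatedAt);
    error PriceDeviation(uint256 primaryPrice, uint256 twapPrice);

    constructor(
        IPriceSource _primary,
        IPriceSource _twap,
        uint256 _maxStaleness,
        uint256 _maxDeviationBps
    ) {
        primary = _primary;
        twap = _twap;
        maxStaleness = _maxStaleness;
        maxDeviationBps = _maxDeviationBps;
    }

    function _fresh(uint256 updatedAt) internal view returns (bool) {
        return updatedAt <= block.timestamp && block.timestamp - updatedAt <= maxStaleness;
    }

    /// Price used to value collateral for borrowing. Both sources must be
    /// fresh and agree within `maxDeviationBps`; the LOWER of the two is
    /// returned so an upward spike on one venue cannot inflate borrowing power.
    function collateralPrice() external view returns (uint256) {
        (uint256 p, uint256 pAt) = primary.latest();
        (uint256 t, uint256 tAt) = twap.latest();
        if (!_fresh(pAt)) revert StalePrice(pAt);
        if (!_fresh(tAt)) revert StalePrice(tAt);

        uint256 hi = p > t ? p : t;
        uint256 lo = p > t ? t : p;
        if (lo == 0) revert ZeroPrice();

        // deviation measured relative to the lower price
        if ((hi - lo) * BPS > lo * maxDeviationBps) revert PriceDeviation(p, t);
        return lo;
    }
}
```

The trade-off is availability: when the two sources disagree by more than the bound, borrowing reverts rather than proceeding on a possibly manipulated price. That is the intended behaviour for new debt, but protocols usually want repayments and liquidations to keep working, so those paths should read a separate, more permissive price or have a governance-settable fallback.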
Risk Mitigation Measures
Such measures include thorough smart contract audits, implementing multi-factor authentication and other security protocols, and isolating risks associated with different assets and lending pools.
Isolated CDP Pools
Isolated CDP (Collateralized Debt Position) pools are crucial for mitigating risks associated with multi-asset pools.
They pointed out that each collateral asset is isolated, meaning that if an attacker exploits one asset, the damage is confined to that asset's pool and cannot drain funds from the entire protocol.
Isolated Debt Ceilings
Isolated debt ceilings limit the amount that can be borrowed against each collateral asset.
They believe this helps prevent attackers from borrowing large sums and reduces risks tied to multi-asset pools.
Global Debt Ceiling
Protocols can implement a global debt ceiling to cap the total amount borrowed across all assets on the platform.
This helps prevent excessive leverage on the platform and minimizes the potential impact of any single attack.
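The three design measures above (isolated positions per collateral asset, a debt ceiling per asset, and a global debt ceiling) fit naturally in one ledger, so here is a single added example covering all three. It is accounting-only code written for this article, not Moremoney's contract: token transfers, stablecoin minting, interest and liquidation are omitted, and the `price`, `ltvBps` and ceiling values are hypothetical inputs that governance would set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from any protocol named in the article.
contract IsolatedCdpLedger {
    struct CollateralConfig {
        bool enabled;
        uint256 price;        // 1e18-scaled; in practice read from a guarded oracle
        uint256 ltvBps;       // max loan-to-value, e.g. 7_000 = 70%
        uint256 debtCeiling;  // max debt mintable against this asset (isolated ceiling)
        uint256 totalDebt;    // debt currently outstanding against this asset
    }

    // A position is keyed by (user, asset): debt against asset A is never
    // backed by collateral in asset B, which is what "isolated CDP" means here.
    struct Position {
        uint256 collateralAmount;
        uint256 debt;
    }

    uint256 public constant BPS = 10_000;
    address public governance;
    uint256 public globalDebtCeiling; // cap across all assets
    uint256 public globalDebt;

    mapping(address => CollateralConfig) public collateral;
    mapping(address => mapping(address => Position)) public positions;

    error NotGovernance();
    error CollateralDisabled(address asset);
    error ExceedsLtv(uint256 requested, uint256 allowed);
    error ExceedsAssetCeiling(address asset, uint256 headroom);
    error ExceedsGlobalCeiling(uint256 headroom);

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    constructor(uint256 _globalDebtCeiling) {
        governance = msg.sender;
        globalDebtCeiling = _globalDebtCeiling;
    }

    function setCollateral(address asset, uint256 price, uint256 ltvBps, uint256 debtCeiling)
        external
        onlyGovernance
    {
        CollateralConfig storage c = collateral[asset];
        c.enabled = true;
        c.price = price;
        c.ltvBps = ltvBps;
        c.debtCeiling = debtCeiling;
    }

    function setGlobalDebtCeiling(uint256 ceiling) external onlyGovernance {
        globalDebtCeiling = ceiling;
    }

    // Ceiling may have been lowered below current usage; never underflow.
    function _headroom(uint256 ceiling, uint256 used) internal pure returns (uint256) {
        return used >= ceiling ? 0 : ceiling - used;
    }

    function depositCollateral(address asset, uint256 amount) external {
        if (!collateral[asset].enabled) revert CollateralDisabled(asset);
        positions[msg.sender][asset].collateralAmount += amount;
        // transferFrom of the collateral token omitted in this accounting-only example
    }

    function borrow(address asset, uint256 amount) external {
        CollateralConfig storage c = collateral[asset];
        if (!c.enabled) revert CollateralDisabled(asset);
        Position storage p = positions[msg.sender][asset];

        // 1. Position-level check: loan-to-value against this asset only.
        uint256 maxDebt = p.collateralAmount * c.price / 1e18 * c.ltvBps / BPS;
        if (p.debt + amount > maxDebt) revert ExceedsLtv(p.debt + amount, maxDebt);

        // 2. Isolated ceiling: bounds total damage if this asset's price is manipulated.
        uint256 assetRoom = _headroom(c.debtCeiling, c.totalDebt);
        if (amount > assetRoom) revert ExceedsAssetCeiling(asset, assetRoom);

        // 3. Global ceiling: bounds total leverage across the whole protocol.
        uint256 globalRoom = _headroom(globalDebtCeiling, globalDebt);
        if (amount > globalRoom) revert ExceedsGlobalCeiling(globalRoom);

        p.debt += amount;
        c.totalDebt += amount;
        globalDebt += amount;
        // stablecoin mint to msg.sender omitted
    }

    function repay(address asset, uint256 amount) external {
        Position storage p = positions[msg.sender][asset];
        uint256 paid = amount > p.debt ? p.debt : amount;
        p.debt -= paid;
        collateral[asset].totalDebt -= paid;
        globalDebt -= paid;
    }
}
```

The ordering of the checks matters for the attack pattern the article describes: even if a manipulated price makes the loan-to-value check pass, the isolated ceiling caps what can be minted against that one asset, and the global ceiling caps what can be minted at all, so the loss from a bad price on one market is bounded twice over.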