DeFi is a collective term for applications and protocols developed on the Ethereum network to enable everything from loans to investing in stocks without relying on a third party to conduct business. Although there are DeFi solutions on other blockchains, Ethereum has been dominant so far.
DeFi’s value propositions
DeFi applications can interact with each other through the Ethereum network. This creates synergies that in the long run may affect and transform the entire financial industry. The applications and protocols are nested together by broadcasting on the Ethereum blockchain, which allows for a fluid dynamic between the different DeFi services. Protocols and applications can be developed and initialized based on the existing DeFi solutions, like a set of Legos. In the future, these solutions can potentially cover all the financial needs a user may have. The system is attractive as it removes the reliance on an active third party to facilitate trades in addition to the many synergies it creates.
The great potential of decentralized financial solutions has made DeFi the fastest growing financial sector over the past year. Applications that allow users to make deposits and receive interest rates from 5 to 20%, as well as decentralized exchanges where users can trade cryptocurrency directly from their own privately held wallets, are the main drivers behind the growth of the DeFi sector.
Two weeks ago, a milestone was reached: the total value of ETH locked in DeFi protocols passed 1 billion USD, a number that is expected to rise further in the coming months.
The attacks on bZx
Nevertheless, it is important to be aware that the sector is in an early stage of development. The early years of radical new technological inventions will always be turbulent, and DeFi is no exception to this norm. Recently we have seen two incidents that have shed light on some potentially critical flaws and raised important questions about DeFi solutions and their future potential.
These incidents were the two recent attacks on the bZx platform. bZx is a DeFi protocol for lending and margin trading and offers, among other things, ‘flash loans’. A flash loan can be described as a risk-free loan: instead of posting conventional collateral, the borrower locks the entire planned loan transaction, including repayment, into a single smart contract transaction that cannot be altered part-way through. Here, the lender (in practice, the contract logic) can verify that the borrower’s investment plan justifies and enables immediate repayment of the loan; if it does not, the transaction as a whole fails. The result is a source of liquidity for guaranteed arbitrage strategies.
The margin trading service offered by bZx is provided externally through Kyber, a decentralized exchange with limited liquidity. That limited liquidity creates potential weaknesses in bZx’s lending protocol, and it was this weakness that was exploited on two separate occasions. The attacks combined price manipulation on Kyber with flash loans from bZx to create arbitrage opportunities at the expense of those who borrowed funds through bZx.
It all culminated in the bZx development team intervening and using their administrator key to pause the system so they could consider whether to lock the funds the exploiter had gained in the trade. The attacks, as well as bZx’s intervention after the attacks, left two major unanswered questions:
- Is decentralized finance safe?
- And can decentralized finance even be called decentralized when the team has room to intervene in such a way?
Is DeFi safe?
The code is the law on any DeFi protocol. The code decides how the protocol acts on every action and movement performed by the users of the application. There are clear advantages to such a structure, especially when it comes to transparency and unambiguity about the expected outcome for the end user. Based on the code, the user can determine with great confidence the outcome of a given set of actions. However, the code also makes the whole system vulnerable. Small errors and other weaknesses in the code can be exploited by attentive users, who can then acquire big gains at the expense of other users.
This is what we saw with the two bZx attacks, which exploited the liquidity relationship with Kyber. Specifically, Kyber’s order book operates under a rule set that makes the system vulnerable to “flash crashes” in periods of low liquidity. This was used to manipulate the price of ether (ETH), which secured the exploiter’s arbitrage gains.
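To make the liquidity point concrete, here is an added example (not code from the original article, nor from bZx or Kyber) that models the exchange as a constant-product pool, an assumption chosen for illustration rather than Kyber’s actual order-book rules. It shows how the same sale moves the spot price far more in a thin pool than in a deep one, and a lending-side guard that refuses a quote deviating too far from an independent reference price.

```python
# Added example, not code from the original article or from bZx/Kyber.
# Models the weakness discussed above: a lending protocol that values collateral
# from a single thin-liquidity exchange inherits that exchange's "flash crashes".
# The exchange is modelled as a constant-product pool (x * y = k); this is an
# assumption for illustration, not Kyber's actual order-book rule set.
from dataclasses import dataclass


@dataclass
class Pool:
    eth: float  # ETH reserve
    usd: float  # stablecoin reserve

    def spot_price(self) -> float:
        """USD per ETH implied by the current reserves."""
        return self.usd / self.eth

    def sell_eth(self, amount: float) -> float:
        """Sell `amount` ETH into the pool; returns USD paid out and updates reserves."""
        k = self.eth * self.usd
        new_eth = self.eth + amount
        new_usd = k / new_eth
        paid_out = self.usd - new_usd
        self.eth, self.usd = new_eth, new_usd
        return paid_out


def price_after_sale(eth_reserve: float, usd_reserve: float, eth_sold: float) -> float:
    """Spot price the pool quotes right after one large sale lands in it."""
    pool = Pool(eth_reserve, usd_reserve)
    pool.sell_eth(eth_sold)
    return pool.spot_price()


def accept_quote(spot: float, reference: float, max_deviation: float = 0.05) -> bool:
    """Lending-side guard (assumed design, not bZx's): refuse to price collateral or
    loans from a spot quote that deviates from an independent reference (e.g. a
    time-weighted or multi-source price) by more than max_deviation."""
    return abs(spot - reference) / reference <= max_deviation


if __name__ == "__main__":
    reference = 200.0  # constructed reference price, USD per ETH
    # The same 500 ETH sale into a thin pool and a deep pool (constructed reserves).
    thin = price_after_sale(1_000, 200_000, 500)        # ~88.9 USD: a 55% "flash crash"
    deep = price_after_sale(100_000, 20_000_000, 500)   # ~198.0 USD: about 1% impact
    for name, spot in (("thin", thin), ("deep", deep)):
        verdict = "accepted" if accept_quote(spot, reference) else "REJECTED"
        print(f"{name} pool quotes {spot:.2f} USD/ETH -> {verdict}")
```

The guard does not stop the exchange’s price from moving; it stops the lending protocol from acting on a price that only a single thin market believes.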
The rigidity of written code can form the basis for a number of similar loopholes that creative attackers can exploit. No coder codes perfectly, and we have to assume that these exploits are just the start of a trend in which DeFi protocols are placed under scrutiny by opportunistic attackers seeking weak points to exploit in the years to come. Time will tell whether DeFi will cope with this pressure and emerge as an antifragile system in the years ahead.
Is DeFi decentralized?
Most DeFi applications are based on Ethereum and therefore have a seed (an administrator key) that gives the dev team administrator access. Different protocols have approached this point of centralization differently. Some dilute the centralization by adding an anonymization element to the protocol’s smart contracts. Others use an administrator intervention delay (a timelock), which allows users to respond to changes to the protocol before the changes take effect. Some DeFi applications are less transparent in this area, and the power of the administrator keys is more uncertain. This is worrying for two reasons:
- Can you trust the dev team’s honesty to build a credible platform?
- Can you rely on the operational security of the team and that their administrator key will not be compromised by other entities with bad intentions?
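The intervention delay mentioned above is easiest to understand in code. The following is an added example, not code from the original article or from any DeFi project: a minimal model of a timelock in which an admin change is queued with an earliest execution time, users can list what is pending and react before it becomes executable, and stale or cancelled changes cannot be pushed through. The delay, grace window and names are assumptions chosen for illustration.

```python
# Added example, not code from the original article or from any DeFi project.
# Models the "administrator intervention delay" (timelock) pattern: an admin
# change is queued with an earliest execution time, and anyone can inspect the
# queue and react (e.g. withdraw) before it becomes executable.
# The delay, grace window and names are assumptions chosen for illustration.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Proposal:
    description: str
    eta: int                 # earliest unix time at which it may execute
    executed: bool = False
    cancelled: bool = False


@dataclass
class Timelock:
    delay: int                        # seconds users get to react (e.g. 48 h)
    grace: int = 14 * 24 * 3600       # execution window after eta; older proposals expire
    queue: List[Proposal] = field(default_factory=list)

    def queue_change(self, description: str, now: int) -> Proposal:
        """Admin announces a change; it cannot take effect before now + delay."""
        proposal = Proposal(description, eta=now + self.delay)
        self.queue.append(proposal)
        return proposal

    def pending(self, now: int) -> List[Proposal]:
        """What users can see coming: queued, live, and not yet executable."""
        return [p for p in self.queue
                if not p.executed and not p.cancelled and now < p.eta]

    def cancel(self, proposal: Proposal) -> None:
        proposal.cancelled = True

    def execute(self, proposal: Proposal, now: int) -> bool:
        """Returns True only if the change may take effect at time `now`."""
        if proposal.executed or proposal.cancelled:
            return False
        if now < proposal.eta:                      # delay not yet elapsed: the core guarantee
            return False
        if now > proposal.eta + self.grace:         # stale: must be re-queued and re-announced
            return False
        proposal.executed = True
        return True
```

Contrast this with an unrestricted administrator key, which can pause or change the protocol in the same block with no notice to users.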
Ultimately, it is of utmost importance that users of DeFi applications are aware that the apps are not necessarily fully decentralized, and of the implications this may entail. The value propositions of DeFi applications must be seen in light of the fact that DeFi opens up a very wide range of financial instruments, with favorable and attractive services for the users of the applications. This is made possible by the interoperability of DeFi protocols, as they are all based on the open, decentralized and (probably) immutable Ethereum blockchain.
Originally published on Arcane Research’s blog.