HashKey Cao Yixin: In-depth Analysis of Common Patterns of Economic Attacks in DeFi
This article was published by HashKey Research, original title: "General Pattern Analysis of Economic Attacks in DeFi", author: Cao Yixin
Since 2020, there have been more than a dozen large-scale attack incidents utilizing flash loans in the Ethereum DeFi ecosystem, which have been continuously exposed by the media (as shown in Table 1). These incidents have exhibited obvious patterns and repetitive characteristics. Unlike attack incidents caused by technical vulnerabilities (numbers 6, 8, 11), several other incidents have demonstrated methods of attacking the economic system vulnerabilities of the DeFi ecosystem. On the surface, their commonality is that the main target protocols are associated with certain AMM protocols, and attackers manipulate the asset prices or quantities within the AMM asset pools to cause losses to the associated protocols. We may refer to this as "economic attacks." To date, economic attacks have been categorized into two methods: "price manipulation arbitrage" and "oracle manipulation." This article summarizes the necessary but not sufficient conditions for launching economic attacks and the general attack patterns, thereby inferring the "vital points" of the DeFi systems that attackers target, and providing several warnings to resist such security risks.
Table 1. Flash Loan Attack Incidents
"Price Manipulation Arbitrage" Attack
The principle of "price manipulation arbitrage" attacks is essentially no different from the common pump-and-dump market manipulation behavior in CeFi or the "front running" attacks often encountered in on-chain transactions. Both involve finding ways to leverage others' capital to inflate the price of one's own assets and then sell at a high price for profit. The success of such economic attack incidents in the DeFi ecosystem is related to at least two core modules, the attack target and the AMM, and these two modules are interconnected through Condition One.
Condition One: There exists an asset transfer relationship between the attack target and the AMM, and users can autonomously trigger the execution of smart contracts for asset transfer.
Here, the attack target can be DeFi modules such as yield farms, lending platforms, or leveraged trading platforms. Yield farms are smart contracts running certain investment strategies, comparable to a fund, providing users with proxy wealth management services. Users deposit their assets into the yield farm to earn returns, such as Yearn or Harvest; lending platforms provide services for lenders and borrowers to earn interest spreads, where borrowers generally need to over-collateralize a portion of their assets, such as Compound or Aave; leveraged trading platforms allow investors to pledge certain assets as margin for leveraged trading, such as bZx. AMMs implement automated market maker trading through a pricing function, allowing users to exchange assets or participate in liquidity mining as liquidity providers (LPs), which will not be elaborated further here.
General Steps of "Price Manipulation Arbitrage" Attack
Condition One is a necessary but not sufficient condition for the DeFi system to be subject to "price manipulation arbitrage" attacks. In the actual attack process, factors such as the amount of funds, transaction fees, and checkpoints set in the smart contracts before executing transactions must also be considered. Attackers can establish optimization models to find optimal parameters and predict their "price manipulation arbitrage" returns to decide whether to take action. The general operational steps of this attack method are as follows (combined with Figure 1):
Figure 1. Basic Model of Price Manipulation Arbitrage Attack (numbers represent attack steps, solid lines indicate necessary steps, dashed lines indicate optional steps; the net value calculation of the attack target and the pricing function of the AMM are designed with risks of being exploited by hackers)
Assume the liquidity assets in the AMM asset pool are X and Y, and the liquidity token is C.
Step One: Preparation. Hold the initial asset Y to be manipulated and the initial asset A to trigger the automatic execution strategy of the attack target.
Step Two: Manipulation. Send asset A to the relevant smart contract of the attack target to obtain token B (representing positions in yield farms, lending platforms, leveraged trading platforms, etc., hereafter referred to as "position tokens"), and trigger the smart contract to invest asset X into the AMM asset pool to obtain asset Y or liquidity token C, thereby inflating the price of asset Y in the AMM asset pool.
Step Three: Arbitrage. The attacker inputs the asset Y from Step Two into the AMM asset pool to obtain asset X or liquidity token C at the inflated price. It should be noted that the operations in Steps Two and Three correspond to swap (exchange between X and Y) or liquidity mining (exchange between X or Y and C). For AMMs with three or more tokens, X or Y here can be viewed as an asset combination.
Step Four: Conclusion. The attacker decides whether to redeem position token B for asset D based on the latest net value of token B and subsequent trading plans.
For liquidity-rich asset pools, creating significant price slippage in the AMM often requires a large amount of capital, so attackers generally borrow the initial assets from flash loans. If the categories of assets available for borrowing in flash loans do not meet the requirements, attackers may obtain them through swap, liquidity mining, lending, etc., from certain AMMs or lending platforms; it is also possible that attackers directly acquire them from AMMs associated with the attack target. If attackers used flash loans in the preparation process of Step One, they would need to repay the flash loan in the same attack transaction in Step Four.
Profit Analysis of Attackers
If the attacker does not redeem the position token B, then the initially invested asset A is the cost ceiling, and profits can only be made if the arbitrage gains exceed this cost. This situation has only been successful in attack targets that provide leveraged funding, where attackers leverage a small margin cost A to manipulate a large amount of capital X in the attack target to inflate the price of asset Y in the AMM. However, the prerequisite is that before executing the transaction, the attacker must avoid the attack target's checkpoint that checks whether their margin net value falls below the liquidation line. The attack incident numbered 1 in Table 1 is a typical case.
Two points are worth noting here:
The key here is that the share token B issued by the attack target provides isolation protection for the attacker's initial assets. Attackers often first manipulate the price in the AMM to significantly devalue asset X, sacrificing the attack target's fund assets to shift the price slippage in the AMM to a favorable direction, allowing attackers to achieve considerable arbitrage while ensuring their own assets do not significantly devalue. The attack incident numbered 10 in Table 1 is a typical case.
Loss Analysis
Section 1.2 analyzed the principle of profit for attackers in the "price manipulation arbitrage" attack model. This section further analyzes who the "victim" of the losses is.
From the perspective of the attack target, the changes in the net value of its underlying assets during the entire attack process come from:
- The assets A invested by the attacker to obtain shares;
- The difference from the asset exchange with the AMM, as shown in formula (6);
- The redemption of shares by the attacker.
If the attacker ultimately redeems shares with position token B, then the change in the asset value of the attack target is:
If the attacker does not redeem the initial asset, it is equivalent to the attack target's net income asset A, and formula (10) becomes:
For the AMM, its constant product pricing equation ensures that the total value of the asset quantities multiplied by their prices remains constant before and after the exchange operation; in the case of injecting liquidity, the value per share of the newly issued liquidity tokens is consistent with the value of the original liquidity tokens. Therefore, every time the attacker or the yield farm interacts with it, the exchange is conducted at the internal price of the AMM. Even if the attacker uses a large amount of capital to cause the AMM's price to deviate from the market price, the liquidity providers of the AMM will only temporarily suffer impermanent losses due to the price deviation, and subsequent arbitrageurs will bring the price back to equilibrium, with the benefits obtained by arbitrageurs coming from a portion of the losses of the financial business module.
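The loss attribution described above can be checked numerically. The following is an added example, not code from the original article: it models a fee-free constant-product pool with constructed reserves and market prices of 1 for both assets, and the function names are hypothetical.

```python
def swap(r_in, r_out, amount_in):
    """Fee-free constant-product swap; returns (new_r_in, new_r_out, amount_out)."""
    new_in = r_in + amount_in
    new_out = r_in * r_out / new_in  # keeps r_in * r_out constant
    return new_in, new_out, r_out - new_out


def round_trip(pool_x, pool_y, target_dx, market_px=1.0, market_py=1.0):
    """Profit and loss per party, valued at market prices outside the pool.

    Leg 1: the attack target's strategy swaps target_dx of X for Y at the
           AMM's internal price.
    Leg 2: a holder of Y sells the same amount of Y back into the skewed pool.
    """
    lp_before = pool_x * market_px + pool_y * market_py

    x1, y1, target_dy = swap(pool_x, pool_y, target_dx)  # leg 1: X in, Y out
    y2, x2, holder_dx = swap(y1, x1, target_dy)          # leg 2: Y in, X out

    lp_after = x2 * market_px + y2 * market_py
    return {
        "y_price_after_leg1": x1 / y1,  # internal price of Y in units of X
        "target_pnl": target_dy * market_py - target_dx * market_px,
        "y_holder_pnl": holder_dx * market_px - target_dy * market_py,
        "lp_pnl": lp_after - lp_before,
    }


if __name__ == "__main__":
    # Constructed pool: 1,000,000 X and 1,000,000 Y.
    for size in (25_000.0, 250_000.0):
        result = round_trip(1_000_000.0, 1_000_000.0, size)
        print(size, {k: round(v, 2) for k, v in result.items()})
```

In this model the pool returns to its starting reserves, so the liquidity providers end flat and the Y holder's gain equals the attack target's loss. For equal reserves the loss is `dx**2 / (x + dx)`, so it grows roughly with the square of the trade size relative to pool depth.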
Case Examples
The incidents numbered 1 and 10 in Table 1 both conform to the general pattern of the "price manipulation arbitrage" attack and are easy to replicate. In the Yearn yield farm flash loan attack incident, the attacker followed the four steps summarized in section 1.1:
Step One: Borrow ETH from Aave and dYdX via flash loans, collateralize it in Compound to obtain a large amount of DAI and USDC. A portion of DAI is kept, while another portion of DAI and USDC is collateralized in Curve's 3Pool for liquidity mining, obtaining liquidity token 3CRV. All 3CRV is redeemed for USDT, thus preparing asset Y (USDT) and asset A (DAI).
Step Two: Collateralize DAI in Yearn's yDAI Vault to obtain yDAI (i.e., position token B). This contract will automatically trigger the investment strategy to invest DAI (asset X) into Curve 3Pool's liquidity mining, obtaining 3CRV (token C). As the amount of DAI in 3CRV increases, DAI depreciates according to the updated pricing function, while USDT appreciates.
Step Three: Input the prepared USDT from Step One into Curve 3Pool to exchange for liquidity token 3CRV (token C) at a high price. At this point, the attacker holds more 3CRV than the initial amount in Step One, successfully arbitraging.
Step Four: Redeem DAI (asset D) using yDAI from Step Two. Although the net value of yDAI has decreased, this loss is smaller than the arbitrage gains. The attacker repeats the above steps 10 times in a single flash loan transaction, repays the flash loan, and ultimately accumulates a large amount of 3CRV and USDT.
In the attack incident numbered 1 involving bZx, the attacker borrowed ETH (asset A) from a flash loan, collateralized part to Compound to borrow WBTC (asset Y), and then collateralized part of ETH to bZx to trigger a 5x leveraged short ETH trade, obtaining sETHwBTC5x (position token B) representing the leveraged position. The bZx contract provided leveraged funds to sell a large amount of ETH (asset X) on Uniswap to obtain WBTC (asset Y), raising the price of WBTC threefold. The attacker sold WBTC (asset Y) to get ETH (asset X), repaying part of the flash loan and using the other part to redeem collateral in Compound, without redeeming the leveraged position sETHwBTC5x, as the liquidation line had already been triggered, and the attacker exploited a contract vulnerability to bypass the checkpoint.
The attack incident numbered 3 utilized a "deflationary" token STA supported by Balancer, which replaces the fee collection behavior by destroying its own tokens. By repeatedly trading STA, its quantity continuously decreases, thus raising the price, which is a specific case under certain conditions and is not easy to replicate.
"Oracle Manipulation" Attack
The "oracle manipulation" attack can be viewed as a symmetrical operation of the "price manipulation arbitrage" attack, with the necessary condition being:
Condition Two: The attack target relies on information provided by the AMM to price its internal assets.
Figure 2. Basic Model of Oracle Manipulation Attack (numbers represent attack steps, solid lines indicate necessary steps, dashed lines indicate optional steps; the net value calculation of the attack target and the pricing function of the AMM are designed with risks of being exploited by hackers)
In this case, although the attacker cannot use the assets within the attack target to inflate the price of an asset in the AMM, they can examine whether the AMM module as an oracle can be manipulated to inflate the asset within the attack target.
The main purposes for the attack target to rely on information provided by the AMM are twofold:
- To value collateral;
- To price position tokens.
We can also view this as "net value calculation," and attackers specifically seek to manipulate contracts that deviate from the actual situation in net value calculations.
In the incidents numbered 5 and 9 in Table 1, the attackers exploited the same oracle vulnerability. Both Cheese Bank and Warp Finance yield farms allow users to over-collateralize Uniswap's liquidity token UNI-V2 to borrow stablecoins, while the value of the collateral UNI-V2 is calculated through a self-written oracle contract. This contract calculates based on the asset quantities, asset prices, and issuance of UNI-V2 from the corresponding Uniswap liquidity pool, but the asset quantities and asset prices are obtained from two unrelated sources—asset quantities are directly obtained from the Uniswap liquidity pool balance, while asset prices are obtained from a time-weighted average oracle provided by Uniswap. This allows attackers to increase the nominal value of the collateral UNI-V2 without changing the asset price, thereby borrowing more stablecoins. This type of attack mainly occurs due to the insufficient rigor in the design of the oracle contract, but it has still repeated twice, enough to raise alarms for DeFi projects.
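The mismatch between live pool balances and time-weighted prices can be seen in a small model. This is an added example, not the oracle code of either project: it places the flawed valuation beside a commonly used alternative that derives both quantities and prices from the pool invariant and the TWAP. It assumes a fee-free constant-product pool with constructed numbers, and all function names are hypothetical.

```python
import math


def swap_x_for_y(rx, ry, dx):
    """Fee-free constant-product swap: dx of X goes in, rx * ry stays constant."""
    new_rx = rx + dx
    return new_rx, rx * ry / new_rx


def naive_lp_value(rx, ry, px_twap, py_twap, supply):
    """The flawed pattern: live pool balances multiplied by TWAP prices."""
    return (rx * px_twap + ry * py_twap) / supply


def fair_lp_value(rx, ry, px_twap, py_twap, supply):
    """Quantities and prices taken from one consistent source.

    Solve for the reserves the pool would hold at the TWAP price ratio
    (rx' * ry' = k and rx' * px = ry' * py), which gives a pool value of
    2 * sqrt(k * px * py). A swap moves rx and ry but leaves k unchanged.
    """
    k = rx * ry
    return 2.0 * math.sqrt(k * px_twap * py_twap) / supply


def compare(dx):
    """Value one LP token before and after a swap of dx X within one block."""
    # Constructed pool: 1,000 X at TWAP 2000 and 2,000,000 Y at TWAP 1.
    rx, ry, px, py, supply = 1_000.0, 2_000_000.0, 2_000.0, 1.0, 10_000.0
    skew_rx, skew_ry = swap_x_for_y(rx, ry, dx)
    # The TWAP barely moves within a block, so px and py are reused unchanged.
    return {
        "naive_before": naive_lp_value(rx, ry, px, py, supply),
        "naive_after": naive_lp_value(skew_rx, skew_ry, px, py, supply),
        "fair_before": fair_lp_value(rx, ry, px, py, supply),
        "fair_after": fair_lp_value(skew_rx, skew_ry, px, py, supply),
    }


if __name__ == "__main__":
    for name, value in compare(3_000.0).items():
        print(f"{name:>13}: {value:,.2f}")
```

At fixed TWAP prices the naive value is lowest when the reserves sit at the TWAP ratio, so a skew in either direction overstates the collateral, while the invariant-based value is unchanged by the swap.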
In the incident numbered 2 in Table 1, the attacker manipulated the oracle (Uniswap and Kyber) that valued the collateral sUSD for bZx, inflating the price of sUSD to borrow more ETH.
In the incidents numbered 3 and 7 in Table 1, the attackers manipulated the oracle quotes to increase the net value of the position tokens in the yield farms, thereby exchanging for more assets and accumulating profits through repeated actions.
The general steps of "oracle manipulation" attacks are:
Step One: Preparation. Obtain asset Y for manipulating the AMM oracle and prepare asset A to deposit into the attack target.
Step Two: Collateralization. Deposit asset A into the attack target to obtain the position token B representing the collateral. In some cases, position token B is not issued, and only internal accounting is done in the smart contract.
Step Three: Manipulation. Input asset Y into the AMM to exchange for asset X, changing the ratio of assets in the AMM liquidity pool to alter the quotes, updating the pricing of asset A or position token B in the attack target contract.
Step Four: Conclusion. If it is a lending business, borrow more assets based on the inflated collateral valuation without returning; if it is a yield farm business, redeem assets using the inflated position token B to gain appreciation profits.
Discussion and Insights
This article summarizes the general patterns and naming of economic attacks suffered by DeFi systems, finding that both "price manipulation arbitrage" and "oracle manipulation" attack patterns essentially exploit and manipulate the net value calculation process. Therefore, it is crucial to properly handle this aspect when designing DeFi systems. The most fundamental preventive measure is to eliminate users' permissions to automatically trigger transaction strategy chains or update net values, fundamentally blocking attackers from completing a coherent manipulation process.
For example, in response to the attack strategy of "price manipulation arbitrage," a specific approach might be to use a smart bot to identify user investment behaviors, calculating net values and allocating funds to strategy pools in batches at fixed intervals. However, this method breaks the advantages of atomic transactions, potentially leading to poor user experience, increased costs, and concerns over control of the transactions sent by the bot. On the other hand, most of the currently emerging DeFi combination models still remain at a simple A->B model, while multi-layer nested associations like C->A->B (e.g., Alchemix) have already appeared in the ecosystem, which may inevitably involve automatic triggers between smart contracts and still pose systemic economic vulnerabilities.
In response to the attack risks described by "oracle manipulation," some yield farms have set slippage limits to constrain the price fluctuation range of quoted assets. However, even so, attackers can still find arbitrage opportunities that exceed costs and accumulate total arbitrage amounts through multiple implementations (e.g., the Harvest attack incident numbered 4).
Flash loans play a supplementary role in the entire attack process, providing attackers with a large amount of initial capital and an opportunity to experiment with only the transaction gas fees as the cost. However, with the recent increase in ETH prices, the transaction gas fees required to construct such complex attack strategy smart contracts have become very expensive. The recent single flash loan attack transaction in the Yearn yield farm cost the attacker 1.933 ETH (equivalent to $3088 at that time).
In summary, these economic attack incidents indicate that the design mechanism of AMMs can easily be exploited by attackers to attack associated products and possess specific attack patterns. Breaking the necessary conditions that these attack patterns rely on may trigger new issues, and there is currently no foolproof strategy to completely eliminate such risks. Adding certain constraints to make the arbitrage space significantly smaller than the attackers' expected value may be a method worth exploring, which requires project teams to conduct comprehensive and in-depth research on their own and associated protocols' economic systems.