Security | From 2,000 to 40,000 USD, analysis of flash loan arbitrage incident

The CertiK security research team discovered a flash loan with a huge transaction volume, where two thousand dollars turned into forty thousand dollars in a blink of an eye. What is this method of getting rich?

Two thousand dollars suddenly increased 20 times. How did they get rich?

At 1:58 pm Beijing time on August 10, the CertiK security research team discovered a flash loan with a huge transaction volume at block height 10633645 of the Ethereum blockchain. After analysis and research, the CertiK security research team believes that this incident is a carefully designed arbitrage event and does not involve any blockchain or smart contract vulnerability security issues.

"Flash arbitrage" is a unique technique in the DeFi field, and is also known as the "DeFi alchemy". It not only makes full use of the characteristics of blockchain smart contracts, but also directly realizes an arbitrage model without shock risk. In combination with the low-cost funds provided by "flash loans", it minimizes capital risks and improves capital utilization, making arbitrage as a market price discovery mechanism play its role to the extreme.

The simple explanation of this arbitrage event is the familiar trading method of buying low and selling high, using price differences to make profits.

With the emergence of DeFi, a new financial field based on blockchain technology, arbitrage and other trading behaviors that use financial knowledge to make profits will inevitably be applied to DeFi.

The process of this arbitrage event is as follows:

Image source: https://etherscan.io/tx/0x01afae47b0c98731b5d20c776e58bd8ce5c2c89ed4bd3f8727fad3ebf32e9481

Event Flow

• Traders borrowed approximately 405k USDC from dYdX

• The trader used the 45k USDC he prepared and the approximately 405k USDC he borrowed, a total of 450k USDC, to exchange approximately 1,072 ETH from Uniswap. (1 ETH = 419.887503652 USDC)

• The trader continued to use all the ETH exchanged to exchange about 493k USDT in Uniswap. (1 ETH = 459.822535801USDT)

• The trader exchanged about 493k USDT for USDC through curve.fi, and finally received a total of 493k USDC. (1 USDT = 0.9999 USDC)

• Use the final 493k USDC to repay the 405k USDC borrowed from dYdX at the beginning

The profit of the whole process is about 493k-405k-45k = 43k. Considering the transaction fee of about 2k, the trader's final profit is about 41k USDC. The profit mainly occurs in steps 2 and 3, the exchange rate difference between ETH and USDT and USDC in Uniswap.

This arbitrage is not the first arbitrage incident in DeFi. In February this year, unidentified persons attempted to arbitrage about $360,000 by manipulating the DeFi loan protocol bZx.

The CertiK security research team believes that the main reason why DeFi has become the target market for arbitrage traders is the existence of flash loans in DeFi projects, which are special and different from the operation mode of traditional financial loans.

Its main features are:

• No collateral required

• Real-time payment

The restriction of flash loans is that the entire operation of loan-operation-repayment must be completed in one transaction. If the repayment operation is not completed in the end, that is, the borrower does not return the money, then the entire transaction will be revoked and restored to ensure safety.

That is to say, if you borrow 10,000 yuan and do not repay it when it is due, then the 10,000 yuan will be treated as if you had never borrowed it, and all operations will be rolled back.

Therefore, with the advantages of flash loans, traders can obtain a large amount of funds for automatic arbitrage processes without relying on mortgages or their own funds. If the arbitrage transaction is truly completed and a profit is made, it can be said that it is "making money out of nothing."

In this incident, we can see that although the trader prepared 45k USDC himself, he still relied more on the 405k USDC borrowed from dYdX as the starting capital for arbitrage transactions.

Using flash loans that do not require collateral, traders can easily obtain large amounts of start-up capital to conduct financial transactions, including arbitrage.

suggestion

The prerequisite for this arbitrage event to occur is that there is still a price difference in different DeFi exchanges.

CertiK Security Research Team recommends:

• From the perspective of controlling price differences, establishing a price synchronization mechanism between different exchanges or using the same price oracle can reduce the probability of arbitrage events.

• From the perspective of smart contracts that execute arbitrage events, taking additional verification steps for transactions involving a large number of transactions or increasing the transaction fees for such transactions will reduce the occurrence of arbitrage events.