{"id":115411,"date":"2020-11-19T14:17:36","date_gmt":"2020-11-19T11:17:36","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/finance-redefined-you-get-hacked-they-get-hacked-everyone-gets-hacked-nov-11-18\/"},"modified":"2020-11-19T14:17:36","modified_gmt":"2020-11-19T11:17:36","slug":"finance-redefined-you-get-hacked-they-get-hacked-everyone-gets-hacked-nov-11-18","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/finance-redefined-you-get-hacked-they-get-hacked-everyone-gets-hacked-nov-11-18\/","title":{"rendered":"# Finance Redefined: You get hacked, they get hacked, everyone gets hacked, Nov. 11-18"},"content":{"rendered":"<p>&#8220;<strong># Finance Redefined: You get hacked, they get hacked, everyone gets hacked, Nov. 11-18 <\/strong>&#8221;<\/p>\n<div class=\"post-content\" data-v-5a136f3a>If people actually used insurance against hacks, this week would definitely have bankrupted a great many insurers. 
A total of four flash loan-enabled exploits were registered in the span of one week (one of them actually happened the week before, but nobody noticed until later).<\/p>\n<p>We have, in order, Cheese Bank with a $3.3-million theft, Akropolis with its $2-million loss, Value DeFi with a whopping $6-million exploit, and finally Origin Protocol\u2019s loss of $7 million.<\/p>\n<p>In total the hackers stole $18.3 million, which admittedly is not that much \u2014 less than the one October exploit of Harvest Finance.<\/p>\n<p>As always, the most common comments on the subject are \u201cwere they audited?\u201d and \u201cflash loans are bad.\u201d\u00a0Now, in terms of auditing, I was able to find reports for all of them except Cheese Bank (maybe it was reviewed, it\u2019s just not immediately obvious).<\/p>\n<p>I feel like a broken record by now, but people really need to understand that audits are always going to be limited in their effectiveness. Security companies just don\u2019t have enough eyes and enough time to find everything. <\/p>\n<p>If you want to point at something, I\u2019d focus on the fact that none of these except for Akropolis had an immediately discoverable bug bounty. Even then, given how easy it is to steal money in crypto, these projects should be far more competitive with their payments than any other sector. 
Audits, which apparently run for more than $200,000 if you want premium quality, don\u2019t seem like the most efficient use of money.<\/p>\n<p>Obviously, bounties won\u2019t suddenly turn blackhat hackers into upstanding citizens, but it may change the life of some poor kid who does this for a living and decides to scan your protocol for his lottery ticket. They\u2019d be more than happy to receive $100,000 and have a clean conscience while saving you millions of dollars down the line.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Flash_loans_are_tough_but_fair\"><\/span>Flash loans are tough, but fair<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As for flash loans, I think they\u2019re the greatest tool for increasing DeFi market efficiency that we have at the moment. Their intended usage is to arbitrage various assets across protocols \u2014 buy low on Uniswap, sell high on SushiSwap, all without committing your own capital. They\u2019re also useful to quickly unwind your positions on lending protocols, and I\u2019m sure there are other uses. In short, they\u2019re pretty great.<\/p>\n<p>And yes, flash loans do make hacks simpler. But note that anything that can be done with a flash loan can also be done with a large pile of cash. Hackers may not be that wealthy in general, but it\u2019s actually better for the ecosystem to weed out weak implementations and protocols before it grows to accommodate a billion-dollar hack.<\/p>\n<p>It\u2019s definitely painful to be on the receiving end of a hack, but it\u2019s also a known risk that should be managed. 
Sometimes it may just be bad luck, but that explanation should only be used when every possible mitigation strategy has been exhausted. I hope each protocol that gets hacked takes steps to ensure it never happens again. Otherwise, the hacks will continue until security improves, or until the protocol is dead.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"DEXs_fight_over_the_crumbs_left_by_Uniswap\"><\/span>DEXs fight over the crumbs left by Uniswap<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Uniswap, at one point the largest protocol by total value locked with $3 billion, predictably lost more than half of it just as soon as it stopped printing UNI rewards for its Ether pools.<\/p>\n<p>Most of that made its way to SushiSwap, which went from about $200 million to $1 billion in TVL. Cheekily, the project shifted its yield farming incentives to the same pools used by Uniswap just one day before expiry.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2020-11\/a1abbd08-0716-401c-bcd5-c27c88ae2ef2.png\"><\/figure>\n<p>Then Bancor stepped up by launching its own liquidity mining program, followed by Mooniswap today. The latter two seem to be having modest results, adding maybe $10 million each so far.<\/p>\n<p>So we\u2019re definitely seeing some pretty aggressive competition in that space, powered by a lot of token printing.<\/p>\n<p>But my thesis from last week appears to be mostly correct \u2014 Uniswap doesn&#8217;t care. $1.3 billion with absolutely no subsidies is a pretty amazing result. It\u2019s more than six times higher than before this whole yield-farming season started. Volume is also remaining stable. <\/p>\n<p>Uniswap\u2019s fortunes could, of course, change in the future as the market continues readjusting. Either way, I think this is both a good and bad sign for the future. 
On one hand, we\u2019re seeing pretty clear long-term stickiness after yield farming \u2014 proving that it\u2019s at least somewhat successful at generating organic interest.<\/p>\n<p>On the other hand, we\u2019re seeing that yield farming is somewhat successful, so it may remain a long-term staple of the DeFi world. The concept does have merits, but this summer showed that people often don\u2019t understand what they\u2019re getting into.<\/p>\n<p>As a heads-up, any time a DeFi protocol\u2019s token can be staked to receive more of the same tokens, that\u2019s a very clear Ponzi-like dynamic. It\u2019s a dangerous game to play, just ask people who bought SUSHI at $11. You could argue that Ethereum 2.0 staking is the same, apparently disproving my thesis. The difference is that the much saner yields avoid the huge boom-and-bust cycles typical of many DeFi \u201cfair launches.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Maker_liquidators_are_%E2%80%98slacking_off\"><\/span>Maker liquidators are \u2018slacking off\u2019<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Another issue pointed out this week was the fact that Maker\u2019s keepers \u2014 the agents responsible for liquidating bad debt \u2014 turned out to be completely avoiding small undercollateralized loans. It appears that opening a vault for $100 is just so uninteresting to them that they will ignore it even if it falls below the safety threshold that would let them liquidate it.<\/p>\n<p>It\u2019s fairly easy to see why. Liquidators would get a discount of maybe 5%, so their theoretical profit is just $5, easily eaten by gas fees. <\/p>\n<p>Opening thousands of small vaults is not that expensive and could result in a dangerous vulnerability for Maker. 
Rational keepers would never liquidate this debt, especially if it were left to rot and decisively fall below the 100% collateralization threshold.<\/p>\n<p>That would create unbacked Dai in a manner very similar to Black Thursday.\u00a0I\u2019m sure that in practice, some stakeholders would act altruistically to liquidate debt at a loss before it\u2019s too late. Plus, the system is designed to be bailed out in these situations, as we\u2019ve seen with the MKR auctions after the incident earlier in the year.<\/p>\n<p>But this and the flash-loan vulnerability from a few weeks earlier signal that there is some trouble in paradise. For example, one of the reasons why the community refused to compensate victims of Black Thursday is that it was seen as a failure of the market, not the auction system.<\/p>\n<p>That makes sense, but this latest discovery jolted the community to patch up the issue while waiting for a slight redesign of the auction system. That betrays a certain cognitive dissonance \u2014 they say the system \u201cworked fine\u201d earlier, and yet now it needs to be changed up due to a similar market failure.<\/p>\n<p>Personally, I find Maker governance fascinating and unique among its peers. They\u2019ve had to deal with some very tough choices this year that go well beyond tweaking arbitrary collateral parameters. <\/p>\n<p>I don\u2019t really agree with some of those choices. I definitely feel that the decision not to refund Black Thursday victims was short-sighted, though perhaps it was the product of mutual distrust given the class-action lawsuit hanging over their head. <\/p>\n<p>But that is human nature, and I expect that DeFi governance will eventually go through many of the lessons that history served us. 
Some people have high hopes for DeFi governance to reshape societies just because it\u2019s \u201cdecentralized.\u201d I hope that will be the case, but so far I\u2019m just seeing your run-of-the-mill politics, complete with vested interests, propaganda and deflection.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/finance-redefined-you-get-hacked-they-get-hacked-everyone-gets-hacked-nov-11-18\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# Finance Redefined: You get hacked, they get hacked, everyone gets hacked, Nov. 
11-18 &#8221; If people actually used insurance against hacks, this week would definitely have bankrupted a great many insurers. A total of four flash loan-enabled exploits were registered in the span of one week (one of them actually happened the week before,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":115412,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2020-11\/4af989f3-8101-4aa9-a3c6-479d46c7132e.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74868,74891,74882,76700,4965],"class_list":["post-115411","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-defi","tag-ethereum","tag-hacks","tag-makerdao","tag-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/115411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=115411"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/115411\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/115412"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=115411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=115411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=115411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","
templated":true}]}}