Ethereum Locked in DeFi Rises, While Flash Loan Holes Are Being Plugged
Due to a recent crypto market crash, Ethereum (ETH) locked in DeFi (decentralized finance) is on the rise, while industry players are fixing the flash loan manipulation problem and MakerDAO raises the governance delay.
In early February, total value locked (TVL) in DeFi surpassed USD 1 billion. It fell back and now, a month later, stands at USD 920.5 million, according to DeFi Pulse. It has been dropping to this value since March 7, when the TLV recorded was USD 1.032 billion
ETH locked in DeFi has been rising in that same period. After an 8% drop between February 10 and February 22, there was a gradual rise, followed by a 4.7% jump, from c. ETH 2.8 million on March 7 to more than ETH 3 million today, before moving below this threshold again.
Source: Defi Pulse
Source: Defi Pulse
"ETH price going down: people need to put more ETH in as collateral, collateral counts for less TVL in USD," Martin Köppelmann, CEO and Co-Founder of a prediction market platform built as a decentralized application (dapp), Gnosis, told Cryptonews.com.
Meanwhile, Mariano Conti, Head of Smart Contracts at the Maker Foundation, added that "at least from the Maker side, it’s normal when ETH drops in price for people to either lock up more ETH in their vaults or pay off their debt, because when the price drops they’re closer to liquidation," he said, adding: "Still with the price drop TVL can still be down."
The market itself has turned green today. However, ETH is the worst performer among the top 10 coins by market capitalization. At pixel time (14:00 UTC), it trades at c. USD 203 and is up 0.5% in a day, while other top coins surged 2%-4% and tezos (XTZ) rallied 11%.
Hurrying to plug the holes
Ethereum seems to be discovering many new things in this young industry, including its own vulnerabilities.
We’ve lately seen instances of flash loan exploits whereby, as explained, a proficient trader exploit a weakness in this system that allows borrowing funds without any collateral, but with paying the loan back within a single transaction (a single block). In an attempt to put a stop to flash loan manipulations, a DeFi platform based on Ethereum, bZx, has integrated with Chainlink’s decentralized oracle networks.
Their announcement explains that, utilizing these decentralized oracle solution, "each critical price feed of bZx is secured by numerous independent nodes, which collectively source data from over seven independent data aggregators." Therefore, the price oracles gain larger exposure to market-wide price discovery from top liquidity sources, says bZx, creating stronger security barriers, while both the amount of capital and multi-party coordination needed for an attack are "greatly" increased as well.
As reported, bZx was attacked in mid-February, when the company stated that this wasn’t an oracle attack (an oracle is a path via which a blockchain or smart contract interact with external data), but an exploit of a bug in bZx’s flash loans. Furthermore, they said at the time that they were working on "implementing Chainlink oracles as a supplement to the Kyber price feed to provide time-weighted information on price data" and ensuring that Chainlink doesn’t become a central point of failure in their oracle model. Soon after this, another attack occurred, which bZx confirmed was an oracle manipulation attack and a modified version of the original exploit.
In their latest report detailing the vulnerabilities found, attacks, and solutions, bZx claims that the user funds are safe, despite funds having been lost, because "the company and the protocol stakeholders are absorbing the losses." They add: "In total, the principal owed by the attackers’ two overcollateralized loans is 11497.292543653558548193 ETH. Currently, there is 6,095.57 ETH that can be used to finance the interest payments on the principal, delaying realization of the default by the insurance fund." In the next phase of their plan, bZx will supplement the Chainlink price feeds with Band Protocol.
Meanwhile, a potential major loophole in MakerDAO, the Ethereum-based decentralized finance platform, which leaves it vulnerable for an attack, had been exposed last December, prompting the Maker Foundation to respond. They had moved along with the introduction of the Governance Security Module (GSM) into the core protocol and had added a poll to the governance portal for the community to include the GSM in the Executive vote. The point of GSM is to allow MKR token holders to review changes meant to go into the system, and the proposal to raise the governance delay from 0 to 24-hour delay would give more time to the token holders to respond to potential attacks.
The results of the poll were 95.71% for the inclusion, 4.29% against, among 57 unique voters (5.15% participation), but even though the poll to raise the delay had passed, the executive vote hadn’t. "Could have been because of the Holidays," said Conti, "or the fact that once the community was better informed as to why we hadn’t launched with a delay, they decided against voting it in that quickly." However, it was submitted again on February 21, when it did pass. "So there’s is now a 24-hour Governance Delay," concluded Conti.