Produced | NEST Fans (nestfans.com)Produced | NEST Fans (nestfans.com)Introduction: Regarding the security issues of DeFi, from February 2020 to the present, hundreds of millions of dollars have been lost. Various experts have written countless articles to analyze the risks of DeFi Lego. Until now, such issues have not attracted the attention of developers. In an environment where the market continues to be frenzied and the scale of lockups continues to increase, people seem to have forgotten that the hidden danger buried deep in the land of Carnival has not disappeared...The once king of DeFi, the YFI protocol, was not spared
The first lightning loan attack in 2021 happened to the DeFi king in 2020——Yearn Finance protocol. There is no insight into the state of mind of the "attacker". Here, let's take a look at what happened.
According to the intelligence of SlowMist Technology, the DAI policy pool of the Yearn Finance protocol was attacked, and the details are as follows:1. The attacker first borrows a large amount of ETH from dYdX and AAVE using flash loans2. The attacker uses the ETH lent from step 1 to lend DAI and USDC in Compound3. The attacker deposits all the USDC and most of the DAI in the second step into the Curve DAI/USDC/USDT pool. At this time, due to the huge liquidity of the deposit, the attacker has actually controlled the Curve DAI/USDC/USDT pool. most liquidity4. The attacker withdraws a certain amount of USDT from the Curve pool, which makes the ratio of DAI/USDT/USDC unbalanced, and DAI/ (USDT&USDC) depreciates5. In step 3, the attacker recharges the remaining DAI into the yearn DAI strategy pool, and then calls the earn function of the yearn DAI strategy pool to transfer the recharged DAI to the Curve DAI/USDT/USDC pool at an unbalanced ratio. The DAI strategy pool will receive a certain amount of 3CRV tokens6. The attacker re-deposits the USDT taken in step 4 into the Curve DAI/USDT/USDC pool to restore the ratio of DAI/USDT/USDC7. The attacker triggers the withdraw function of the yearn DAI strategy pool. Since the yearn DAI strategy pool was deposited with an unbalanced ratio, the normal ratio is now used for withdrawal, and the proportion of DAI in the pool increases, resulting in the same number of 3CRV generation The amount of DAI that can be retrieved is reduced. These less withdrawn tokens remain in the Curve DAI/USDC/USDT pool8. Since the attacker already held most of the liquidity in the Curve DAI/USDC/USDT pool in step 3, most of the DAI that the yearn DAI policy pool failed to retrieve was distributed to the attacker9. Repeat steps 3-8 above 5 times and return the flash loan to complete the profitThe attacker used flash loans to carry out this circular arbitrage, causing Yearn Finance to lose tens of millions of dollars!The root cause is not flash loans, but a fragile price mechanism
The combination between YFI and Curve uses the different net values of LPs to calculate shares, and determines the price through the shares in the pool. This is a typical price manipulation!We regard the current DeFi agreements as various countries, each country formulates different policy rules, and merchants use the combination of policy rules to find breakthroughs to obtain interest rate differentials. This is to earn a reasonable profit aboveboard, and the attacker cannot be blamed, because your mechanism tells others how to manipulate my price for arbitrage.The problems exposed behind the price manipulation are the directions that we should think about and study more.Today's DeFi protocol developers often put speed and efficiency first, and turn a deaf ear to the essence of the blockchain. Everyone seeks speed and is unwilling to solve the root of the essential problem. Because almost everyone is doing it, turning a blind eye.The design of Bitcoin is to allow all nodes to verify the transaction being broadcast together, and only the broadcast that everyone agrees to is counted. It itself is a redundant complex system. Bitcoin is not intended to innovate in terms of "usability", but to provide a perfect solution in terms of "credibility", which solves the problems in the process of decentralization. Security Question. The larger the computing power scale of the Bitcoin network, the more secure the network, but the efficiency of its transaction processing has not improved.If a price mechanism can be simply determined by uploading the so-called "trusted" nodes to the chain or through LP shares, and the DeFi protocol or users using this price cannot effectively verify your price without permission, Then the price you give is what you say, not the price that has been agreed upon, and it is not what everyone agrees on together; furthermore, the safety factor of the on-chain economy based on this price system will inevitably not change with the scale. enhanced by expansion. To put it simply, this runs counter to the essence of the blockchain, chasing after the end.A firm road to decentralization
NEST Protocol insists on synchronously generating on-chain prices that do not require permission and can be verified by anyone without arbitrage space for calls by DeFi protocols. The quality will also be improved simultaneously. This is the basic attribute that a non-cooperative game system should show, and it can be accumulated in the game.In an efficient market, the game between quotation miners, the game between quotation miners and verifiers, and the game between the agreement and the secondary market, the on-chain price generated by the multi-dimensional non-cooperative game is what we should go for. The root of security in pursuit.Adhering to the essence of the blockchain and strengthening the spirit of decentralization is the first criterion for the development of the blockchain industry. 
IOS
Android