You get hacked, they get hacked, everyone gets hacked, Nov. 11-18


If people actually used insurance against hacks, this week would definitely have bankrupted a great many insurers. A total of four flash loan-enabled exploits were registered in the span of one week (one of them actually happened the week before, but nobody noticed until later).

We have, in order, Cheese Bank with a $3.3-million theft, Akropolis with its $2-million loss, Value DeFi with a whopping $6-million exploit, and finally Origin Protocol’s loss of $7 million.

In total the hackers stole $18.3 million, which admittedly is not that much — less than the one October exploit of Harvest Finance.

As always, the most common comments on the subject are “were they audited?” and “flash loans are bad.” Now, in terms of auditing, I was able to find reports for all of them except Cheese Bank (maybe it was reviewed, it’s just not immediately obvious).

I feel like a broken record by now, but people really need to understand that audits are always going to be limited in their effectiveness. Security companies just don’t have enough eyes and enough time to find everything.

If you want to point at something, I’d focus on the fact that none of these except for Akropolis had an immediately discoverable bug bounty. Even then, given how easy it is to steal money in crypto, these projects should be far more competitive with their payments than any other sector. Audits, which apparently run for more than $200,000 if you want premium quality, don’t seem like the most efficient use of money.

Obviously, bounties won’t suddenly turn blackhat hackers into upstanding citizens, but they may change the life of some poor kid who does this for a living and decides to scan your protocol for his lottery ticket. They’d be more than happy to receive $100,000 and have a clean conscience while saving you millions of dollars down the line.

Flash loans are tough, but fair

As for flash loans, I think they’re the greatest tool for increasing DeFi market efficiency that we have at the moment. Their intended usage is to arbitrage various assets across protocols — buy low on Uniswap, sell high on SushiSwap, all without committing your own capital. They’re also useful to quickly unwind your positions on lending protocols, and I’m sure there are other uses. In short, they’re pretty great.

And yes, flash loans do make hacks simpler. But note that anything that can be done with a flash loan can also be done with a large pile of cash. Hackers may not be that wealthy in general, but it’s actually better for the ecosystem to weed out weak implementations and protocols before it grows to accommodate a billion-dollar hack.

It’s definitely painful to be on the receiving end of a hack, but it’s also a known risk that should be managed. Sometimes it may just be bad luck, but that explanation should only be used when every possible mitigation strategy has been exhausted. I hope each protocol that gets hacked takes steps to ensure it never happens again. Otherwise, the hacks will continue until security improves, or until the protocol is dead.