On December 2, the aBNBc token (a wrapped BNB asset) contract of the crypto infrastructure provider Ankr was attacked through an unlimited-mint vulnerability. The attacker minted a huge quantity of aBNBc and dumped it, driving the price of aBNBc close to zero. Many users did not learn of the news in time to cut their losses.

At the same time, sharper-eyed actors immediately arbitraged the event: starting with 10 BNB they bought aBNBc and extracted more than 15.5 million US dollars through the lending protocol Helio.

1 Ankr attack incident review

Reviewing the Ankr attack, the actors who made huge profits fall into two roles:

  • The first, and most direct: the hacker exploited the contract vulnerability to mint a large amount of aBNBc out of thin air and profited by dumping it on the market;

  • The second: on-chain users with a keen nose took advantage of the violent swing in aBNBc's secondary-market price and of a flaw in the lending protocol's oracle price feed to borrow against the token for arbitrage (it cannot be ruled out that this was the attacker himself).

First, Ankr may have lost control of its deployer key, which let the attacker exploit the contract and mint 10 trillion aBNBc out of thin air.

The attacker then swapped the aBNBc for 5 million USDC on PancakeSwap, nearly draining the liquidity pool and pushing aBNBc close to zero. The attacker then bridged the assets to Ethereum and sent them to Tornado Cash.

At the same time, about half an hour after the hacker minted the tokens, aBNBc plummeted, creating an arbitrage window: the lending protocol Helio priced aBNBc through an oracle that used a 6-hour time-weighted average, so its internal price lagged far behind the market. Arbitrageurs bought aBNBc cheaply on the market, exploited the gap between that price and the one inside Helio to swap into hBNB, pledged the hBNB to mint the stablecoin HAY, and then exchanged it for BNB and USDC.

In total, the arbitrageurs extracted more than 15 million US dollars' worth of stablecoins and BNB, essentially emptying HAY's trading-pair pool, and then transferred the BUSD and BNB to Binance.

Seen this way, the attacker profited because Ankr's aBNBc smart contract itself was vulnerable, while the arbitrageurs profited because the Helio protocol clearly had an oracle price-feed problem, and their keen nose caught the arbitrage opportunity it created immediately.

Moreover, the arbitrage (USD 17 million) was clearly more lucrative than the direct attack (USD 5 million), so Twitter user rick awsb noted in his review that if the attacker had gone the arbitrage route directly, first taking HAY's profits and then selling the aBNBc, he could have earned at least $15 million more. Of course, if the hacker and the arbitrageur were the same person, this puzzle explains itself.

2 “Oracle Attack” in the DeFi World

In fact, DeFi losses caused by this kind of "oracle attack" were already common in 2020, and the earliest typical example traces back to the bZx protocol (now renamed Ooki).

On February 15, 2020, an attacker likewise took advantage of bZx's borrowing and other functions, stringing together DeFi "Lego" within a single Ethereum block time (less than 15 seconds): five DeFi products (dYdX, Compound, bZx, Uniswap, Kyber) were called in a tightly linked chain of contract calls, without the attacker using any funds of his own, and by manipulating prices between them he walked away with thousands of ETH.

The whole process took place within Ethereum block 9484688 on February 15, 2020, and has become a classic:

  1. The attacker first borrowed 10,000 ETH from dYdX via a flash loan, without collateral;

  2. The attacker then pledged 5,500 ETH on Compound and borrowed 112 WBTC (a wrapped Bitcoin asset on Ethereum);

  3. At the same time, the attacker deposited another 1,300 ETH into bZx and opened a 5x leveraged short on ETH (ETH/WBTC) through bZx's margin trading: bZx borrowed 5,637.6 ETH and swapped it for 51.3 WBTC through Kyber's Uniswap reserve;

  4. Because WBTC liquidity on Uniswap was far too shallow, the swap caused enormous slippage and the WBTC price on Uniswap tripled, deviating sharply from its fair value;

  5. The 112 WBTC borrowed in step 2 were then sold on Uniswap at this heavily distorted price, yielding 6871.4 ETH;

  6. Finally, 6871.4 ETH + 3200 ETH (never used) = 10000 ETH (repaying the dYdX loan) + 71.4 ETH left over; and since the sale in step 5 had pushed the WBTC price back down, the attacker could buy back 112 WBTC for roughly 4300 ETH, repay Compound and recover the 5500 ETH collateral from step 2, netting about 1200 ETH;

The final profit is 71.4 ETH + 1200 ETH = 1271.4 ETH.

Broadly speaking, the playbook is the same: the oracle is the target, and the attacker exploits the weakness of other DeFi protocols that rely on that oracle for their price feed in order to arbitrage:

By manipulating the WBTC/ETH price on Kyber and Uniswap, the attacker exploited bZx's reliance on Uniswap alone as its price feed, so that he could sell WBTC at a price inflated to 3 times its fair value and profit.
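The price push in steps 3 to 5 can be reproduced with a constant-product pool model, which also shows what a deviation guard on the oracle consumer side would have flagged. The following Python is an added example, not code from the article or from bZx/Uniswap; the reserve sizes (7,700 ETH / 192.5 WBTC) are constructed, and `oracle_price_is_sane` is a hypothetical check a lending protocol could apply before trusting a single pool's spot quote.

```python
# Constant-product AMM (x * y = k) model showing why a single shallow pool
# is an unsafe price source. Reserve sizes are constructed toy values,
# not the real 2020 Uniswap WBTC/ETH pool.
FEE = 0.003  # 0.3% swap fee, as in Uniswap v1/v2

def swap_exact_in(reserve_in, reserve_out, amount_in, fee=FEE):
    """Sell amount_in of the input token; return (amount_out, new_in, new_out)."""
    amount_in_after_fee = amount_in * (1 - fee)
    amount_out = reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out

def spot_price(reserve_eth, reserve_wbtc):
    """Marginal price of 1 WBTC in ETH as the pool currently quotes it."""
    return reserve_eth / reserve_wbtc

def push_price(reserve_eth, reserve_wbtc, eth_in):
    """Swap eth_in ETH for WBTC and report how far the pool's quote moved."""
    before = spot_price(reserve_eth, reserve_wbtc)
    wbtc_out, new_eth, new_wbtc = swap_exact_in(reserve_eth, reserve_wbtc, eth_in)
    after = spot_price(new_eth, new_wbtc)
    return {"wbtc_out": wbtc_out, "price_before": before,
            "price_after": after, "ratio": after / before}

def oracle_price_is_sane(pool_price, reference_price, max_deviation=0.10):
    """Hypothetical guard a lending protocol should apply before trusting a
    DEX spot quote: reject it when it strays more than max_deviation from an
    independent reference (a TWAP or a second venue)."""
    return abs(pool_price - reference_price) / reference_price <= max_deviation

def bzx_style_scenario():
    """Constructed pool of 7,700 ETH / 192.5 WBTC (40 ETH per WBTC); the
    5,637.6 ETH buy from step 3 of the write-up is routed through it."""
    result = push_price(7700.0, 192.5, 5637.6)
    result["fair_value_112_wbtc"] = 112 * result["price_before"]
    result["oracle_value_112_wbtc"] = 112 * result["price_after"]
    result["guard_rejects"] = not oracle_price_is_sane(
        result["price_after"], result["price_before"])
    return result

if __name__ == "__main__":
    for key, value in bzx_style_scenario().items():
        print(f"{key}: {value}")
```

With these reserves the single swap moves the pool's WBTC quote to roughly 3x, so a spot-price oracle values the 112 WBTC at about three times their fair worth, while a 10% deviation guard rejects the quote outright.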

In a sense, when hackers steal assets from a CEX through phishing, credential stuffing and similar means, that is ill-gotten gain, whereas arbitrage within the rules of DeFi could be called making money in the open. The methods are clever, but hard to dispute.

3 "arbitrageurs" who make money

In fact, looking back at LUNA/UST's collapse to zero in the first half of this year, the same holds. Whenever such an attack or a violent price move occurs, there are slow-to-react on-chain users who get second-hand, delayed information through the media, Discord and the like, and suffer losses as a result.

Of course, there are also users who react quickly and learn of the event immediately, then exploit oracle weaknesses such as delayed price feeds, inflicting heavy losses on a batch of DeFi protocols such as lending protocols and DEXs while reaping huge profits themselves.

Venus loses $14.2 million

On May 12 this year, as LUNA/UST entered its death spiral, Chainlink's LUNA price feed hit its configured price floor and was paused at a price of $0.107.

But at the same time, the LUNA market of Venus, a lending protocol on BNB Chain, kept running, and its LUNA price came from that Chainlink feed, which produced an obvious logical hole:

LUNA's spot price kept falling, yet Venus, relying on the Chainlink feed, still let users borrow against LUNA collateral valued at the stale price of $0.107.

Not until 4 hours later, when the spot price was about $0.01, did the team notice the problem and pause the protocol. During that window users had already borrowed against the mispriced collateral in an "oracle attack", leaving a shortfall of approximately $14.2 million.

Drift Protocol loses $10.4 million

Also on May 12, amid the violent swings in the LUNA price, the oracle price feed of the Solana-based perpetual contract protocol Drift Protocol failed to track secondary-market prices in time. Users were therefore able to withdraw from the collateral vault and treasury more funds than they were entitled to, against collateral that was by then worth far less than its feed value, resulting in a $10.4 million loss.
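The Helio, Venus and Drift cases above are three failure modes of the same consumer-side mistake: trusting a feed value that is pinned at a bound, stale, or lagging far behind spot. The Python below is an added example, not code from Ankr, Helio, Venus, Drift or Chainlink; the feed rounds and prices are constructed, the `min_answer`/`max_answer` bounds model the floor that froze the LUNA feed, and `FeedRound`, `validate_price` and `collateral_value` are hypothetical names for the checks a lending protocol would apply.

```python
from dataclasses import dataclass

@dataclass
class FeedRound:
    """One reported round from a Chainlink-style aggregator (constructed)."""
    answer: float       # reported price
    updated_at: int     # unix time of the last update
    min_answer: float   # floor the aggregator will not report below
    max_answer: float   # ceiling it will not report above

def twap(samples):
    """Time-weighted average of (seconds_at_price, price) samples."""
    total = sum(d for d, _ in samples)
    return sum(d * p for d, p in samples) / total

def validate_price(rnd, now, spot, heartbeat=3600, max_deviation=0.20):
    """Return (ok, reason); ok is False when the feed must not price collateral."""
    if rnd.answer <= rnd.min_answer or rnd.answer >= rnd.max_answer:
        return False, "answer pinned at feed bound"   # Venus/LUNA failure
    if now - rnd.updated_at > heartbeat:
        return False, "stale round"                   # Drift failure
    if abs(rnd.answer - spot) / spot > max_deviation:
        return False, "feed lags spot"                # Helio TWAP failure
    return True, "ok"

def collateral_value(amount, rnd, now, spot):
    """Value collateral at the lower of feed and spot, or 0 (refuse new
    borrows) when the feed fails validation."""
    ok, _ = validate_price(rnd, now, spot)
    return amount * min(rnd.answer, spot) if ok else 0.0

def scenarios(now=1_700_000_000):
    # Venus-style: LUNA feed frozen at its $0.107 floor while spot is $0.01.
    luna = FeedRound(0.107, now - 4 * 3600, 0.107, 1000.0)
    # Drift-style: in-bounds value, but the round is two hours old.
    drift = FeedRound(60.0, now - 2 * 3600, 0.01, 1e6)
    # Helio-style: 6-hour TWAP of aBNBc after 5.5 h near $300, 0.5 h near $3.
    abnbc_twap = twap([(5.5 * 3600, 300.0), (0.5 * 3600, 3.0)])
    abnbc = FeedRound(abnbc_twap, now - 60, 0.01, 1e6)
    healthy = FeedRound(30.0, now - 600, 0.107, 1000.0)
    return {
        "luna": validate_price(luna, now, 0.01),
        "drift": validate_price(drift, now, 20.0),
        "abnbc": validate_price(abnbc, now, 3.0),
        "abnbc_twap": abnbc_twap,
        "healthy": validate_price(healthy, now, 29.5),
        "luna_collateral": collateral_value(1_000_000, luna, now, 0.01),
        "healthy_collateral": collateral_value(100, healthy, now, 29.5),
    }
```

The TWAP case makes the Helio lag concrete: half an hour of near-zero prices barely dents a 6-hour average, so the feed still reports about $275 while spot is $3.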

4 Summary

A careful review shows that highly alert users reach the first wave at the very beginning and take profits quickly, which again demonstrates that sensitivity and execution are the basic elements of profit in Web3.

So even if you cannot be a deeply technical hacker, if you can keep a keen nose and decisive execution amid the flood of Web3 information, understand the basic principles of DeFi, and learn of fleeting crises quickly and efficiently, it is possible to find similar opportunities in the Web3 world.