'A New Class of Attack' In Crypto Is 'Actively Exploited' - Research
The crypto market went through one of its wildest rides in the March market crash, which, among other events, saw a so-called "zero-bid" attack on MakerDAO, a decentralized lending facility built on the Ethereum (ETH) blockchain and the creator of the DAI stablecoin. Recent research, however, offers a possible explanation for the attack, putting a spotlight on the relevance of mempools and the consequences of not monitoring their vulnerabilities carefully.
"Cryptolawyers take note--new fodder for your force majeure / material adverse exception event type contract clauses. [C]ryptoclients take note - does your lawyer know the ways a blockchain can screw up & leave you with unhappy potential litigants?" attorney Gabriel Shapiro wrote today.
Dan Elitzer, an investor at IDEO CoLab Ventures, stressed that the report contains "strong evidence of a new class of attack that all DeFi users (in fact, all blockchain users) will need to be aware of."
Meanwhile, commenters are calling for greater liability for each individual part of the crypto ecosystem.
As reported in April, the Maker Foundation faced a proposed class-action lawsuit from investors, who claimed that it "intentionally and fraudulently" misrepresented the risks of the MakerDAO protocol and that some investors suffered a 100% collateral loss on Black Thursday.
These comments came today as a reaction to a report by blockchain transaction manager Blocknative, which stated that they have "uncovered evidence that the MakerDAO liquidations on March 12 and 13 were an engineered event."
They claimed that the evidence can be found in the mempool, the pre-chain area within the Ethereum ecosystem from which miners draw transactions to create blocks, stating that they captured over 30 million rows of data over the course of the massive crash on March 12, known as Black Thursday. What they found were "several 'vulnerabilities' that appear to have been exploited."
The report listed three major contributing mempool factors to the events on March 12 and 13:
- Stuck Transactions — mempool congestion significantly increased stuck transaction rates, blocking subsequent transactions from the same address.
- Mempool 'Compression' — a reduction in the marketable portion of the mempool (transactions with sufficient gas to be considered by miners), which can bias gas price estimates.
- 'Hammerbots' — automated transaction systems that magnified congestion, and therefore compounded mempool compression.
One consequence of this congestion was the now notorious 'zero bid auctions' on liquidated MakerDAO CDPs (Collateralized Debt Positions). These factors caused auctions (forced liquidations of a large number of undercollateralized CDPs) to get stuck, essentially blocking market participants and bots from taking part in the 10-minute auction window and allowing zero-bid transactions to win out. 37% of the liquidation auctions connected to Black Thursday were won by zero bids, resulting in the loss of USD 8.32 million in aggregate locked CDP value.
"The mempool is a critical – yet ephemeral and often overlooked – element of the blockchain ecosystem," the report stated, adding:
"At this stage, we do not know how often techniques like these are exploited in the wild – only that they appear to be actively exploited. And we do not know how many related exploits exist – only that sophisticated exploits appear to have been demonstrated to be effective in the real-world."
Blocknative, therefore, provided certain recommendations for all exchanges, protocols, wallet providers, and traders:
How can you protect against mempool vulnerabilities?
1. Monitor mempool conditions
2. Understand TX nonce ordering
3. Watch for stuck transactions
4. Calculate gas prices based on the marketable portion of the mempool
5. Do not assume predictable pending transaction behavior
8/14 — Blocknative (@blocknative), July 22, 2020
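As an added illustration of recommendations 2 to 4 (this is example code written for this article, not Blocknative's tooling), the sketch below runs over a constructed set of pending transactions, flags senders whose lowest pending nonce is underpriced and therefore head-of-line blocks every later nonce from the same address, and contrasts a naive gas estimate over the whole pool with one taken only from the marketable portion. The inclusion floor of 50 gwei and the sender addresses are assumed values.

```python
"""Mempool monitor sketch: stuck nonce chains and marketable-portion gas estimate.
Example code for this article, not Blocknative's code. Sample data is constructed."""
from collections import defaultdict
from statistics import median

# Constructed pending pool: (sender, nonce, gas_price_gwei). Senders are placeholders.
PENDING = [
    ("0xA", 5, 2),    # underpriced head: blocks nonces 6 and 7 from 0xA
    ("0xA", 6, 80),   # well priced, but cannot be mined before nonce 5
    ("0xA", 7, 90),
    ("0xB", 1, 60),
    ("0xB", 2, 65),
    ("0xC", 9, 1),    # underpriced, nothing queued behind it
    ("0xD", 3, 120),
]

def marketable(pending, floor_gwei):
    """Transactions priced at or above the assumed inclusion floor, i.e. the part
    of the pool miners will actually consider (the 'marketable portion')."""
    return [tx for tx in pending if tx[2] >= floor_gwei]

def stuck_chains(pending, floor_gwei):
    """Per sender, sort by nonce. If the lowest pending nonce is below the floor,
    every later nonce from that sender is blocked regardless of its own gas price.
    Returns {sender: (stuck_head_nonce, [blocked_nonces])}."""
    by_sender = defaultdict(list)
    for sender, nonce, gas in pending:
        by_sender[sender].append((nonce, gas))
    stuck = {}
    for sender, txs in by_sender.items():
        txs.sort()
        head_nonce, head_gas = txs[0]
        if head_gas < floor_gwei:
            stuck[sender] = (head_nonce, [n for n, _ in txs[1:]])
    return stuck

def gas_estimate(pending, floor_gwei):
    """Median over the whole pool (biased low under 'compression') vs median over
    the marketable portion only. Returns (naive_gwei, marketable_gwei)."""
    naive = median(tx[2] for tx in pending)
    mkt = median(tx[2] for tx in marketable(pending, floor_gwei))
    return naive, mkt

if __name__ == "__main__":
    FLOOR = 50  # assumed inclusion floor in gwei
    print("stuck chains:", stuck_chains(PENDING, FLOOR))
    print("gas estimate (naive, marketable):", gas_estimate(PENDING, FLOOR))
```

A bot that prices from the naive median here would bid below the floor and join the stuck set, which is the feedback loop the report describes.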