Andrew "Not cool enough for an ETH scam" Glidden - @asglidden · 7 months ago
RT @HectorRosekrans: Everything here worked the way it was supposed to, except the contract lost money
The creators could say: “well that was dumb, let’s be more careful next time”
Instead, they whine to Coindesk, which is how you get regulation, and destroy the one thing DeFi has going for it https://t.co/RRlgKYohs5
There has been, and is going to be, a lot of stuff calling it a hack and/or a sophisticated attack, but personally I would say it's neither; it's just some substandard security practices whilst being really out there in terms of 'pushing the boundaries' of what is available on DeFi.
This is primarily to do with a lack of liquidity in the numerous DEXes and similar services. If they just used 1+n price feeds it becomes very crudely nX more expensive to cause the equivalent slippage on each of them (depending on the liquidity on each so the above is very crude) whilst adding more inefficiencies to the exploit.
Another trivial solution is to just limit the maximum amount that can be traded at once. Much like how a sensible gambling site will have a known max bet/max win such that someone can't empty their bankroll just by using their system.
This whole situation is on the 'other side of the coin' where Uniswap warns you if you're about to cause a huge price slip because you're making too big of a trade on an illiquid market, but of course here that is the desired effect.
I think a lot of it will come down to how people define hack, whether it is exploiting a vulnerability in the code or manipulating a system to do something else.
In this case though, it isn't a vulnerability in the code, and whilst it is manipulating a system it isn't doing anything that initially breaks the rules of the system, e.g. it's not creating some kind of overflow or underflow. Instead it is the fact that certain parameters could be used to achieve something that wasn't intended to be possible, and could have definitely been designed out.
I think it's just one of those reminders for everyone that smart contracts are not at all smart and if implemented wrong will be exploited because they are completely public and accessible by everyone. This sort of thing is always bound to happen and will lead to better practices in the future; it is just obviously a shame that people lose out on the way.
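As an added example (not part of the thread or any project's code), the two mitigations the comment describes, reading 1+n price feeds instead of one and capping the size of a single trade, modelled in Python against constant-product pools. The pool reserves, the median aggregator and the deviation threshold are constructed assumptions for illustration.

```python
"""Cost of moving an on-chain price feed, single pool vs. median of n pools.

Each feed is a constant-product pool (x * y = k). Pushing its spot price
down by a factor m requires adding x * (sqrt(m) - 1) of token X. A consumer
that takes the median of n feeds forces a manipulator to move a majority
of the pools, so the required capital grows roughly with n, as the comment
argues. All reserve numbers below are constructed sample values.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import median


@dataclass(frozen=True)
class Pool:
    x: float  # reserve of the token being priced
    y: float  # reserve of the quote token

    def spot_price(self) -> float:
        return self.y / self.x

    def capital_to_depress(self, factor: float) -> float:
        """Token-X input that lowers the spot price to price / factor.

        New price after adding dx is x*y / (x + dx)^2, so solving for
        (x*y / (x+dx)^2) == (y/x) / factor gives dx = x * (sqrt(factor) - 1).
        """
        return self.x * (sqrt(factor) - 1.0)

    def after_swap_in(self, dx: float) -> "Pool":
        """Pool state after an attacker sells dx of X into it (k is constant)."""
        k = self.x * self.y
        return Pool(self.x + dx, k / (self.x + dx))


def single_feed_cost(pool: Pool, factor: float) -> float:
    return pool.capital_to_depress(factor)


def median_feed_cost(pools: list, factor: float) -> float:
    """Cheapest way to drag a median-of-n feed down by `factor`: move the
    floor(n/2)+1 cheapest pools and leave the rest untouched."""
    needed = len(pools) // 2 + 1
    costs = sorted(p.capital_to_depress(factor) for p in pools)
    return sum(costs[:needed])


def accept_trade(amount: float, max_trade: float, pools: list, max_deviation: float):
    """Consumer-side guards: per-trade cap, then a median price that is
    rejected if any single feed disagrees with the median by too much."""
    if amount > max_trade:
        return False, "exceeds max trade", None
    prices = [p.spot_price() for p in pools]
    med = median(prices)
    if max(abs(p - med) / med for p in prices) > max_deviation:
        return False, "feed disagreement", med
    return True, "ok", med
```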