If you type “flash” into the search box on good ol’ Web3 Is Going Just Great, it’s very likely that you’ll get a lot of hits; at the moment there are nearly a dozen just in the last two months.
I haven’t studied these all in detail, but I think I can outline a representative flash-loan attack in enough detail and generality to be instructive and/or amusing.
Consider this small recipe, embodied as a piece of code:
1. For a small fee, borrow a jillion FooCoins for a very small period of time, like the time that this program will take to run.
2. Use those FooCoins to purchase 51% of the FooAdmin coins that determine who gets to vote on actions of the FooDAO (Distributed Autonomous Organization).
3. Having control of the FooDAO, transfer all of the five-jillion FooCoins owned by the DAO to yourself.
4. Sell the FooAdmin coins purchased in (2), for some amount of FooCoins, probably less than a jillion, maybe zero, I’m not clear on this part, see below.
5. Pay back the jillion FooCoins borrowed in (1).
6. Make off with a net profit of four-jillion FooCoins, minus the small fee in (1), plus the possible proceeds from selling the empty husk in (4).
One interesting fact about this is that every step appears to be using some feature of the overall system exactly as it was intended to be used: there are no stolen passwords, no impersonation, no stack overflows. Prosecutions or lawsuits seem relatively unlikely; it would be interesting to see how one goes!
Another interesting fact about this is that it’s basically the way that Mitt Romney and other “Vulture Capitalists” got rich: find a company whose assets are worth more than it would take to buy the company, get a loan, buy the company, sell off the assets, pay off the loan, and profit, leaving an empty husk of a company behind.
Only it’s much, much faster.
People have talked about various ways to keep these things from working:
Flash loans seem bizarre; I don’t know what non-nefarious uses they have. On the other hand, since they are really just programs, it’s unclear how (especially in the Free and Decentralized Web3 World) one would prevent people from creating them, in order to profit by supplying services to even nefarious uses.
It’s also not clear to me that the DAO administrative coins should just be sitting around for sale to anyone with enough money; given what they do, perhaps one would like actual human judgment involved. On the other hand, that also goes against the basic Code Is Law And Everything Is For Sale principles of Web3.
Perhaps, even if flash loans have to be allowed and buying DAO administrative coins has to be allowed, maybe they shouldn’t be allowed to intersect. In the traditional market, you aren’t supposed to buy big things like cars and houses (and down-payments on loans) using borrowed money, to prevent this sort of privilege-amplification via cash. That seems like it would be hard to enforce without significant additions to the relevant protocols; like, a FooCoin would have to remember that it’s borrowed and will need to be paid back, and who wants to clutter up the free simple Web3 world with stuff like that?
Perhaps someone should have to have owned a DAO administrative coin for more than a millisecond before they can vote the share that it represents. A few days maybe even. I think this is being seriously considered by some DAOists. (Haha “DAOists”; have you read “The Confessions of a Taoist on Wall Street”? Good book, long predating cryptocurrencies.)
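To make the holding-period idea concrete, here is a toy FooAdmin ledger, added as an example for this post (it is not code from any real DAO or token). Each balance is tracked as dated lots, and a vote only counts lots held for at least `min_hold_blocks` blocks; since a flash loan has to be repaid within the same transaction, even a one-block minimum means coins bought with the loan carry no vote when the attacker needs it. Names, amounts and block numbers are all constructed.

```python
from collections import defaultdict


class FooAdminLedger:
    """Toy ledger for FooAdmin governance coins (constructed example, not a real DAO).

    Each holder's balance is a list of lots (block_acquired, amount), so the
    governance logic can ask "how much of this did you already hold N blocks ago?".
    """

    def __init__(self):
        self.lots = defaultdict(list)   # holder -> [(block_acquired, amount), ...]
        self.total_supply = 0

    def mint(self, holder, amount, block):
        self.lots[holder].append((block, amount))
        self.total_supply += amount

    def transfer(self, sender, receiver, amount, block):
        """Move `amount` oldest-lots-first; the receiver's new lot is dated `block`."""
        remaining = amount
        kept = []
        for acquired, lot in sorted(self.lots[sender]):
            take = min(lot, remaining)
            remaining -= take
            if lot - take:
                kept.append((acquired, lot - take))
        if remaining:
            raise ValueError(f"{sender} does not hold {amount} FooAdmin")
        self.lots[sender] = kept
        self.lots[receiver].append((block, amount))

    def voting_power(self, holder, block, min_hold_blocks):
        """Only lots held for at least `min_hold_blocks` count toward a vote at `block`."""
        return sum(lot for acquired, lot in self.lots[holder]
                   if block - acquired >= min_hold_blocks)

    def vote_passes(self, holder, block, min_hold_blocks):
        """Simple majority of total supply, counted under the holding-period rule."""
        return 2 * self.voting_power(holder, block, min_hold_blocks) > self.total_supply


def flash_loan_takeover(min_hold_blocks):
    """Replay step (2) of the recipe: buy 51% in the same block the vote is cast."""
    ledger = FooAdminLedger()
    ledger.mint("seller", 70, block=0)      # long-time holders willing to sell
    ledger.mint("founder", 30, block=0)
    ledger.transfer("seller", "borrower", 51, block=100)   # funded by the flash loan
    return ledger.vote_passes("borrower", block=100, min_hold_blocks=min_hold_blocks)
```

With `min_hold_blocks=0` (vote-on-arrival) the borrowed 51% carries the vote; with any positive holding period the same purchase has zero voting power in the block it was made, and the loan cannot outlive that block.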
Perhaps in general FooDAO shouldn’t own more FooCoins than the value of 51% of the FooAdmin coins that exist. But, as with traditional companies, it’s not all that unusual for a company to own more assets than the company (or just a controlling interest in it) would cost; it just means that they’ve been accumulating stuff to use to make money by doing whatever the company is in business to do, but haven’t made that money yet. And in the area of DAOs, it’s not clear to me whether it’s possible to get enough by reselling the husk in step (4) that this isn’t actually necessary anyway. Also there are “liquidity pools” that I should read about sometime.
This here above is a specific type of flash loan attack; the most impressive and amusing kind that I know of. More generally, there are various kinds of flash loans where someone pays a small fee to acquire a jillion FooCoins, uses those FooCoins to play fun lucrative tricks in the market (all the more feasible where liquidity is low, things are generally unstable, unregulated, etc), and then pays back the loan with a fraction of the resulting booty.
So that’s that Fun Idea o’ the Day! :)
Relatedly, the very interesting Legal Eagle YouTube channel / person / lawyer recently had a (what do you call them?) thing called “NFTs are legally problematic”, all about how NFTs are legally problematic, for reasons including the contract and copyright things that we wondered about back in previous posts here in the weblog, and benefiting from actual real legal concepts like “privity of contract”, which says that a contract can’t confer rights or impose obligations on anyone who hasn’t signed it (and which leads us to wonder for instance how someone who uses Opensea to buy some NFT that I’ve put up for sale, can acquire any rights in that, since I’ve never heard of them, let alone signed a contract with them; I dunno).
Anyone interested in the vaguely-legal NFT stuff that I’ve talked about here will probably be interested in that Legal Eagle video. There’s another one, also by Legal Eagle, about the usefulness (or otherwise) of NFTs for creators, and it’s over on Nebula and/or CuriosityStream; here is a link that probably requires some kind of membership in something.
I don’t entirely understand Nebula and/or CuriosityStream (including, clearly, being able to tell them apart), but there seem to be various interesting videos (that’s the word: videos!) on it/them, and various people that I like to listen to (including Legal Eagle and Jordan Herrod I think it is) talk about it/them and seem to be somehow involved, so that’s cool.
I wanted to write about something else, what was it? Oh, right, the objectivity or otherwise of God-based moral systems. That sounds like a different post :) so maybe later.