If people really used insurance against hacks, this week would surely have bankrupted a great many insurers. In the span of one week, a total of four flash loan-enabled exploits were registered (one actually happened the week before, but wasn't noticed until later).

We have, in order, Cheese Bank with a $3.3 million theft, Akropolis with its $2 million loss, Value DeFi with a whopping $6 million exploit and finally Origin Protocol's loss of $7 million.

In total, the hackers stole $18.3 million, which admittedly is not that much — less than the single October exploit of Harvest Finance.

As always, the most common comments on the subject are "were they audited?" and "flash loans are bad." Now, in terms of auditing, I was able to find reports for all of them except Cheese Bank (perhaps it was reviewed, it's just not immediately obvious).

I feel like a broken record by now, but people really need to understand that audits are always going to be limited in their effectiveness. Security companies simply don't have enough eyes and enough time to notice everything.

If you want to point at something, I'd focus on the fact that none of these except for Akropolis had an immediately discoverable bug bounty. Even then, given how easy it is to steal money in crypto, these projects should be far more competitive with their payments than any other sector. Audits, which apparently run for more than $200,000 if you want premium quality, don't seem like the most efficient use of money.

Obviously, bounties won't suddenly turn blackhat hackers into upstanding citizens, but they may change the life of some poor kid who does this for a living and decides to scan your protocol for his lottery ticket. They'd be more than happy to receive $100,000 and keep a clean conscience while saving you millions of dollars down the line.

Flash loans are tough, but fair

As for flash loans, I think they're the greatest tool for increasing DeFi market efficiency that we have at the moment. Their intended usage is to arbitrage various assets across protocols — buy low on Uniswap, sell high on SushiSwap, all without committing your own capital. They're also useful to quickly unwind your positions on lending protocols, and I'm sure there are other uses. In short, they're pretty great.

And yes, flash loans do make hacks simpler. But note that anything that can be done with a flash loan can also be done with a big pile of cash. Hackers may not be that wealthy in general, but it's really better for the ecosystem to weed out weak implementations and protocols before it grows to accommodate a billion-dollar hack.

It's definitely painful to be on the receiving end of a hack, but it's also a known risk that should be managed. Sometimes it may just be bad luck, but that explanation should only be used when every possible mitigation strategy has been exhausted. I hope each protocol that gets hacked takes steps to ensure it never happens again. Otherwise, the hacks will continue until security improves, or until the protocol is dead.

DEXs fight over the crumbs left by Uniswap

Uniswap, at one point the largest protocol by total value locked with $3 billion, predictably lost more than half of it just as soon as it stopped printing UNI rewards for its Ether pools.

Most of that made its way to SushiSwap, which went from about $200 million to $1 billion in TVL. Cheekily, the project shifted its yield-farming incentives to the same pools used by Uniswap just one day before those rewards expired.

Then Bancor stepped up by launching its own liquidity mining program, followed by Mooniswap today. The latter two seem to be having modest results, adding maybe $10 million each so far.

So we're definitely seeing some pretty aggressive competition in that space, powered by a lot of token printing.

But my thesis from last week appears to be mostly right — Uniswap doesn't care. $1.3 billion with absolutely no subsidies is a pretty amazing result. It's more than six times higher than before this whole yield-farming season started. Volume is also remaining stable.

Uniswap's fortunes could, of course, change in the future as the market continues readjusting. Either way, I think this is both a good and a bad sign for the future. On one hand, we're seeing pretty clear long-term stickiness after yield farming — proving that it's at least somewhat successful at generating organic interest.

On the other hand, we're seeing that yield farming is somewhat successful, so it may remain a long-term staple of the DeFi world. The concept does have merit, but this summer showed that people often don't understand what they're getting into.

As a heads-up, any time a DeFi protocol's token can be staked to receive more of the same tokens, that's a very clear Ponzi-like dynamic. It's a dangerous game to play; just ask people who bought SUSHI at $11. You could argue that Ethereum 2.0 staking is the same, apparently disproving my thesis. The difference is that the much saner yields avoid the huge boom-and-bust cycles typical of many DeFi "fair launches."

Maker liquidators are 'slacking off'

Another issue pointed out this week was the fact that Maker's keepers — the agents responsible for liquidating bad debt — turned out to be completely avoiding small, undercollateralized loans. It appears that opening a vault for $100 is just so uninteresting to them that they will ignore it even if it falls below the safety threshold that would let them liquidate it.

It's fairly easy to see why. Liquidators would get a discount of maybe 5%, so their theoretical profit is just $5, easily eaten by gas fees.

Opening thousands of small vaults is not that expensive and could result in a dangerous vulnerability for Maker. Rational keepers would never liquidate this debt, especially if it were left to rot and decisively fall below the 100% collateralization threshold.
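The keeper economics described above can be checked with a small model. This is an added example, not code from the column or from MakerDAO: the 150% liquidation ratio, the $20 gas cost per liquidation and every vault in the sample book are constructed assumptions (the column only gives "maybe 5%" and a "$100" vault). It computes the break-even vault size below which a rational keeper loses money, then scans a book of vaults for positions that are liquidatable but will be ignored, and totals the debt and unbacked Dai sitting in them.

```python
"""Keeper economics for small undercollateralized Maker-style vaults.

Added example, not code from the original column or from MakerDAO. The
liquidation ratio, the 5% discount, the gas cost and every vault below are
constructed assumptions chosen to illustrate the column's point.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vault:
    vault_id: str
    collateral_usd: float  # market value of the locked collateral
    debt_usd: float        # Dai drawn against it

    @property
    def collateralization(self) -> float:
        """Collateral value divided by debt (1.5 means 150%)."""
        return self.collateral_usd / self.debt_usd


def gas_cost_usd(gas_units: int, gas_price_gwei: float, eth_price_usd: float) -> float:
    """Dollar cost of a liquidation transaction (1 gwei = 1e-9 ETH)."""
    return gas_units * gas_price_gwei / 1e9 * eth_price_usd


def keeper_profit(collateral_usd: float, discount: float, gas_usd: float) -> float:
    """Net gain a rational keeper expects: the discount captured on the
    collateral minus the gas the liquidation transaction costs."""
    return collateral_usd * discount - gas_usd


def breakeven_collateral(discount: float, gas_usd: float) -> float:
    """Smallest collateral value at which liquidating stops losing money."""
    return gas_usd / discount


def unbacked_dai(vault: Vault) -> float:
    """Debt no longer covered by collateral once the vault drops below 100%."""
    return max(vault.debt_usd - vault.collateral_usd, 0.0)


def scan(vaults, liquidation_ratio, discount, gas_usd):
    """Find vaults that are liquidatable (below the ratio) but that no rational
    keeper will touch, and total the debt and unbacked Dai sitting in them."""
    dust = [
        v for v in vaults
        if v.collateralization < liquidation_ratio
        and keeper_profit(v.collateral_usd, discount, gas_usd) <= 0
    ]
    return {
        "ignored_vaults": len(dust),
        "ignored_debt_usd": sum(v.debt_usd for v in dust),
        "unbacked_dai": sum(unbacked_dai(v) for v in dust),
        "breakeven_collateral_usd": breakeven_collateral(discount, gas_usd),
    }


def sample_vaults():
    """Constructed book of vaults: 1,500 dust vaults just under the threshold,
    500 dust vaults that have rotted below 100%, one large unsafe vault and
    one small but healthy vault."""
    vaults = [Vault(f"dust-{i}", 100.0, 70.0) for i in range(1500)]
    vaults += [Vault(f"rotten-{i}", 60.0, 70.0) for i in range(500)]
    vaults.append(Vault("whale", 50_000.0, 40_000.0))
    vaults.append(Vault("healthy", 100.0, 50.0))
    return vaults


def example_scan():
    """Run the scan with the column's rough numbers (5% discount, a $100 vault
    is uneconomic) plus assumed $20 of gas and a 150% liquidation ratio."""
    return scan(sample_vaults(), liquidation_ratio=1.5, discount=0.05, gas_usd=20.0)


if __name__ == "__main__":
    for key, value in example_scan().items():
        print(f"{key}: {value}")
```

With these assumptions the break-even vault is $400 of collateral, so all 2,000 constructed dust vaults stay unliquidated even though they sit below the threshold, and the 500 that have already dropped under 100% leave $5,000 of Dai with nothing behind it. The large unsafe vault is picked up because the 5% discount on it dwarfs the gas, which is exactly the asymmetry the column describes.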

That would create unbacked Dai in a manner very similar to Black Thursday. I'm sure that in practice, some stakeholders would act altruistically to liquidate debt at a loss before it's too late. Plus, the system is designed to be bailed out in these situations, as we've seen with the MKR auctions after the incident earlier in the year.

But this and the flash-loan vulnerability from a few weeks earlier signal that there is some trouble in paradise. For instance, one of the reasons why the community refused to compensate victims of Black Thursday is that it was seen as a failure of the market, not the auction system.

That makes sense, but this latest discovery jolted the community to patch up the issue while waiting for a slight redesign of the auction system. That betrays a certain cognitive dissonance — they say the system "worked fine" earlier, and yet now it needs to be changed due to a similar market failure.

Personally, I find Maker governance fascinating and unique among its peers. They've had to deal with some very tough choices this year that go well beyond tweaking arbitrary collateral parameters.

I don't really agree with some of those choices. I definitely feel that the decision not to refund Black Thursday victims was short-sighted, though perhaps it was the product of mutual distrust given the class-action lawsuit hanging over their head.

But that is human nature, and I expect that DeFi governance will eventually go through many of the lessons that history has served us. Some people have high hopes for DeFi governance to reshape societies just because it's "decentralized." I hope that will be the case, but so far I'm just seeing your run-of-the-mill politics, complete with vested interests, propaganda and deflection.