DeFi hacks are common occurrences, and an app called Mango was attacked recently. What happened: the protocol allows you to borrow against your unrealized profits, so the attacker grossly inflated the price of his long MNGO position through manipulative trading, then drained $115M against the unrealized gains, destroying the app's lending pools.
The hacker offered some mental gymnastics on why it wasn’t a hack, but a “highly profitable trading strategy”. If this event occurred in TradFi markets, it’d be a crime.
There have been a myriad of attacks that do some variation of this. The most common attack is when the attacker takes out a flashloan to manipulate a price to deceive an oracle, then sends transactions that extract resources that are only possible due to the inflated oracle price.
Most DeFi hacks follow this pattern:
- Hacker manipulates the price of a token
- Hacker drains funds from the Dapp
- Hacker concludes the attack, and the manipulated price usually drastically plummets
We correctly recognize this as malicious.
What is the gray area, if any, between a hack and a “code is law” trading strategy? The following arguments present a moral framework and logic-based argument for what constitutes an attack and warrants punishment, not a legal one. This isn’t legal analysis.
The Mango attacker didn’t use a flashloan, he used his own money; which was enough to accomplish his goal. And he didn’t deceive an oracle. If he used a flashloan to contort an oracle so he could drain the lending pool, does that make it more of a hack? Why? Either way, you created a fake price that allowed you to drain resources in both scenarios; this should be the litmus test.
I think it’s really this simple: did you take an action to create a fake, manipulated price that then allowed you to extract resources? Was this consistent with the intent of the system? Yes or no? I don’t think this is a reductionist take; some things do not require nuance.
To define a “fake” price: one that happens purely as a result of an attacker’s activities that allows resources to be drained from the protocol while the price is distorted. The asset then immediately reverts back to its previous price, or a much lower one if the attack crushes the app. You could also say a fake price is produced via trading behavior that would be irrational to a “normal trading participant”. For example, a normal trader would try to minimize slippage, whereas a hacker often tries to do the opposite or is totally indifferent. Irrational trading actions are the smoking barrel of identifying market manipulation when the SEC investigates it.
Taking this a step further, why isn’t a short squeeze an attack? It checks many of the boxes of my simple litmus test on what constitutes an attack in DeFi.
A short squeeze doesn’t feel intuitively wrong like the DeFi hacks do. I reflected on why. Is it because we’ve been conditioned to accept this action as normal and not something that should be stopped, so we accept it unthinkingly?
I believe there are core differences that we recognize implicitly that separate a short squeeze price distortion from an attack.
1. The collective market force alters the price. Not just one person. A market clearing price is created in a short squeeze by a diverse collective of participants, not an individual or small group of people. Often these short squeezes occur in companies whose price has been artificially driven down from excessive shorting (even naked shorting); this creates a disequilibrium, and an artificially low price to begin with. Eventually, there must be a reversion to the mean, and this typically results in an over-correction in the other direction. No one said price discovery shouldn’t be volatile, and may get overextended in either direction. This is a violent form of collective price discovery.
2. The method of facilitating the price movement is well-known to everyone. When these attacks happen in DeFi, it’s almost always carried out by a gigabrain leveraging esoteric understanding of smart contract behavior to anonymously steal from an application. It’s quite likely the attacker is literally the only person alive that’s aware of the exploit when it happens. Obviously, this is not public knowledge of a risk. It’s fine to be brighter than everyone else and out-trade them, in fact the SEC explicitly says it’s okay to be smarter than your counterparties. However exploiting an unknown error in code and extracting resources against the intended design of a system is not the same thing as mastering a financial instrument that’s working as designed and outsmarting fellow traders.
This is not the case with short squeezes. In fact, as short interest builds it’s very well-known that the propensity for volatile shakeouts to the upside increases. Hedge funds who had short positions in GameStop saw the short interest of over 100%; they knew exactly what they were doing and that it could blow up in their faces. The decision to be bearish in a highly shorted name is a calculated risk. The DeFi user in a yield-farming app that has someone steal all his money by manipulating it against its intended design is not making the same decision with the same information as the investor who holds his short position in a liquid and efficient stock market.
I’m not calling for more regulation. The laws we have now work just fine. “Code is law” is an ideological chant made by those who think the metaverse is real life and don’t understand there’s plenty of precedence in a courtroom that this is not how the world works. I don’t think it’s how it should work either. People are fallible, ergo so is code; because a crafty person found a mistake does not entitle him to all your money.
The goal here is a logical framework and assessment of what risks are being knowingly taken and what actions attempt to hide behind self-serving semantic gray area. These hacks are clearly attacks, and they’re wrong both legally and ethically. We should address them as such.
Follow at @BackTheBunny
Check out another popular post --> Crypto, Dollars, Gold, and Layer 4 Money