The rise of DeFi Scams and Flash Loans

Eggplant Crypto • DEX
5 min read · Jun 24, 2021

Decentralized Finance (DeFi) is the final frontier of crypto: deep in the wild west, where everything depends on smart contracts that are poorly understood by the general public and developed by anyone from doxxed to fully anonymous devs.

The following article is a review of smart contract exploits that have been popping up more and more frequently across the DeFi space.

At Eggplant we take these exploits very seriously and are doing everything possible to make sure nothing of the sort happens on our exchange. To help instill investor confidence, we will take a look at a few different protocols, why the exploits happened (in layman’s terms), and what team Eggplant has done to avoid them.

The most recent exploits have been especially brutal: the first is known as a “Flash Loan attack”, and the second, which happened very recently, we will refer to as the “Transfer fee token” exploit.

If you would like an extremely detailed technical explanation, I would suggest referring to the below articles.

Flash loan exploit in-depth article: https://coinmarketcap.com/alexandria/article/what-are-flash-loan-attacks#:~:text=Flash%20loan%20attacks%20are%20a,the%20market%20in%20their%20favor.

Transfer fee token exploit deep dive: https://thoreum-finance.medium.com/what-exploit-happened-today-for-gocerberus-and-garuda-also-for-lokum-ybear-piggy-caramelswap-3943ee23a39f

Transfer fee token exploit overview:

The entire issue in most DeFi protocols revolves around an important smart contract called the “MasterChef”. The MasterChef usually handles reward distributions on a DEX. This smart contract has been copied countless times from other DeFi protocols, often with no or only very slight modifications. This would be fine, but when protocols try to do something new, as in GoCerberus’s case, this can and will result in ‘bugs’ that can be exploited by opportunists who find the issue. The ‘bug’ then multiplies (as we have seen) to other exchanges, which are all clones of each other.

This is why on June 16th the “transfer fee token exploit” spread beyond GoCerberus to multiple other exchanges, such as PantherSwap, KetchupSwap, Lokum, YBear, Piggy, CaramelSwap, and Garuda. These were all built from copies of the same MasterChef and other smart contracts. As a result, they all quickly found their liquidity pools drained and their token values plummeting to 0.

How did both exploits happen and how will Eggplant avoid this?

As previously stated, the MasterChef contract was designed to distribute rewards for liquidity pool tokens, but many farms also used the MasterChef contract for other types of rewards. When the MasterChef was initially created, tokens did not charge individual users transaction fees. However, the newest DeFi trend has been to tack on transaction fees for every transfer, i.e. SafeMoon clones.

The MasterChef contract was never designed to handle transaction fee tokens or to compare user balances against pool balances. This is the small change that allowed hackers to generate more tokens in a single harvest and instantly empty liquidity pools. Hackers could generate thousands of tokens, even if there was only one token in the pool. This happened on all of the exchanges listed above that had transaction fee tokens. Let’s look at the MasterChef code quickly to see how this happened and why it’s impossible on Eggplant DEX.
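The balance mismatch described above, as an added example that is not Eggplant's or any listed project's contract code: a Python model (used so it runs offline) of a farm that credits the requested deposit beside one that credits only the balance it actually received, which is one common hardening. The token, farm, fee rate and amounts are constructed assumptions.

```python
# Constructed model, not contract code; all names and numbers are hypothetical.
PRECISION = 10**12  # fixed-point scale for reward-per-share
class FeeToken:  # token that burns fee_bps (basis points) of every transfer
    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount - fee

class Farm:
    def __init__(self, token, credit_received):
        self.token = token
        self.credit_received = credit_received  # True = hardened deposit
        self.staked = {}        # user -> recorded stake
        self.acc_per_share = 0  # reward per staked unit, scaled by PRECISION

    def deposit(self, user, amount):
        before = self.token.balance_of("farm")
        self.token.transfer(user, "farm", amount)
        received = self.token.balance_of("farm") - before
        # Naive farms credit the requested amount, not what arrived.
        credited = received if self.credit_received else amount
        self.staked[user] = self.staked.get(user, 0) + credited

    def distribute(self, reward):
        # Reward per share is divided by the tokens the farm actually holds.
        self.acc_per_share += reward * PRECISION // self.token.balance_of("farm")

    def pending(self, user):
        return self.staked.get(user, 0) * self.acc_per_share // PRECISION

    def solvency_gap(self):
        # Recorded stake minus tokens held; anything above 0 is unbacked.
        return sum(self.staked.values()) - self.token.balance_of("farm")

def run(credit_received, fee_bps=500):
    farm = Farm(FeeToken(fee_bps), credit_received)
    farm.token.balances["alice"] = 1_000  # constructed starting balance
    farm.deposit("alice", 1_000)
    farm.distribute(100)                  # 100 reward tokens for the period
    return farm.solvency_gap(), farm.pending("alice")
```

With a 5% fee, `run(False)` leaves 50 units of recorded stake unbacked and a pending reward larger than the 100 tokens emitted, while `run(True)` keeps the gap at zero. Asserting `solvency_gap() <= 0` after every deposit is a cheap regression test for this class of bug.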

Delving deeper, the 2 main issues here are the mint function called by MasterChef and how snapshots are taken of the rewards. The mint function is a major cause of flash loan issues and should be seen as a general red flag when looking at DeFi protocols. It essentially enables a token to be “printed”. Allowing this function to be called from within the MasterChef eliminates the deflationary pressure that most cryptocurrencies aspire to have.

We at Eggplant have completely prevented the mint function from being called by our MasterChef. Eggplant will only use the mint function for the initial launch of ESeed, our rewards token on Eggplant DEX. After minting it will essentially be non-existent. There is a hard cap on how many “ESeed” will be emitted, along with a set time, no more or less. This is the same basic step-down principle as Bitcoin, but at an accelerated pace. This scarcity principle will help to create demand over time and preserve value.

Further, to mitigate flash loan attacks, we have modified the snapshot functionality. Snapshots will be taken every time the liquidity pool balance changes (deposit, harvest, etc.). In the event of a flash loan attack, the liquidity pool would only change from one block to the next and then revert to its original state from before the flash loan. The maximum reward an attacker could potentially harvest would be less than 0.00001% of total supply.

Below are examples of code copies and MINT function issues.

GoCerberus’s reward minting mechanism when pooling (increases total supply)
GoCerberus minting more Cerberus to payout referrals
Function mint within CAKE and the majority of other exchanges. Note the comment stating it increases total supply. This exists within almost every BEP-20 coin.
Calling mint in CAKE for pool rewards
PancakeSwap publicly stating there is no hard cap for CAKE

Keep in mind most Binance Smart Chain reward tokens are copied from PancakeSwap’s CAKE.

Eggplant code review:

Stating the total supply, to avoid inflationary tokenomics. Mint function has been eliminated from our farm and ESeed tokenomics, with the exception of its use for initial launch/mint. This function caused GoCerberus’s referral issue and ultimately their full liquidity pool drain.

Function created to mitigate single-block flash loan attacks. Look at farm.sol under farm contract for the entire array code.

This article was just a brief overview of major issues that exist in DeFi. At Eggplant we believe it is important to review and understand what you’re putting your hard-earned money into BEFORE you do it. We felt it was critical to touch on these issues, not only to raise awareness, but also to show that Eggplant has accounted for these protocol ‘bugs’ and adjusted accordingly to eliminate them.

If you enjoyed this, please ‘clap’ this article and share it to spread awareness. If you have any further questions regarding our DEX and/or any contract related to it, feel free to join our Telegram and ask! A dev/team member will get back to you.

Telegram: https://t.me/eggplantdex
Twitter: https://twitter.com/eggplantdex
Website: https://www.eggplantcrypto.com
Eggplant DEX: http://dex.eggplantcrypto.com
