'Flash Loans' Have Made Their Way to Manipulating Protocol Elections

Flash loans can be used for more than just siphoning funds out of poorly put-together decentralized finance (DeFi) protocols.

That’s one lesson investors can learn from Israel-based startup BProtocol’s manipulation of flash loans to sway election results on DeFi legacy project MakerDAO earlier this week.

According to the MakerDAO community forum, on October 26, BProtocol borrowed 13,000 MKR tokens worth some $7 million through a flash loan from derivatives platform dYdX swapped for MKR on lending platform Aave. Voting with the flash-loaned MKR tokens enabled BProtocol to speed up desired election results for its project built on MakerDAO.

The “attack” was less an attack than yet another unexpected consequence of flash loans, a crypto-first product that made its debut in early 2020 with DeFi platform Aave.

Read more: Everything You Ever Wanted to Know About the DeFi ‘Flash Loan’ Attack

Flash loans enable an in-the-know trader to amass mad leverage behind a trade by providing a temporary loan that must execute and settle in one block space. Here – and perhaps for the first time – BProtocol borrowed millions of MKR tokens to sway a protocol election and hand back the money in one block.

Other DeFi degens have used flash loans to perform what is commonly known as an oracle attack. In these situations a project’s funds are at risk due to poor project infrastructure – typically, shoddy pricing feeds. This happened last Sunday with $1 billion protocol Harvest Finance, which had prices for its stablecoin pools swayed by a flash loan, resulting in a haircut for Harvest traders.

Flash votes

The ability to use flash loans to exploit governance events is fairly new, however. Holders of MakerDAO’s governance token typically decide how the platform changes.

But here BProtocol showed that if there are enough MKR tokens up for borrowing on DeFi markets, a flash loan can be used by just about anyone to sway Maker’s election results. All someone needs to do is wait to be last in line at the ballot and drop in the borrowed tokens, BProtocol CEO Yaron Velner said in a WhatsApp call.

Velner added he thinks the Maker Foundation was aware of the unlocked door BProtocol went through with its flash loan, and that the outcome of the vote would have likely been the same.

He said the team had been waiting extra days to be whitelisted for using MakerDAO’s pricing oracles and had become “curious” after months of studying Maker’s infrastructure to see if the flash loan was possible. So they decided to play a bit.

Read more: MakerDAO’s Embrace of Centralized Stablecoins Offers Risks and Rewards

Now MakerDAO community members and the Maker Foundation are considering options for “disincentivizing large MKR Holders from providing MKR Liquidity on Lending Platforms and AMM Platforms” until MakerDAO can blacklist votes using flash loans, according to the MakerDAO forum.

In lieu of comment, the Maker Foundation pointed CoinDesk to a community forum discussion from October 6 on limiting the use of flash loans for governance procedures.