How bots helped take $8 million from Ethereum’s biggest DeFi app

When the world’s financial markets collapsed on March 12, the Ethereum network’s congestion allowed some of MakerDAO users to buy out over $8 million worth of crypto for free. Today, data firm Blocknative has published a report that suggests an army of bots might be responsible.

And the implications are quite big. The decentralized finance (DeFi) sector has ballooned to over $3 billion locked up in it—money that’s at stake if something goes wrong. And if this strategy is effective, then it could put further applications and more money at risk.

This is “strong evidence of a new class of attack that all DeFi users (in fact, all blockchain users) will need to be aware of,” tweeted Dan Elitzer, a venture capitalist at IDEOVC.

MakerDAO is a novel blockchain project that is responsible for the stablecoin DAI. The DAI stablecoin is a cryptocurrency with its value pegged to the US dollar. But it’s not kept pegged by someone keeping a stash of banknotes in a vault, instead, users lock up other cryptocurrencies as collateral. And in case the value of the collateral drops, they make sure to keep enough locked up to accommodate that.

But obviously, this carries risk. If the value of the collateral dropped below the amount of the DAI (I.e. if there was less than $1 of collateral per 1 DAI), then there would be a big problem.

There is a mechanism to solve this if the value does drop significantly. The collateral is put up for auction, and anyone can buy it—usually at a nice discount.

But what happened on March 12 is that a lot of collateral went up for auction. And someone managed to buy it for free! This shouldn’t have happened. So, Blocknative went digging and they found out how this occurred.

According to the report, an army of so-called “hammerbots” was unleashed on Ethereum, spamming nodes with high numbers of transactions. This slowed down the network, creating a long queue of “stuck” transactions.

The congestion on the Ethereum network allowed some users—potentially who were behind the attack or otherwise—to bid $0 on auctions without competition. By offering higher transaction fees, they incentivized miners to process their transactions before everyone else. And anyone else trying to bid with low transaction fees, just added to the chaos.

And so, over $8.32 million worth of cryptocurrency was auctioned off for nothing. DeFi may be growing, but the risks are growing too.