Earlier this week, the decentralized lending protocol bZx was exploited in back-to-back “flash loan” attacks. While the two exploits were distinct, the end results remained the same. In total, $954,000 was gleaned from the platform. But what exactly happened? Was it an exploit, a simple case of arbitrage or a malicious attack? And where does decentralized finance go from here?
It hasn’t been a good PR week for the DeFi sector. For some, the movement promising an alternative to the legacy financial system is starting to look like a failed experiment. For others, the attacks amounted to little more than being caught on the wrong side of a trade. But regardless of semantics, whether these attacks transpired from a legitimate loophole or were the result of a premeditated attack, faith in DeFi is truly being tested.
The first attack
On Feb. 14, the first exploit occurred. In a post-mortem compiled since the incident, bZx co-founder Kyle Kistner describes the exact moment the attack occurred. The bZx team was out for the ETHDenver conference — an Ethereum soiree that ironically celebrates the best of DeFi. Alarm bells started ringing when the team received information about a “suspicious” transaction. “We immediately returned home from the tBTC happy hour,” writes Kistner.
Kistner notified the members of the company’s Telegram group, explaining that an “exploit” had been executed on a bZx contract — which was promptly paused — and that a “portion of ETH” was lost. The actual amount harvested in the first incident totaled 1,193 Ether (ETH). Echoing the words of Binance boss Changpeng Zhao, bZx affirmed that user funds were “SAFU.”
Fortunately for its users, bZx operates on a failsafe — collecting 10% of all interest earned by lenders and aggregating it into an insurance fund. Consequently, the losses to bZx users are nominal. For the bZx platform, however, the attack came with a hefty reputational cost.
Pulling the heist
But how did the attacker succeed in materializing a profit of 1,193 ETH from nothing? To use a somewhat reductive explanation, the attacker devised a network of transactions to execute a “pump and dump.”
Here’s how it went down:
First, the attacker took out a 10,000-ETH loan on the DeFi lending platform dYdX. They then split the loan between bZx and another lending platform known as Compound. The ETH sent to Compound was used to collateralize another loan for 112 wrapped Bitcoin (WBTC). Meanwhile, the 1,300 ETH assigned to bZx was used to short ETH in favor of WBTC.
Harnessing the low liquidity of a decentralized exchange known as Uniswap, which shares price data with bZx via DeFi network Kyber, the attacker managed to pump the price of WBTC on Uniswap through the WBTC short placed on bZx.
The antagonist then dumped the WBTC borrowed from Compound on Uniswap, taking advantage of the inflated market rate. With profits in hand, the attacker paid back the original loan from dYdX in full and pocketed a cool profit of 1,193 ETH leaving bZx with an undercollateralized loan.
But here’s the kicker: Everything detailed above was executed in a single transaction — accomplished through a DeFi product known as a “flash loan.”
Flash loans and contract bugs
Flash loans allow traders to take out a loan without any backing — i.e., they remove the need for collateral. They’re able to do this because the loan is paid back immediately. Arbitrageurs use flash loans in conjunction with smart contracts, which they code to carry out calculated arbitrage trades: the simultaneous buying and selling of assets in different markets.
Executed atomically, flash loans are marketed as “risk-free” as the Ethereum network rectifies any failure to pay back the loan by reverting the original transaction. As a result of their atomic nature, no party was able to intercept the flash loan attack while it was happening. Zhuoxun Yin, head of operations at dYdX — the exchange where the flash loan was borrowed — told CryptoX:
“We were not aware of anything officially until it all transpired. These transactions are all atomic, meaning the whole thing executes or fails.”
However, it wasn’t just flash loans at the attacker’s disposal. They also took advantage of vulnerabilities within the bZx smart contract. Kistner explained to CryptoX how the initial attack was allowed to occur:
“The first attack was fairly simple in that they made a large trade that ate into the funds of lenders. A flag was set higher up in the stack that allowed the trade to bypass a check on whether or not they were putting lender funds in danger.”
The bypassed check Kistner mentioned is the very same that former Google engineer Korantin Auguste refers to in his detailed analysis of the attack: “The attacker exploited a bug in bZx that caused it to trade a huge amount on Uniswap at a 3x inflated price.”
As it turns out, a crucial function to verify whether market slippage had occurred didn’t trigger. If it had, it would have nullified the attacker’s bZx position — rendering the trade ineffective. Instead, the attacker was allowed to continue unimpeded.
Round two
Four days later, on Feb. 18, bZx fell victim to yet another attack, forcing yet another protocol suspension. Similarly to the first, flash loans were used to facilitate a pump and dump on Uniswap — this time resulting in the attacker netting 2,378 ETH.
This time around, the attacker took out a flash loan of 7,500 ETH on bZx, trading 3,517 ETH for 940,000 Synthetix USD (sUSD) — a stable coin pegged one-to-one with the United States dollar. Next, the attacker used 900 ETH to purchase another round of sUSD on Kyber and Uniswap, pumping the price of sUSD on to over 2.5 times the market rate.
Then, using the now-inflated sUSD borrowed from Synthetix as collateral, the attacker took out a loan of 6,796 ETH on bZx. Using the freshly borrowed ETH and the ETH left over from the original loan, the attacker paid back the 7,500 ETH flash loan and once again skimmed a profit, this time to the tune of 2,378 ETH.
This left bZx with yet another under-collateralized loan. Luckily, this was covered by the insurance fund.
Blaming the oracle
Rather than a repeat of the original bug, which was patched following the first attack, round two was apparently the result of oracle manipulation.
Oracles are blockchain-based intermediaries that feed external data into smart contracts. In this case, bZx’s price oracle relayed the inflated sUSD price without a verification, leading bZx to believe the loan of 6,769 ETH was fully collateralized. An analysis from PeckShield, a blockchain security firm, summarized the oracle exploit as follows:
“The oracle manipulation substantially drives up the price of the affected token, i.e., sUSD, and makes it extremely valuable in the bZx lending system. The attacker can then simply deposit earlier-purchased or hoarded sUSD as collateral to borrow WETH for profit (instead of selling or dumping).”
Yin notes that using Kyber (and by proxy, Uniswap) as a price oracle, bZx may have been asking for trouble: “Protocols should be using high-quality oracles, not on-chain DEXs directly as price oracles. Oracles that are powered by off-chain reporters would be safer.” He also pointed the finger at DEXs that support low liquidity assets:
“Many DEXs support assets that are very illiquid. Illiquidity means the markets can be moved a lot more easily. Liquidity needs to improve, which I’m confident will happen over time — there are technical and market factors that need to be overcome.”
Volatility coupled with low liquidity can prove to be a treacherous mix. In this instance, market slippage was inevitable, and the attacker knew it. Fortunately, since the incident, bZx has taken the decision to partner up with decentralized oracle network Chainlink and has made use of its price data.
Hack, attack or legitimate arbitrage?
For some, these cases amount to little more than a proficient arbitrage trade. However, the reality isn’t that simple. The attacker abused several vulnerabilities within bZx’s protocols, taking advantage of low liquidity markets and employing blatant manipulation tactics. Kistner, co-founder of bZx, told CryptoX that it’s a cut-and-dried case:
“It’s an attack because it used our code in a way that it wasn’t designed to produce an unexpected outcome that created liabilities for third parties.”
Sharing a similar opinion, Auguste maintains that no matter how you look at it, these were malicious attacks:
“In both cases, there were bugs exploited in the bZx code, so these were definitely attacks and cannot qualify as a clever arbitrage or something legitimate.”
CryptoX also reached out to Thomas Glucksmann, vice president of global business development at blockchain analytics firm Merkle Science. Much like the others, Glucksmann classified the incident as a hack, suggesting that it follows the same principles as theft by any other means.
However, he was quick to turn the spotlight back on bZx, insinuating that any attack vectors should have been patched sooner, especially given the lessons learned from the decentralized autonomous organization hack in 2016.
“Developers can typically avoid such scenarios by ensuring a thorough smart contract auditing process. It’s amazing that some teams still did not learn from the consequences of The DAO debacle and demonstrates the current fragility of DeFi services.”
Glucksmann didn’t write bZx off altogether, though. In terms of damage control, he says both the post mortem and the insurance fund go a long way to soften the blow.
What about DeFi as a whole now?
Following the last bZx attack, the DeFi sector reported a significant loss in locked-up assets, falling approximately $140 million from a peak of $1.2 billion on Feb. 18. Just weeks prior to the attacks, DeFi boasted a milestone $1 billion in total locked-up assets. This deterioration was especially prevalent in locked Ether where losses totaled around 200,000 ETH, according to data from analytics site Defipulse.com.
Nevertheless, Kistner doesn’t see these exploits as DeFi’s death knell. Instead, he suggests that it’s merely part and parcel of ecosystem development:
“NASA didn’t hire people who all wrote perfect code to launch space shuttles. What they had were rigorous processes in place throughout the entire development cycle of the code. We need to treat launching a DeFi DApp like we treat launching a shuttle into space.”
While DeFi is still in its infancy, the once-niche market continues to mature, clambering to the forefront of mainstream attention. However, the sector is operating without an adequate sandbox — an omission that is bound to provoke further hiccups.
Related: DeFi Begins to Move From a Niche Market to Mainstream Finance
For Glucksmann, while a greater emphasis needs to be placed on “battle testing” protocols before launch, discussions on appropriate regulation also need to be held. So, it is too early to write off the sector:
“To date, the only profitable business models in the crypto space were mining, exchanges and liquidity provision. DeFi services such as lending could be the next. A lack of regulation covering DeFi in many jurisdictions presents opportunities as well as risks, so users of DeFi services need to be willing to accept this for the time being.”
Arguably, due diligence procedures such as Know Your Customer and Anti-Money Laundering checks would go some way to disincentivizing bad actors. Though, given the inherently decentralized nature of DeFi, its proponents would likely revolt at the very idea.