
The Two ‘Flash Loan’ Attacks That Shook DeFi

Two attacks recently took the DeFi world by storm in what is the first major DeFi security incident. bZx, a decentralized finance protocol on the Ethereum blockchain, endured two separate attacks after unknown persons manipulated “flash loans” and managed to drain hundreds of thousands of dollars’ worth of Ether.

The First Attack

The first attack took place on Valentine’s night, while the bZx team was attending ETHDenver – an annual Ethereum conference that brings together minds from across the blockchain and DeFi space. The attacker took $350,000 worth of ETH from Fulcrum, bZx’s lending platform, by chaining together several other DeFi protocols: Compound, Uniswap, and dYdX.

The attack happened this way:

The person borrowed 10,000 ETH from dYdX and then posted half the amount to the DeFi protocol Compound and the other half to bZx. They then borrowed 112 wrapped Bitcoin (WBTC, an ERC-20 token backed 1:1 by Bitcoin). With the amount on bZx, they entered into a short position on 112 WBTC, after which they sold the 112 WBTC borrowed from Compound on Uniswap. This move made the bZx short very profitable. The attacker then repaid the dYdX loan and kept the proceeds from the short sale: 1,300 ETH. All of this happened in a single transaction.

bZx admits the attack was “one of the most sophisticated” they have ever seen, which says a lot. Whoever pulled it off must have had very in-depth knowledge of all the protocols involved and their various tools. It also demonstrates the high level of interoperability possible among DeFi protocols – which is ideal, except when that interoperability can be maliciously manipulated. The attack had no precedent in DeFi, prompting the DeFi space to ask hard questions about the future of DeFi security.

In response to the attack, bZx, in a somewhat controversial move, shut down Fulcrum. Users and analysts noted that bZx shut down the platform using a non-decentralized master key. But the firm defended the move, arguing, “the core of the debate here is whether we should be ruled by machines or economics. When you have an immutable contract that can’t be upgraded, you are ruled by machines. When the power to exist is distributed among representative stakeholders, you are ruled by economics. Both are valid methods for implementing decentralization.”

The Second Attack

Just when trading had resumed over the weekend and operations were back to normal, attackers targeted bZx again, this time netting $633,000. This attack took place just after 03:00 UTC on Tuesday. The person(s) took out a flash loan of 7,500 ETH, using 3,518 ETH of it to purchase the stablecoin sUSD from its issuer, which they then deposited as collateral for a bZx loan.

They then used 900 ETH to bid up the value of sUSD through Uniswap/Kyber, borrowed another 6,796 ETH from bZx, used it to repay the 7,500 ETH loan, and pocketed the remaining value: 2,378 ETH.

What’s shocking but also impressive is that the entire attack took place in just over a minute.

What are Flash Loans?

Flash loans are loans that users take out and pay back within the same transaction so as to amplify their payouts. With a flash loan, a borrower risks nothing. Because the loan and its repayment are part of one transaction, the network can check whether the loan has been repaid before the transaction ends, and if it has not, the whole transaction, and everything done with the borrowed funds, is rejected. If it goes through, the lender earns a small fee, the trader keeps the profit, and everybody is happy.
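The repay-or-revert rule described above, shown as an added example in plain Python rather than as any real protocol's contract code: a toy lending pool snapshots its state, hands the funds to the borrower's strategy, and restores the snapshot if the principal plus fee is not back by the time the strategy returns. The pool, the borrower name "alice", the 9 basis point fee and all balances are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Hypothetical flash-loan fee of 9 basis points (0.09%); a constructed value,
# not the fee charged by any real protocol.
FEE_BPS = 9


class FlashLoanReverted(Exception):
    """Raised when the loan is not repaid inside the call; pool state has been rolled back."""


@dataclass
class Pool:
    """Toy single-asset lending pool (constructed); amounts are whole units of the asset."""
    reserve: int
    balances: Dict[str, int] = field(default_factory=dict)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def repay(self, who: str, amount: int) -> None:
        """Move `amount` from a borrower's balance back into the reserve."""
        if self.balance_of(who) < amount:
            raise ValueError(f"{who} cannot repay {amount}")
        self.balances[who] -= amount
        self.reserve += amount

    def _restore(self, snapshot: Tuple[int, Dict[str, int]]) -> None:
        self.reserve, self.balances = snapshot[0], dict(snapshot[1])

    def flash_loan(self, borrower: str, amount: int,
                   strategy: Callable[["Pool"], None]) -> int:
        """Lend `amount` for the duration of `strategy`, then require repayment plus fee.

        Mirrors the on-chain rule: the whole sequence is one transaction, so a loan
        that is not repaid by the time the call returns is undone in its entirety.
        Returns the fee earned by the pool on success.
        """
        if amount > self.reserve:
            raise FlashLoanReverted("insufficient reserve")
        fee = amount * FEE_BPS // 10_000
        snapshot = (self.reserve, dict(self.balances))   # state before the loan
        self.reserve -= amount
        self.balances[borrower] = self.balance_of(borrower) + amount
        try:
            strategy(self)              # borrower's logic runs inside the "transaction"
        except Exception as exc:
            self._restore(snapshot)     # any failure inside reverts everything
            raise FlashLoanReverted(f"strategy failed: {exc}") from exc
        if self.reserve < snapshot[0] + fee:
            self._restore(snapshot)     # not repaid in time: the loan never happened
            raise FlashLoanReverted("loan not repaid with fee before call returned")
        return fee


def run_honest_borrower() -> Tuple[int, int, int]:
    """Borrower repays principal plus fee within the call; returns (fee, reserve, borrower balance)."""
    pool = Pool(reserve=100_000, balances={"alice": 50})
    amount = 10_000
    fee = amount * FEE_BPS // 10_000

    def strategy(p: Pool) -> None:
        # whatever the borrower does with the funds happens here, then they repay
        p.repay("alice", amount + fee)

    earned = pool.flash_loan("alice", amount, strategy)
    return earned, pool.reserve, pool.balance_of("alice")


def run_defaulting_borrower() -> Tuple[bool, int, int]:
    """Borrower never repays; returns (reverted, reserve, borrower balance) after rollback."""
    pool = Pool(reserve=100_000, balances={"alice": 50})

    def strategy(p: Pool) -> None:
        pass  # returns without repaying

    reverted = False
    try:
        pool.flash_loan("alice", 10_000, strategy)
    except FlashLoanReverted:
        reverted = True
    return reverted, pool.reserve, pool.balance_of("alice")


if __name__ == "__main__":
    print("honest:", run_honest_borrower())        # (9, 100009, 41)
    print("default:", run_defaulting_borrower())   # (True, 100000, 50)
```

The point of the rollback is that the lender never has to trust the borrower: either the reserve is whole (plus fee) when the call returns, or the borrower's entire sequence of actions is discarded. A real chain enforces this with transaction reverts; the snapshot here plays that role.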

But, as the bZx scenario demonstrates, things aren’t always that simple. A flash loan carries great risk for a platform with exploitable bugs in its code or unreliable price feeds. In this case, the attacker(s) did not intend simply to buy low and sell high, but to deliberately manipulate vulnerable price markets.

Aftermath

Shortly after the first attack, investors started jumping from the bZx ship, but things seemed to get back to normal after the firm released a statement acknowledging the issue and addressing the way forward.

As for the future of DeFi security, DeFi experts agree that this is new territory, so mistakes are bound to occur. Speaking to CoinDesk, the CEO of Staked asserted: “These are big risks. It’s a new category, it’s moving fast, and some things are going to break.”

The bZx team is now focused on securing the network and deterring future attacks. The firm has already implemented a check that will disallow even overcollateralized loans in the future, and has put a cap on maximum trade sizes to limit the scope of potential attacks. It will also implement a Chainlink oracle to supplement Kyber’s price feed, so that it can obtain time-weighted price information at any given time.
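Why a time-weighted price resists a single-transaction price push, and what a per-trade cap looks like, as an added example that is not bZx's code or the Chainlink or Kyber feed logic. It builds a constructed history of 240 fifteen-second blocks at roughly 1.0000 ETH per token with one final block whose spot price jumps to 2.5 ETH, then compares the naive spot reading with a one-hour TWAP. The deviation circuit breaker (500 bps) and the trade cap (5% of reserve) are hypothetical thresholds chosen for the illustration.

```python
from typing import List, Tuple

Observation = Tuple[int, int]   # (block timestamp in seconds, price in 1e-4 ETH per token)

BLOCK_TIME = 15                 # seconds between constructed blocks
UNIT = 10_000                   # 1.0000 ETH in the 1e-4 price unit


def build_observations(n_blocks: int = 240, last_price: int = 25_000) -> List[Observation]:
    """Constructed price history: n_blocks-1 quiet blocks hovering around 1.0000 ETH,
    then a final block whose spot price is `last_price` (25_000 = a one-block jump to 2.5 ETH)."""
    obs = [(i * BLOCK_TIME, UNIT + (i % 3) - 1) for i in range(n_blocks - 1)]
    obs.append(((n_blocks - 1) * BLOCK_TIME, last_price))
    return obs


def spot_price(obs: List[Observation]) -> int:
    """What a naive feed reports: the most recent price, whatever produced it."""
    return obs[-1][1]


def time_weighted_price(obs: List[Observation], now: int, window: int) -> float:
    """Time-weighted average price over [now - window, now].

    Each observed price is assumed to hold until the next observation (or until `now`),
    so a price that existed for one 15-second block contributes only 15/window of the average.
    """
    start = now - window
    weighted, covered = 0, 0
    for i, (t, price) in enumerate(obs):
        t_end = obs[i + 1][0] if i + 1 < len(obs) else now
        lo, hi = max(t, start), min(t_end, now)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside window")
    return weighted / covered


def price_for_collateral(obs: List[Observation], now: int, window: int = 3600,
                         max_deviation_bps: int = 500) -> float:
    """Price a lender should value collateral at: the TWAP, refused outright when the
    spot price sits more than `max_deviation_bps` away from it (a hypothetical circuit breaker)."""
    twap = time_weighted_price(obs, now, window)
    deviation_bps = abs(spot_price(obs) - twap) * 10_000 / twap
    if deviation_bps > max_deviation_bps:
        raise ValueError(f"spot deviates {deviation_bps:.0f} bps from TWAP; refusing to price")
    return twap


def within_trade_cap(trade_amount: int, pool_reserve: int, cap_bps: int = 500) -> bool:
    """Hypothetical per-trade cap: a single trade may move at most cap_bps of the reserve."""
    return trade_amount * 10_000 <= pool_reserve * cap_bps


def compare_feeds(last_price: int = 25_000) -> Tuple[int, float, bool]:
    """Returns (spot, twap, accepted); accepted is False when the circuit breaker trips."""
    obs = build_observations(last_price=last_price)
    now = len(obs) * BLOCK_TIME          # the last block's price has held for one block
    try:
        price_for_collateral(obs, now)
        accepted = True
    except ValueError:
        accepted = False
    return spot_price(obs), time_weighted_price(obs, now, 3600), accepted


if __name__ == "__main__":
    print("spiked block :", compare_feeds())              # spot 25000, TWAP about 10062, rejected
    print("quiet history:", compare_feeds(last_price=UNIT))  # spot 10000, TWAP about 10000, accepted
```

With the spike, the spot reading is 2.5x the quiet level while the one-hour TWAP moves well under 1%, because a price that existed for one block is weighted by that block's 15 seconds out of 3,600. Pairing the TWAP with a deviation check turns a manipulated spot price into a refused loan rather than a mispriced one, which is the effect a second, independent oracle is meant to provide.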


ETH’s Bullish Behavior and the Case of Flash Loans

ETH pulled a surprise on everyone on Tuesday by posting bullish prices as high as $287, up from Monday’s low of $245.

This surge couldn’t have come at a stranger time: Ethereum was in the spotlight for two attacks, or ‘exploits’, on the Ethereum-based DeFi protocol bZx that saw it lose almost $1m worth of ETH.


Mike Dudas, CEO of the crypto news site The Block, tweeted in acknowledgment of ETH’s Tuesday rally.

Respected economist Alex Kruger’s response to Dudas’s tweet may explain this bullish behavior, though. While saying ETH did not actually ‘shrug off’ the exploit, he stated the attacks were naturally bullish for Ether since they are “great advertising” and “should generate interest in Ethereum from the finance industry and thus increase demand for ETH, even if the many DeFi platforms die in the near term because of this.” In essence, the attacks raised Ethereum’s profile, its DeFi use case be damned (at least in the short term).

Flash Loans

The DeFi attacks that helped reverse ETH’s fortunes on Tuesday were the result of manipulating flash loans. To understand flash loans, let’s look again at what Kruger had to say about them. In the same thread, he said, “flash loans provide access to instantaneous liquidity and collateral, and work on top of deterministic transactions that fully eliminate risk for both borrower and lender. This is extremely valuable, and the very best expression of programmable money…”

Flash loans are a new entry in the crypto world, a decentralized finance innovation built atop the Ethereum blockchain. A flash loan allows a trader to take an uncollateralized loan to maximize the profit from a trade. They are ‘flash’ loans because they are extremely fast: the borrower repays the loan in the same transaction.

What happened with bZx is that the attackers exploited weak points in the protocol, making away with $300,000 and around $650,000 worth of Ether in the two attacks.

Ensuing Fear, Uncertainty, and Doubt

After the Ethereum debacle, some individuals took the chance to pontificate about DeFi being an inherently flawed technology. But just as with the DAO attack in 2015, such incidents invariably point to weaknesses in a system, which in turn helps make it better and more resilient. Like any technology, DeFi is undergoing ‘growing pains,’ and it helps more to provide solutions to such imperfections than to knock everything down.

What’s next for bZx

As for bZx, the firm will mitigate the damage of the attacks in several ways, such as liquidating collateral to cover a loan that the attack left uncovered, as well as spreading the loss across its user accounts. (Users will barely feel the impact of the loss, despite the magnitude of the attack.) The firm has also indicated plans to set up an insurance fund as a long-term solution in case of a similar incident in the future.

Perhaps DeFi proponents can look at the bright side: the attacks are a testament to DeFi taking up space in finance. The nascent technology is developing enough clout to be worth attacking.