Update 2/17/2020 @ 7:20PM: The bZx team has published its post-mortem report, read it here.
The rise of the Ethereum decentralized finance sector, or DeFi, has been one of the biggest stories in the cryptoeconomy for the last two years.
DeFi’s power lies in its underlying composability, the ease with which disparate “money lego” projects can link their capabilities together, and in its permissionless structure, the ability to conduct activities without a third party in the middle to approve or disapprove of them.
As it stands, this model can be extremely liberating for people across the world, though, as with any system, it can also be abused by bad actors. Many analysts have been expecting a DeFi attack, and over the weekend crypto stakeholders got a first glimpse of what such attacks look like in the wild.
Not a Hack, But an Attack
bZx is a lending and margin trading protocol on Ethereum; Fulcrum is a front-end project built on top of it that exposes bZx’s services. What was used against these projects and others was not a single code bug so much as a chain of individually legitimate operations across several protocols that together created an arbitrage-like opportunity.
Here is what appears to have happened: an attacker, or group of attackers, took out a flash loan of 10,000 ether (ETH) from the dYdX protocol. A flash loan requires no collateral but must be repaid within the same transaction in which it is taken, otherwise the entire transaction reverts. That trove of borrowed capital was then used to launch the attack.
Per the bZx post-mortem linked above, the attacker deposited roughly half of those funds into the Compound lending dApp as collateral and borrowed 112 WBTC, a tokenized ERC20 version of bitcoin, against it. Separately, the attacker sent a smaller amount of ETH to bZx and opened a 5x leveraged short of ETH against WBTC on Fulcrum. To fill that position, bZx swapped a large amount of ETH for WBTC through Uniswap’s thinly supplied WBTC market, which drove the WBTC price on Uniswap sharply upward. The attacker then sold the 112 WBTC borrowed from Compound into that inflated price, collecting far more ETH than the WBTC was worth anywhere else, repaid the flash loan, and apparently profited by some $350,000 USD, with the loss landing on bZx’s lenders.
All of that occurred within a single transaction, with no collateral of the attacker’s own required up front. It was both an ingenious and a nefarious move, and it will lead to some soul-searching in the DeFi community going forward.
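The core of the attack is that a margin protocol priced and filled a position against a single on-chain liquidity pool that the same transaction could move. The following simplified model, an added example that is not bZx, Fulcrum or Uniswap code, replays that pattern against a toy constant-product (x*y=k) pool: the protocol’s own fill of the leveraged short pumps the pool, the attacker dumps externally borrowed WBTC into the pumped price, and the flash loan is repaid from the proceeds. It then shows the check a practitioner would want the protocol to run before filling: refuse any fill whose post-trade pool price deviates from an independent reference price (a time-weighted average or a second venue) by more than a threshold. All reserve sizes, loan sizes and prices are constructed for illustration and are not the figures from the real transaction; the class and function names are mine.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool holding ETH and WBTC (constructed model, not Uniswap's code).

    Prices are quoted as ETH per WBTC.
    """
    reserve_eth: float
    reserve_wbtc: float
    fee_bps: int = 0  # real pools charge a fee (Uniswap v1: 30 bps); 0 keeps arithmetic exact

    def spot_price(self) -> float:
        return self.reserve_eth / self.reserve_wbtc

    def quote_eth_for_wbtc(self, eth_in: float) -> float:
        """WBTC received for eth_in, without changing the pool state."""
        eth_net = eth_in * (10_000 - self.fee_bps) / 10_000
        k = self.reserve_eth * self.reserve_wbtc
        return self.reserve_wbtc - k / (self.reserve_eth + eth_net)

    def swap_eth_for_wbtc(self, eth_in: float) -> float:
        wbtc_out = self.quote_eth_for_wbtc(eth_in)
        self.reserve_eth += eth_in
        self.reserve_wbtc -= wbtc_out
        return wbtc_out

    def quote_wbtc_for_eth(self, wbtc_in: float) -> float:
        wbtc_net = wbtc_in * (10_000 - self.fee_bps) / 10_000
        k = self.reserve_eth * self.reserve_wbtc
        return self.reserve_eth - k / (self.reserve_wbtc + wbtc_net)

    def swap_wbtc_for_eth(self, wbtc_in: float) -> float:
        eth_out = self.quote_wbtc_for_eth(wbtc_in)
        self.reserve_wbtc += wbtc_in
        self.reserve_eth -= eth_out
        return eth_out


def simulate_attack(pool, flash_eth, compound_collateral_eth, borrowed_wbtc,
                    margin_collateral_eth, leverage, fair_price):
    """Replay the flash-loan / oracle-manipulation sequence on a toy pool.

    fair_price is the undisturbed ETH-per-WBTC price used to value leftover
    positions after the transaction. Returns a dict of outcomes in ETH.
    """
    # Flash loan: attacker starts with borrowed ETH and no capital of their own.
    attacker_eth = flash_eth - compound_collateral_eth - margin_collateral_eth

    # Step 1: the margin protocol fills a leverage-x short of ETH against WBTC by
    # buying WBTC with collateral*leverage ETH. Everything beyond the collateral
    # is the protocol's lenders' money. This single fill is what pumps the pool.
    position_eth = margin_collateral_eth * leverage
    protocol_wbtc = pool.swap_eth_for_wbtc(position_eth)
    pumped_price = pool.spot_price()

    # Step 2: attacker dumps the WBTC borrowed elsewhere into the pumped price.
    attacker_eth += pool.swap_wbtc_for_eth(borrowed_wbtc)

    # Step 3: repay the flash loan (the transaction would revert otherwise).
    attacker_eth -= flash_eth

    # Value what is left at the fair price: the lending-platform position is
    # collateral minus debt, the margin protocol holds WBTC against ETH it lent.
    compound_equity = compound_collateral_eth - borrowed_wbtc * fair_price
    protocol_loss = (position_eth - margin_collateral_eth) - protocol_wbtc * fair_price
    return {
        "pumped_price": pumped_price,
        "attacker_profit": attacker_eth + compound_equity,
        "protocol_loss": protocol_loss,
    }


def price_impact_ok(pool, eth_in, reference_price, max_deviation=0.05):
    """Pre-trade sanity check: refuse a fill that would leave the pool's spot
    price more than max_deviation away from an independent reference price."""
    wbtc_out = pool.quote_eth_for_wbtc(eth_in)
    post_price = (pool.reserve_eth + eth_in) / (pool.reserve_wbtc - wbtc_out)
    return abs(post_price / reference_price - 1.0) <= max_deviation


if __name__ == "__main__":
    # Constructed numbers: a thin pool priced at 37.5 ETH/WBTC.
    pool = ConstantProductPool(reserve_eth=3_000, reserve_wbtc=80)
    print(simulate_attack(pool, flash_eth=10_000, compound_collateral_eth=5_500,
                          borrowed_wbtc=112, margin_collateral_eth=1_300,
                          leverage=5, fair_price=37.5))
    fresh = ConstantProductPool(reserve_eth=3_000, reserve_wbtc=80)
    print("fill allowed:", price_impact_ok(fresh, 6_500, reference_price=37.5))
```

With the constructed pool, the protocol’s own 6,500 ETH fill moves the pool price from 37.5 to roughly 376 ETH per WBTC, the attacker ends the transaction with a profit of about 2,250 ETH, and the protocol is left holding WBTC worth far less than the ETH it lent. The same fill fails `price_impact_ok` against the 37.5 reference, while a 50 ETH fill, which moves the price about 3.4%, passes; the check only helps if the reference price is one the transaction itself cannot move.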
In the aftermath of the attack, bZx co-founder Kyle Kistner confirmed that users’ funds were ultimately safe, commenting:
“There was an exploit executed against the contract. There was a portion of ETH lost. We have paused the contract except for lending and unlending. We are still consulting with the relevant security researchers to understand the precise cause of the issue. We will be publishing a more in-depth post-mortem. The remaining funds are safe.”
In other words, the bZx team has encountered a bad-faith broadside, but moves have already been taken, and more will be taken, to prevent a similar attack from happening in the future, as bZx’s leadership explained:
“We have deployed a contract upgrade that we believe will make our system more robust against these type of actions in the future. The upgrade is currently being processed through our timelock. It will pass through in the next 12 hours. At that time we hope to restart the UI.”
The Sooner the Better?
There are some stakeholders that have argued that it’s beneficial that such an attack occurred earlier rather than later in DeFi, when the stakes would be higher. Among this lot was BlockTower Capital’s chief information officer, Ari Paul, who later argued:
“The bzx/compound/uniswap attack is super cool. The more of this that happens, the sooner the better. We want the bug bounties claimed before defi poses a systemic risk.”
Indeed, DeFi is not hardened yet, but this latest attack incident does represent an opportunity for many projects in the ecosystem to toughen up.