Exploit During ETHDenver Reveals Experimental Nature of Decentralized Finance

William Foxley

DENVER – Decentralized finance (DeFi) project bZx has suffered an attack in which a hacker successfully gamed multiple DeFi protocols to extract $350,000 from the platform, about 2 percent of the assets under management.

In response, the company took down its lending and trading protocol Fulcrum at 7:00 UTC. The company was presenting at ETHDenver during the hack. The hackers took advantage of the company’s pricing oracle to trick the protocol into giving up the cash. bZx depended on only one oracle for pricing, according to sources.

The firm, which has yet to reappear at EthDenver, later confirmed in a tweet it will compensate lenders for potential losses.

Related: Why Bison Trails Is Staying the Course on Libra

The attack could be symptomatic of a continuing issue in DeFi, said Chainlink CEO Sergey Nazarov at the event: how to source price information.

The attack was even more notable because of its timing as the team had to deal with the hack during the ethereum community’s EthDenver hackathon, which largely focuses on DeFi.

bZx stickers at ETHDenver. (Photo by John Biggs for CoinDesk)

Nazarov said that sourcing price data from one oracle – services that collect and issue on-chain price information – remains problematic and one DeFi teams are still working out, although its relation to this issue has yet to be firmly established, he added.

“You can’t rely on [only] one oracle connected with an exchange API,” Nazarov said.

Related: Mind the Gap: Why ETH Price and DeFi Adoption Aren’t in Sync

Staked CEO Tim Ogilvie, which operates a working relationship with bZx, said the loss amounts to an expensive bug bounty and highlights the novelty of flash loans, a new DeFi feature which allows traders to borrow and return funds in short windows the hacker leveraged for the attack.

According to Ogilvie, the attacker borrowed 10,000 ETH, worth approximately $2.67 million, in a flash loan.

The attacker then split the borrowed funds, sending 5,000 ETH to DeFi protocol Compound and the other half to bZx. After the deposits, the attacker shorted wrapped bitcoin (WBTC) on bZx quickly followed by borrowing 112 WBTC on Compound, worth about $1.1 million, and selling the borrowed WBTC on UniSwap, another DeFi market, said Ogilvie.

Ogilvie said, which the firm denied on Twitter, that bZx uses UniSwap’s price feed for WBTC. When the attacker dropped the $1.1 million worth of WBTC on UniSwap, their bZx short became extremely profitable, said Ogilvie.

“The question for DeFi is what’s safe? How do you create a safe and secure set of [price] oracles that actually do things? People use different approaches and you can choose the wrong way,” Ogilvie said.

“There are big risks. It’s a new category, it’s moving fast and that means some things are going to break,” Ogilvie said.

The eighth-largest DeFi market according to DeFi Pulse, 16 percent of funds locked in bZx have been withdrawn from the protocol in the past 24 hours.

Related Stories