TL;DR: Ethereum decentralized finance (DeFi) platform bZx has been gamed twice in only four days, totaling losses just under $1,000,000, involving multiple uses of available technology and services. DeFi is the “it” ecosystem word, attracting a lot of the hype once reserved for “blockchain technology” in recent years. The latest scheme apparently allowed attackers to move more than $600,000, double that of the first take just days prior.
Ethereum DeFi Platforms Gamed Again: $1,000,000 Total Lost
“In understanding the approaches we could take to stop this attack in the future,” Kyle J. Kistner of bZx assured on February 17, 2020 (after a $300,000 loss was discovered February 14, 2020) “we were gifted with one of our most innovative protocol features yet. It will make traders far more money while at the same time dramatically increasing our security guarantees. If it was implemented at the time of the attack, the attack would not have succeeded. In the end, we believe this lesson will be valuable for us.”
Around the same time Kistner was putting together this confident declaration, yet another gaming of his bZx platform was taking place, seemingly twice as bad as the first. “We have hit the pause button on the protocol again,” bZx warned Twitter followers shortly after its blog post, “in light of suspicious transactions using flash loans and trading on Synthetix,” and analysts are claiming another $600,000 was unwittingly moved through bZx.
That’s about one million dollars worth of ether (ETH) moved, gamed, hacked, attacked, whatever the preferred verb, in less than a week. To the uninitiated, the Ethereum DeFi world can be dizzying to understand. And where there’s complexity, there is the opportunity for gamesmanship, for taking advantage of credulity and overconfidence.
$1,000,000 in ETH Gamed, So Far
What is clear is that while the bZx team attended the ETHDenver conference, presenting and touting the benefits of DeFi, someone was licking their chops at an obvious honeypot waiting to be exploited. The first gaming of bZx and its DeFi platform involved time-honored methods of arbitrage: swapping ETH for wrapped BTC (WBTC), leveraged trades, flash loans, other DeFi lending services such as dYdX and Compound and Kyber’s Uniswap, margin trading, slippage, and an apparent smart contract bug within bZx previously undiscovered.
Less than clear is whether any of it was beyond the pale. In other words, most analysts seem to conclude what the attacker(s) did was perform functions within the realm of possibility and that, in fact, it was basically arbitrage in action by way of a bug within the inherent logic of bZx. There isn’t much consensus around whether the moves were unethical.
“As we have seen,” palkeo explained of the then first round of gaming, “DyDx and Compound are only here to get enough leverage. And it’s the position that the attacker took on bZx that caused a huge Uniswap skewing that they then exploited. Also note that the attacker only opened a position, and that’s it. There were not fiddling with the Uniswap prices first, or anything like that. It’s the mere fact of opening their huge position that caused a leak of funds from bZx to Uniswap, that they exploited.”
On February 17, 2020, The Block reported, “bZx attacked again, $645K in ETH estimated to be lost,” quoting bZx rival Robert Leshner as insisting, “The bZx team has repeatedly demonstrated that it isn’t capable of protecting user funds, and should immediately cease operations until the platform can be thoroughly and completely audited.” The second round of gaming appears to have involved oracle manipulation and not a logic bug.
Haseeb Qureshi, Managing partner at Dragonfly Capital, believed the latest instance was indeed “pure oracle manipulation—didn’t even require a logic bug,” and offered “interesting takeaways” from both jarring instances admittedly still developing. The first is determining “who is actually capital constrained? We just learned—mostly attackers / oracle manipulators. And of course! Who else would be able to put $25M to work and bring it home in a single transaction? (Hint: it’s probably not a $25M arbitrage…),” he reasoned.
Acknowledging the nascent DeFi industry’s credulity, Qureshi explained, “Now flash loans will be like re-entrancy. It’ll be so embarrassing to get attacked by them that everyone will double and triple check their threat model. We’ll come up with new best practices around this,” he assured. “The more complexity in your protocol, the more surface area for attack. Kyber, bZx, all these protocols that interweave with each other become as weak as the weakest among them,” a paradoxical problem for decentralized finance, to be sure. “All developers understand the danger of too many dependencies. DeFi is just now learning the same,” he stressed.
CONTINUE THE SPICE and check out our piping hot VIDEOS. Our podcast, The CoinSpice Podcast, has amazing guests. Follow CoinSpice on Twitter. Join our Telegram feed to make sure you never miss a post. Drop some BCH at the merch shop — we’ve got some spicy shirts for men and women. Don’t forget to help spread the word about CoinSpice on social media.
DYOR: CoinSpice is your home for just spicy crypto things. We’re not affiliated with any cryptocurrency project or token. Each published piece is intended for information purposes only, not investment advice and not in the hope of impacting speculative markets. There are plenty of trading sites and coin-specific advocacy journals out there, we’re neither. CoinSpice strives for rigorous accuracy in our reporting. Information presented here is contingent usually on a host of factors, and the ecosystem moves fast — prices change, projects change, and at warp speed. Do your own research.
DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.