A DeFi Hack Fuels Debate, Litecoin's Lee Bashes 'Decentralization Theatre'
"This is why I don't believe in DeFi," said Lee. "It's the worst of both worlds. Most DeFi can be shut down by a centralized party, so it's just a decentralization theatre. And yet no one can undo a hack or exploit unless we add more centralization. So how is this better than what we have now?" he asks.
However, developer Eric Wall stressed that this kind of argument is "the cheap, boring fast-track to '[Crypto Twitter] wokeness' these days," because having an admin key is "not identical to a centralized exchange unless that admin key allows you to confiscate individual user balances."
What Lee and Wall are referring to in their posts is the recent hack of tokenized margin trading and lending platform bZx. During this past weekend, the hacker or hackers helped themselves to some USD 350,000, or c. 2% of the platform's assets under management, with less than USD 8 in transaction fees, by using several DeFi protocols and exploiting the so-called "flash lending" on bZx's Fulcrum platform. For reference, the bZx protocol hit the mainnet in 2018, while Fulcrum is a lending and trading dapp (decentralized app) launched in June 2019.
According to DeFi Pulse, bZx, the seventh-largest DeFi platform on the Ethereum network by Total Value Locked (TVL), saw a USD 3.56 million drop on February 16 and a USD 1.9 million rise so far today, an improvement of +12.9% in the past 24 hours. It currently has USD 16.7 million in TVL.
bZx confirmed the attack, but stated that the remaining funds are safe, and that "providing a comprehensive accounting of the losses will require additional time," adding: "This was not a simple Uniswap (a protocol for automated token exchange on Ethereum) attack, and we do not use Uniswap as an oracle." They use Kyber instead. They also paused borrowing and trading on the system and deployed a contract upgrade they believe will provide additional security against these types of attacks, while they also promised to publish a compensation plan for the lenders.
Additionally, the company said that the attacker had left 600,000 of wBTC as collateral, and that the team will use the admin key "to stream interest and exit liquidity to existing iETH holders," adding, "This is an extremely difficult decision for us that we don't take lightly."
The existence of an admin key is something many in the community, and apparently Lee as well, find problematic.
There will continue to be an admin key that is held collectively by the bZxDAO when we transition to decentralized governance. — bZx (@bzxHQ) February 16, 2020
DeFi Pulse, a DeFi market data provider, also tweeted that the community believes these to be the transactions in question and that this was "a complex single-transaction exploit utilizing a 10k ETH flash loan from dYdX, half placed into Compound and half into Fulcrum," explaining what might have happened.
3/
- The 5k ETH deposited into Compound was used to borrow 112 WBTC
- The other 5k ETH was used as collateral to short WBTC on Fulcrum
- The 112 WBTC were then sold on Uniswap to push the price down
- Fulcrum WBTC short is cashed out at a profit and dYdX flash loan is paid back
— DeFi Pulse 🍇 (@defipulse) February 15, 2020
However, Nic Carter, partner at Castle Island Ventures, a venture capital firm focused on public blockchains, didn't find any given explanation plausible. He wondered "how a market sell caused a sufficient market impact to affect the index if the entire process took place within the confines of a single transaction... there’s no time for a market impact to be felt," he argued.
That said, bZx updated their followers, saying that an official report will be out today, February 17, at midnight UTC.
This brings us back to Lee who, replying to people trying to convince him of the benefits of DeFi, stated that it doesn't work on any platform, and that work on it should continue, but that he doesn't believe DeFi will revolutionize finance. "I don't think it will work in practice," he writes. "Truly decentralized finance, that is. Complexity will always lead to bugs and exploits. And it will always be semi-centralized."
The TVL in DeFi has recently surpassed a major milestone and now stands at USD 1.09 billion.
Some “DeFi” app shit the bed today, got exploited, and got turned off (kind of like iota a few days ago)
So for the next 24 hours or so, everyone on Twitter is going to be a version of me https://t.co/lSwIQXskbl
— Udi Wertheimer〔🧱½🎉〕 (@udiWertheimer) February 15, 2020
The level of effort DeFi teams put in to securing their systems is often unnoticed. The @bzxHQ team are extremely hardworking, and as a lender on Fulcrum this kind of attack was factored into my participation. Worth remembering there is no risk free yield. — kain.eth (@kaiynne) February 15, 2020