DeFi Loses USD 140M in a Few Hours as bZx Suffers Another Exploit
Assets locked in DeFi (decentralized finance) have dropped more than USD 142 million in a few hours as DeFi platform bZx suffered yet another attack. (Updated at 16:19 UTC: updates in bold).
Just four days ago, somebody exploited a vulnerability in tokenized margin trading and lending platform bZx, and now the reports are coming out that the same thing has happened once again. And in the light of all of this, total value locked (TLV) in DeFi dropped. After surpassing the USD 1 billion mark earlier this month, on February 15 it reached another all-time high, hitting USD 1.22 billion. It gradually fell to USD 1.149 billion earlier today and then, in a few hours, it crashed 12%, to USD 1 billion (10:00 UTC).
As reported, bZx was already exploited a few days ago. The platform paused borrowing and trading, deployed an upgrade, but also came out with an official report on February 17, which states that a total of ETH 1,193 (USD 320,000) has been taken.
However, on February 18, bZx tweeted that that the pause button has been hit yet again, "in light of suspicious transactions using flash loans and trading on Synthetix." Details of another transaction, made less than six hours ago, are shared through the community, according to which ETH 2,388 (USD 640,000) is lost. This caused an uproar in the Cryptoverse, drawing criticism and concern.
"At first blush, this isn’t a good look for DeFi. But I’m of the opinion these sort of attacks are healthy for the emerging ecosystem, and it might be better to allow - or even encourage - "arbitrage games" like the ones on bZx in order to make the systems more resilient before they get bigger and exploits become more damaging," Ryan Selkis, CEO of crypto researcher Messari, said in his newsletter today.
In all seriousness, I can’t even imagine the stress that the DeFi currently have EVERY SINGLE DAY. It’s a multi mil… https://t.co/dXrRqDGguH— Larry Cermak (@lawmaster)
Your funds are safe*— eric.eth (@econoar) February 18, 2020
*for 12 more hours
Another result of the first attack, as the report says, is an undercollateralized loan on the platform, which is not currently a loss, but has the potential of becoming one. The debt can be serviced with the current collateral for the next 202 years, at which point, there'll be a ETH 4,698 loss, which remains from the attackers' loan, to be socialized across the lending pool. "If we used the administrator key to liquidate the wBTC into ETH," says bZx, "we could eliminate the impact of market volatility and guarantee that the debt would settle on this date." Prior to this second attack, the options presented were:
- the administrator key to insulate iETH holders from the volatility of the wBTC collateral;
- pay back some of the principle in order to insulate the protocol from the price of ETH increasing, making it more difficult to pay back the 4698.02 ETH.
bZx in their report and others in their analyses describe, not an oracle attack, but "a clever arbitrage execution," as a blockchain security company PeckShield defined it, which could be separated in five distinct steps: Flashloan Borrow, Hoard, Margin Pump, Dump, Flashloan Repay.
Korantin Auguste, a former Google software engineer, also describes a complex series of steps, which we could say is unlikely done by somebody who wasn't well-acquainted with the mechanism and its vulnerabilities. "The attacker exploited a bug in bZx that caused it to trade a huge amount on Uniswap [a protocol for automated token exchange on Ethereum], at a 3x inflated price,” says Auguste, adding "Because the Uniswap supply is all distorted, they are able to sell these 112 WBTC for 6871 ETH."
Richard Burton, DeFi product designer, who formerly worked for Ethereum and Balanced.io, argues that "people are borrowing hundreds of thousands of dollars for a few seconds to smash the [bZx] protocol to bits," and adds: "The open-source financial system is absolutely savage. Everything is vulnerable."
The centralized vs decentralized debate is still ongoing, with those arguing that a pause button, off-switch, or an admin key shouldn't exist in DeFi in one camp, and those stating that the space is still in its toddler days in the other.
What’s not ok? IOTA shutting their “decentralised” network down for 5 days via the (centralized) Coordinator.— Tony “Abolish ICE” Arcieri 🦀 (@bascule) February 18, 2020
Whether the second attack was done by the same person(s) can't be said, as copy-cats are likely to follow an exploit once the method goes public.
Meanwhile, people have been reporting other transaction issues, primarily many alleged filing transactions, for which bZx stated are unrelated to these events.
Learn more: DeFi Challenge: Organic User Adoption