As the decentralized finance juggernaut rolls inexorably forward, the exploitation of defi project Bzx – in which $350K, or around 2% of total assets was taken – has called the decentralization of the industry into doubt. The attack forced an admin key reset to redeem lost funds and sparked a surge in defi insurance, with major players hastily taking out cover to immunize themselves from financial loss. Exactly how decentralized is decentralized finance, critics are wondering.
DEX Volume Swells 71% in a Week
Decentralized exchanges, around which the defi movement revolves, are going strong. More than $2.3B was traded on Ethereum-based DEXs last year, and 2020 is on course to comfortably surpass that. $119M was traded in the last seven days, according to Dune Analytics, marking a 71% increase. Meanwhile, new DEXs are springing up regularly to meet growing demand. The latest, Dexive, will operate as a dual Ethereum and Neo decentralized exchange, with integrated trading features such as asset details, news portal, discussion forum and microblog. There are plans to ultimately integrate other blockchains such as Eos and Zilliqa to create a universal DEX.
While demand for decentralized token trading, and the defi primitives it supports, ramps up, the industry has looked shaky of late. The Bzx exploit that occurred on February 15 has sparked intense debate as to whether decentralized trading protocols are truly decentralized, or whether the presence of a “kill switch” nullifies all such claims. Bzx is the seventh largest defi protocol, with over $18 million worth of funds locked.
A Complex Transaction
The exploitation of Bzx occurred on February 15, with project co-founder Kyle Kistner providing details via the platform’s official Telegram channel and temporarily pausing all trading on the exchange. “Exploit” is probably the most apposite term, although arbitraging, attacking, hacking, and thieving have all been liberally used. The net result is the same: Bzx’s balance wound up $350K worth of ETH lighter, though the damage was far worse given the consequent loss of equity. So, how did it happen?
Essentially an exploit was executed against a contract on the project’s Fulcrum trading platform. The perpetrator took out a 10,000 ETH flash loan from non-custodial exchange Dydx before dispatching 5,000 ETH to Compound and borrowing 112 wrapped bitcoins (WBTC).
Thereafter, the attacker sent 5,000 ETH to Bzx, opening a 5x short position for WBTC. After the exchange had converted 5,637 ETH to 51 WBTC via Uniswap, the attacker then converted the 112 WBTC to 6,871 ETH on Uniswap before paying Dydx their original 10,000 ETH. The total transaction cost incurred by the multi-part smart contract was $8. Confused? You’re not alone; the sophistication of the exploit has had commenters applauding and head-scratching in equal measure.
Tweets like "DeFi apps are no different than centralized exchanges because all the contracts have admin keys" is the cheap, boring fast-track to "CT wokeness" these days, forcing me to take the devil's advocate and point out why that's sometimes wrong. Warranted retort:
— Eric Wall IS RIGHT (@ercwl) February 17, 2020
An Oracle Problem
In the end, the perpetrator exploited a Bzx flaw that enabled them to trade an inordinate amount on Uniswap at an inflated price of 3x. In other words, it wasn’t an oracle bug per se, but a fundamental vulnerability in the design of the defi stack that facilitated its execution. Opening such a huge position caused a drain of funds from Bzx to Uniswap, enriching the rogue actor to the tune of $350K and resulting in a $620,000 loss of equity for Bzx. Market manipulation at its finest.
Our first claims assessment has finalised with the 30,000 DAI claim on @bzxHQ being declined.
7 out of 8 members voted No, with over 76,000 NXM being staked in the process (over $300,000 worth of stake).
The claimant can resubmit a claim one more time if they wish. https://t.co/ffAvyKZlt0
— Nexus Mutual 🐢 (@NexusMutual) February 16, 2020
As well as temporarily taking Fulcrum down for maintenance, Bzx deployed a contract upgrade they said would make their system more robust against similar attacks and stated that they would cover the attacker’s loan repayment by streaming “interest and exit liquidity to existing iETH holders” from the 600k of WBTC left behind. Amid the post-mortem of the attack, insurance for DeFi lending has experienced a serious uptick, with hundreds of thousands of dollars’ worth of cover taken out across protocols such as Maker, Compound, Dydx and Bzx.
How Decentralized Is Decentralized?
Perhaps the most relevant question to emerge from this fiasco was posed by Twitter user @SupraBo_ in response to Bzx’s update on the transaction: “Decentralized finance is so efficiently decentralized that it can be paused.”
The bZx attack occurs regularly in traditional markets in the form of derivative manipulation, which tends to result in harsh regulatory punishments.
The real conundrum with DeFi is not flash loans or oracles, but that "attackers" merely play a permissionless game by the rules.
— Qiao Wang (@QWQiao) February 16, 2020
Another tweet suggested the attack exposed the wider danger posed to the Ethereum network of fast-growing finance initiatives: “DeFi = how to increase systemic risk on Ethereum.” Litecoin creator Charlie Lee, meanwhile, sounded off by calling defi “the worst of both worlds,” noting that it “can be shut down by a centralized party, so it’s just decentralization theatre. And yet no one can undo a hack or exploit unless we add more centralization. So how is this better than what we have now?” Research by Chris Blec, who bills himself as “defi’s best friend and toughest critic,” has shown that most defi protocols have an admin key that can override the system in emergencies.
While it is easy to see why faith in defi has been knocked by this ingenious heist of sorts, another perspective is that the event represents a bump in the road for the movement, which remains at an early, experimental stage despite over $1 billion worth of value being locked in, mostly in lending solutions. The exposure of vulnerabilities, and consequent beefing up of procedures, is necessary for maturation of an industry in which innovation continues to play out.
What are your thoughts on the Bzx exploit? Do you think defi protocols are truly decentralized? Let us know in the comments section below.
Images courtesy of Shutterstock.
Did you know you can verify any unconfirmed Bitcoin transaction with our Bitcoin Block Explorer tool? Simply complete a Bitcoin address search to view it on the blockchain. Plus, visit our Bitcoin Charts to see what’s happening in the industry.