A number of services on tokenized margin trading and lending platform bZx--the seventh-largest DeFi platform on the Ethereum network by Total Value Locked (TVL)--were temporarily frozen this weekend after a user was reportedly able to exploit "flash lending" on the company's Fulcrum platform to the tune of an estimated $350,000, roughly 2 percent of the platform's assets under management.
https://twitter.com/bzxHQ/status/1228555300971655168
However, the bZx team, which was presenting at ETHDenver at the time of the attack, says that although an exploit did take place, it has not yet been able to determine exactly how much was taken.
Indeed, "due to the complexity of the transaction, providing a comprehensive accounting of the losses will require additional time," a tweet from the company's unverified Twitter account explained. A more detailed report from the company is expected today at 17.00 MST.
https://twitter.com/bzxHQ/status/1229207510273282048
TrustNodes reported that "bZx is to diversify its price sources through Chainlink, an ostensibly decentralized oracle feed" in order to prevent further exploitations from taking place.
"We have been chatting with the team yesterday. Tom and Kyle (founders) met Sergey several times before. We will integrate ChainLink," a representative from bZx told the publication.
The company was also quick to point out that the exploitation did not affect any other users on the platform: "No lender will be affected by the attack," bZx tweeted.
5/ We will be issuing a more detailed post-mortem as soon as possible. Right now, we wanted to simply reassure users that the funds are in fact safe. No lender will be affected by the attack. Lastly, we apologize to our traders who have come to depend on our consistent up-time.
— bZx (@bzxHQ) February 15, 2020
Another tweet by the platform explained that "from the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other."
https://twitter.com/bzxHQ/status/1228787125740437504?ref_src=twsrc%5Etfw
Still, bZx acknowledged on Saturday that "right now there has been a panic and a run on the iETH [token] supply based on the idea that there are losses," adding that "as long as we stand by this borrower and ensure that they continue to pay interest, the pool is healthy and will continue to be so."
4/ Right now there has been a panic and a run on the iETH supply based on the idea that there are losses. However, as long as we stand by this borrower and ensure that they continue to pay interest, the pool is healthy and will continue to be so.
— bZx (@bzxHQ) February 15, 2020
However, the "run" appears to have been short-lived: after falling from $0.035 to $0.032 on the day of the attack, the value of iETH tokens had recovered to $0.033 by press time.
What happened?
"Flash loans," as TrustNodes describes them, are a code-based lending operation that lets traders borrow and return funds over very short periods of time. More precisely, a flash loan is an uncollateralized loan that is borrowed and repaid within a single Ethereum transaction; if the full amount is not returned by the end of that transaction, the entire transaction reverts, so the lender cannot lose the principal and the borrower needs no capital of their own. According to Tim Ogilvie, chief executive of Staked (which bZx has a working relationship with), the exploit is essentially an expensive bug bounty for bZx.
Ogilvie explained to CoinDesk that the attacker borrowed 10,000 ETH ($2.67 million) in a flash loan, then split the borrowed funds, sending 5,000 ETH to DeFi lending protocol Compound and the other half to bZx. After making these deposits, the attacker shorted Wrapped Bitcoin (WBTC), an ERC20 token backed 1:1 by Bitcoin, on bZx. Shortly afterwards, the attacker borrowed 112 WBTC (worth about $1.1 million) on Compound and sold the borrowed WBTC on Uniswap, a third DeFi market, Ogilvie said.
Ogilvie also said that the exploitation was possible in part because bZx uses UniSwap's price feed for WBTC, though the company has denied this on Twitter: "this was not a simple Uniswap attack, and we do not use Uniswap as an oracle," a post from the company's unverified Twitter account reads.
1/ Due to the complexity of the transaction, providing a comprehensive accounting of the losses will require additional time. This was not a simple Uniswap attack, and we do not use Uniswap as an oracle.
— bZx (@bzxHQ) February 15, 2020
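To make the mechanism Ogilvie describes concrete, here is an added simulation, written for this article and not code from bZx, Fulcrum, Uniswap or Compound. It models a constant-product pool of the kind Uniswap runs and a toy lending market that values WBTC collateral either by reading the pool's spot price inside the same transaction or from a fixed external feed. The pool reserves, the 75 percent loan-to-value rule, the market's ETH liquidity and the 38 ETH/WBTC reference price are all assumptions chosen to show the mechanism, not figures from the incident.

```python
"""Added simulation of a flash-loan oracle manipulation (not bZx, Fulcrum,
Uniswap or Compound code). Pool reserves, the 75 percent loan-to-value rule,
the market's ETH liquidity and the 38 ETH/WBTC reference price are all
assumptions chosen to show the mechanism, not figures from the incident."""
import copy
from dataclasses import dataclass
from typing import Callable

FAIR_PRICE = 38.0                 # assumed external reference price, ETH per WBTC
INITIAL_POOL_WBTC = 100.0         # assumed pool reserves
INITIAL_POOL_ETH = 3_800.0        # 3,800 / 100 = 38 ETH/WBTC, matching FAIR_PRICE
INITIAL_MARKET_ETH = 20_000.0     # assumed ETH available to borrow in the market


class Revert(Exception):
    """Any failed step aborts the whole transaction and all of its state changes."""


@dataclass
class ConstantProductPool:
    """Uniswap-v1-style pool: reserve_wbtc * reserve_eth is constant (fee ignored)."""
    reserve_wbtc: float
    reserve_eth: float

    def spot_price(self) -> float:
        """ETH per WBTC as the pool quotes it right now."""
        return self.reserve_eth / self.reserve_wbtc

    def buy_wbtc(self, eth_in: float) -> float:
        """Swap ETH for WBTC and return the WBTC received. A trade that is
        large relative to the reserves moves the spot price a long way."""
        k = self.reserve_wbtc * self.reserve_eth
        self.reserve_eth += eth_in
        new_wbtc = k / self.reserve_eth
        out = self.reserve_wbtc - new_wbtc
        self.reserve_wbtc = new_wbtc
        return out


@dataclass
class LendingMarket:
    """Toy market that lends ETH against WBTC collateral, valuing the
    collateral with whatever price function it was configured with."""
    price_fn: Callable[[], float]
    ltv: float = 0.75
    eth_liquidity: float = INITIAL_MARKET_ETH

    def borrow_eth(self, wbtc_collateral: float) -> float:
        loan = wbtc_collateral * self.price_fn() * self.ltv
        if loan > self.eth_liquidity:
            raise Revert("market cannot fund the loan")
        self.eth_liquidity -= loan
        return loan


def flash_loan_attack(pool, market, loan_eth=10_000.0, swap_eth=5_000.0):
    """One atomic transaction: borrow, move the price, borrow against the
    inflated collateral, repay. Returns the attacker's ETH profit or raises
    Revert, in which case nothing the transaction did may persist."""
    eth = loan_eth                        # 1. flash-borrow with no collateral
    wbtc = pool.buy_wbtc(swap_eth)        # 2. push the pool's spot price up
    eth -= swap_eth
    eth += market.borrow_eth(wbtc)        # 3. market prices WBTC with its oracle
    if eth < loan_eth:                    # 4. repay in full or the tx reverts
        raise Revert("cannot repay flash loan")
    return eth - loan_eth


def simulate(oracle: str):
    """oracle is 'spot' (market reads the pool inside the transaction) or
    'external' (market uses the fixed reference price).
    Returns (attacker profit in ETH or None if reverted, bad debt in ETH)."""
    pool = ConstantProductPool(INITIAL_POOL_WBTC, INITIAL_POOL_ETH)
    price_fn = pool.spot_price if oracle == "spot" else (lambda: FAIR_PRICE)
    market = LendingMarket(price_fn=price_fn)
    snapshot = copy.deepcopy((pool, market))   # one copy keeps the pair linked
    try:
        profit = flash_loan_attack(pool, market)
    except Revert:
        pool, market = snapshot                # roll back, as the EVM does
        profit = None
    lent = INITIAL_MARKET_ETH - market.eth_liquidity
    collateral = INITIAL_POOL_WBTC - pool.reserve_wbtc   # WBTC the attacker posted
    bad_debt = max(0.0, lent - collateral * FAIR_PRICE)
    return profit, bad_debt


if __name__ == "__main__":
    for kind in ("spot", "external"):
        print(kind, simulate(kind))
```

With the market reading the pool's spot price, the attacker's 5,000 ETH swap moves the quoted price from 38 to roughly 204 ETH per WBTC, the market lends about 8,684 ETH against collateral worth about 2,159 ETH at the reference price, and the attacker repays the flash loan and keeps about 3,684 ETH, leaving the lenders with the shortfall. With the external price the same sequence cannot repay the loan at step 4, so it reverts and the attacker is out only the gas. A single external feed is itself a point of trust, which is why diversifying price sources, as bZx says it intends to do, matters more than simply swapping one oracle for another.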
bZx deployed a contract upgrade over the weekend intended to prevent a repeat: "We have deployed a contract upgrade that we believe will make our system more robust against these type of actions in the future," the company tweeted.
Long-term effects?
The longer-term effects on the platform will become clear in the coming months. In early February, bZx reported that January was "the most explosive month of growth that Fulcrum has ever seen."
"Our volumes are up 350%, hitting 9.6MM USD trading volume in a single month," the platform tweeted.
https://twitter.com/bzxHQ/status/1224434188427726850