
Messari Daily Brief: BleedFi

Feb 18, 2020 ⋅  4 min read

From this morning's daily newsletter.

-------

One of the more obvious predictions I made in my 2020 theses was that you’d see more big blow-ups in DeFi applications. Perhaps there will even be an event that proves to be a borderline existential crisis for DeFi…some attack on a major protocol that resets expectations surrounding the sector, much like “The DAO” reset expectations around the viability of smart contract-powered funding pools back in 2016.

The most recent exploit comes from DeFi upstart bZx, which has now been hit not once, but twice in separate attacks (arbitrage plays?) that feed off of DeFi’s illiquidity and immature oracle infrastructure.

The Ethereum-based lending and trading platform had been rocketing up the DeFi Pulse rankings for the past several weeks until this weekend, when a hacker was able to make $300k in profits from a design vulnerability.

The bZx hacker cleverly highlighted the limitations of building high-stakes applications today out of “money legos.” The number of protocols employed to pull off the hack makes it feel almost performative.

As the bZx team explained:

1) The attacker borrowed 10,000 ETH in a flash loan from margin trading protocol dYdX (#6 on DeFi Pulse)
2) He then sent 5500 ETH to money market protocol Compound (#2) to collateralize a loan of 112 wrapped BTC, a synthetic ERC-20 token backed 1:1 by bitcoin (wBTC #11)
3) He then sent 1300 ETH to bZx Fulcrum’s (#13) "pToken sETHBTC5x", a contract that opened a 5x short position against the ETH:wBTC ratio.
4) 5637 ETH was then automatically borrowed and swapped to 51 WBTC through decentralized exchange protocol Kyber’s (#13) reserve on automated market maker Uniswap (#5); the large slippage was possible because of the reserve’s illiquidity
5) The attacker swapped 112 wBTC borrowed from Compound to 6871 ETH on Uniswap, resulting in 1200 ETH arbitrage
6) He repaid the flash loan of 10,000 ETH from dYdX.

If that sounds complex, the tl;dr is: Bam! $300k in profit. Plus a lesson in illiquid market arbitrage where “code is law.” Happy Valentine’s Day!

bZx paused the protocol as soon as it became aware of the initial exploit, and resumed trading after posting its synopsis last night declaring that “funds are SAFU.”

But then the protocol was attacked again! Different vector, 2x the resulting exploit! Happy Presidents Day!

For the double tap, the hacker was able to conduct an “oracle manipulation” attack, according to bZx co-founder Kyle Kistner. The maneuver netted the hacker 2388 additional ETH, or nearly $645,000, and prompted calls for the bZx team to cease operations until they could properly audit their mechanism designs.

How about this for modern crypto art:

This time, an attacker took out a 7500 ETH flash loan, bought 3500+ ETH worth of sUSD on Synthetix (#3) and deposited it as collateral on bZx, then used a further 900 ETH to buy sUSD on Kyber and Uniswap, pushing the dollar-pegged stablecoin’s price on those thin markets to $2. He then took out a collateralized loan on bZx, which valued his sUSD at the inflated Uniswap price, repaid the original flash loan, and drained the bZx ETH pool in the process.

This is the downside of a smart contract pricing collateral from a single, illiquid on-chain market: whoever can move that market within one transaction also sets the price the contract believes. It would seem to be a net positive for a decentralized oracle protocol like ChainLink, which bZx co-founders did indeed say they would integrate on an accelerated time frame. That is, if any trust in the protocol remains.
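As an added illustration (this is not code from the original post or from bZx, and every figure in it is made up), the following Python model captures the two mechanics described above: the price impact of one large swap on a thin constant-product pool, which is the slippage behind step 4 of the first attack, and a lender that values collateral at that pool’s spot price, which is the oracle manipulation in the second. The pool sizes, the flash-loan amount, the 0.75 loan-to-value ratio and the 5% deviation threshold are assumptions for the toy model; the invariant x·y = k is the Uniswap v1/v2 curve.

```python
"""
Toy model of the two failure modes in the bZx write-ups: price impact of a
large swap on a thin constant-product pool (x * y = k, the Uniswap v1/v2
curve) and a lender that reads collateral value from that pool's spot price.
Every number here is constructed for illustration, not an on-chain figure.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass
class ConstantProductPool:
    """ETH/token pool; every swap preserves eth * token = k (fees ignored)."""
    eth: float
    token: float

    def spot(self) -> float:
        """Marginal price of one token in ETH: the value a naive oracle reads."""
        return self.eth / self.token

    def swap_eth_for_token(self, eth_in: float) -> float:
        k = self.eth * self.token
        self.eth += eth_in
        token_out = self.token - k / self.eth
        self.token -= token_out
        return token_out


def price_impact(pool: ConstantProductPool, eth_in: float) -> tuple[float, float, float]:
    """(spot before, average execution price, spot after) for one large swap,
    computed on a copy of the pool. The gap between the first two is the
    slippage the swapper eats; the gap to the third is what an oracle reads."""
    p = replace(pool)
    before = p.spot()
    token_out = p.swap_eth_for_token(eth_in)
    return before, eth_in / token_out, p.spot()


LTV = 0.75  # hypothetical loan-to-value ratio of the toy lender


def max_borrow_eth(collateral_token: float, token_price_eth: float) -> float:
    """ETH the lender hands out against the collateral at the given price."""
    return collateral_token * token_price_eth * LTV


def guarded_price(spot: float, reference: float, max_deviation: float = 0.05) -> float:
    """Hardened oracle read: fall back to an independent reference (a second
    venue, a decentralized oracle, or a TWAP) when the pool spot has drifted
    beyond max_deviation. The reference must not be movable in the same tx."""
    if abs(spot - reference) / reference > max_deviation:
        return reference
    return spot


def twap(block_prices: list[float]) -> float:
    """Time-weighted average of one spot sample per block: a single-block
    spike barely moves it, which is why cumulative-price oracles resist this."""
    return sum(block_prices) / len(block_prices)


def simulate_attack(pool: ConstantProductPool, flash_loan_eth: float,
                    fair_token_eth: float, fair_tokens_bought: float,
                    hardened: bool) -> dict:
    """One flash-loan round trip, all inside a single transaction:
    1. buy fair_tokens_bought tokens at the fair price on a deep venue,
    2. dump flash_loan_eth into the thin pool, inflating its spot price,
    3. post every token as collateral and borrow at the lender's oracle price,
    4. compare the ETH borrowed with the ETH the attacker spent.
    Returns the oracle price used, the loan, attacker profit and lender bad debt."""
    p = replace(pool)
    pool_tokens = p.swap_eth_for_token(flash_loan_eth)
    collateral = fair_tokens_bought + pool_tokens
    cost = flash_loan_eth + fair_tokens_bought * fair_token_eth
    oracle = guarded_price(p.spot(), fair_token_eth) if hardened else p.spot()
    borrowed = max_borrow_eth(collateral, oracle)
    true_value = collateral * fair_token_eth
    return {
        "oracle_price": oracle,
        "borrowed_eth": borrowed,
        "attacker_profit_eth": borrowed - cost,
        "lender_bad_debt_eth": max(0.0, borrowed - true_value),
    }


if __name__ == "__main__":
    # Constructed pool: 1000 ETH vs 250,000 tokens, i.e. 0.004 ETH per token.
    thin = ConstantProductPool(eth=1000.0, token=250_000.0)
    print("impact of a 500 ETH swap:", price_impact(thin, 500.0))
    for hardened in (False, True):
        print("hardened" if hardened else "naive   ",
              simulate_attack(thin, 500.0, 0.004, 100_000.0, hardened))
    print("twap with one spiked block:", twap([0.004] * 100 + [0.009]))
```

Running the file prints the naive outcome, in which the lender advances more ETH than the collateral is actually worth and the attacker walks away with the difference, beside the guarded one, in which the read falls back to the reference and the same round trip loses money. The deviation check only works if the reference cannot be moved inside the same transaction; a time-weighted average or an off-chain-aggregated feed provides that, and twap() shows why a one-block spike hardly registers.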

The crazy thing is that you probably could have seen this second punch coming...more or less immediately, as bZx’s AUM jumped nearly 50% to $20mm after the protocol came back online. (Its ETH pool has halved to $6mm.) You’d probably only expect malicious actors to pile into a protocol immediately after such a serious exploit. And that’s exactly what happened.

At first blush, this isn’t a good look for DeFi. But I’m of the opinion that these sorts of attacks are healthy for the emerging ecosystem, and it might be better to allow - or even encourage - “arbitrage games” like the ones on bZx in order to make the systems more resilient before they get bigger and exploits become more damaging.

Better to have controlled burns than existential forest fires. A necessary evil in the internet of money.

-TBI

Prior to founding Messari, Ryan was an entrepreneur-in-residence at ConsenSys, and on the founding teams of Digital Currency Group, where he managed the firm’s seed investing activity, and CoinDesk, where he led the company’s restructuring & annual Consensus conferences. He has been an investor & prolific writer in the crypto industry since 2013.
