bZx – the decentralized lending protocol – has been attacked, resulting in the loss of “a portion of ETH” locked in the protocol.

Kyle Kistner, bZx co-founder, released the news via the Telegram channel early Saturday morning. While specific details surrounding the attack are still under review, the bZx team has temporarily taken down its Fulcrum trading platform until the issue is resolved.

bZx currently ranks 8th on DeFi Pulse by total value locked (TVL), holding $13.3M immediately following the attack.

The bZx/Fulcrum team is still consulting with relevant security researchers to better understand the attack. DeFi users can expect a post-mortem from the team published within the coming days following a deep-review of the exploitation.

While the DeFi community is still waiting for confirmed figures on the amount lost, estimates put it at around $350k. There has been some speculation that the attack did not exploit a specific bug in the contract but instead involved complex market manipulation across a number of protocols, including dYdX, Compound, Uniswap, and Fulcrum.

The danger of attacking DeFi cannot be underestimated. Fulcrum @bzxHQ protocol has been under attack today. https://t.co/t9xx1JE3VH — Alex (@dsearch3r) February 15, 2020

If the $350k estimates are correct, then the DeFi community should feel relieved as the low six-figure hack is relatively small compared to the $1.2B in total value locked.

What Happened?

In the case of bZx, rather than directly exploiting a bug in the contract itself, the attacker seems to have leveraged the growing complexity of interactions across multiple DeFi protocols to manipulate the system. Because these protocols are openly accessible and can all interact with one another, an attacker can chain otherwise-legitimate operations across several of them to their own benefit.

As outlined in an op-ed piece “The Inevitable DeFi Hack”, a DAO-like black swan event where a significant portion of the value locked is compromised from a malicious attack should largely be considered inevitable in the future. Simply put – as the amount of value locked in DeFi contracts increases, so does the incentive to steal it.

Unfortunately, with the explosive growth in DeFi and total value locked, we can only assume that this is the first of many to come.

Protections for DeFi Users

The recent attack on bZx highlights the growing importance of insurance. With new insurance providers entering the space, like Opyn, along with existing players like Nexus Mutual, there’s a growing opportunity for DeFi users to protect themselves from these types of situations.

While Opyn only covers Compound deposits, the Nexus Mutual team forewarned members holding cover on bZx to hold off on making any claims until all details surrounding the attack are released and confirmed by the team. It is important to note that Nexus Mutual only covers technical risks (e.g. bugs) and not other DeFi protocol risks such as external risk (e.g. admin theft) and financial risk (e.g. peg breaks).

If the theories are correct, this type of exploit may fall under the second or third category rather than being a technical risk. As such, it is unlikely that Nexus Mutual will cover the lost capital if it’s anything but a technical attack.

More details to come!

Update – Funds are Safu

The bZx team released an official tweet thread covering some of the implications of the hack. In short, there was no smart contract bug; the exploit was instead a long string of complex arbitrage opportunities across a multitude of DeFi protocols, resulting in the attacker netting a profit of $350k.

The aftermath of the exploit left behind roughly $600k worth of wBTC collateral posted by the attacker. With that, bZx is exercising its admin key to stream the leftover wBTC to existing iETH holders as compensation for any losses from the hack.

For a full understanding of the exploit, bZx will release a detailed post-mortem as soon as possible. For now, feel free to review the tweet thread released by bZx earlier today.

Funds are SAFU: 1/*All users have ZERO losses*. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other. — bZx (@bzxHQ) February 15, 2020