bZx Hack During ETHDenver Reveals Experimental Nature of DeFi

bZx, a decentralized finance (DeFi) project, lost $350,000 (around 2% of the assets under management) in a hack, as an attacker successfully tricked multiple DeFi protocols.

In response, the company suspended its lending and trading protocol Fulcrum at 7:00 UTC. The company was presenting at ETHDenver when the hack occurred. The attacker exploited the company’s pricing oracle to force the protocol into paying out the funds. Sources state that bZx did not depend on only one oracle for pricing.

The company later tweeted that it would compensate lenders for all potential losses.

Sergey Nazarov, Chainlink CEO, stated that this attack may be a result of a persistent issue in DeFi: how to source price information.

The attack was even more significant, as the team had to deal with it during the Ethereum community ETHDenver hackathon, which is largely dedicated to DeFi.

Nazarov noted that sourcing price data from a single oracle (a service that aggregates price information and publishes it on-chain) remains a problem that DeFi teams are still trying to work out, although he stated that its relation to this incident still needs confirmation.

“You can’t rely on [only] one oracle connected with an exchange API,” Nazarov maintained.

Tim Ogilvie, CEO of Staked, which has a working relationship with bZx, explained that the loss is tantamount to an expensive bug bounty and stressed the novelty of flash loans, a new DeFi feature that allows traders to borrow and return funds within short windows, which the hacker exploited for the attack.

Ogilvie detailed that the attacker borrowed 10,000 ETH, worth around $2.67 million, in a flash loan.

The attacker then split the borrowed funds, sending 5,000 ETH to the DeFi protocol Compound and the other half to bZx. After that, the attacker shorted wrapped Bitcoin (WBTC) on bZx, quickly followed by borrowing 112 WBTC on Compound, worth about $1.1 million, and selling the borrowed WBTC on Uniswap, another DeFi market, explained Ogilvie.

He also said that bZx uses Uniswap’s price feed for WBTC, which the company denied. When the attacker sold $1.1 million worth of WBTC on Uniswap, their bZx short became extremely profitable, according to Ogilvie.
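To make the mechanism Ogilvie describes, and Nazarov’s point about single oracles, concrete, here is a small simulation added for this article; it is not code from bZx, Uniswap, Compound or Chainlink. It models a constant-product (x·y = k) pool with constructed reserves and shows how one large sale moves the pool’s spot price within a single block, then a defensive `robust_price` check that takes the median of several independent sources and flags any source that deviates from that median by more than a threshold. The reserve sizes, the 5% threshold and the source names are assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass
class ConstantProductPool:
    """Toy x*y=k automated market maker, a constructed stand-in for a DEX pool.

    Reserves are hypothetical; swap fees are ignored to keep the arithmetic simple.
    """
    reserve_wbtc: float
    reserve_eth: float

    def spot_price(self) -> float:
        """ETH per WBTC as implied by the current reserves."""
        return self.reserve_eth / self.reserve_wbtc

    def sell_wbtc(self, amount_in: float) -> float:
        """Sell WBTC into the pool; returns the ETH received and updates the reserves."""
        k = self.reserve_wbtc * self.reserve_eth
        new_wbtc = self.reserve_wbtc + amount_in
        new_eth = k / new_wbtc
        eth_out = self.reserve_eth - new_eth
        self.reserve_wbtc, self.reserve_eth = new_wbtc, new_eth
        return eth_out


def simulate_large_sale(reserve_wbtc: float, reserve_eth: float,
                        amount_in: float) -> Tuple[float, float]:
    """Spot price before and after a single large sale against the pool."""
    pool = ConstantProductPool(reserve_wbtc, reserve_eth)
    before = pool.spot_price()
    pool.sell_wbtc(amount_in)
    return before, pool.spot_price()


def robust_price(sources: Dict[str, float], max_deviation: float) -> Tuple[float, List[str]]:
    """Aggregate several independent price sources.

    Returns the median price and the names of sources whose value deviates
    from that median by more than max_deviation (a fraction, 0.05 = 5%).
    A single distorted DEX spot price cannot move the median of three
    sources, and it is reported so the protocol can refuse to act on it.
    """
    ref = median(sources.values())
    flagged = [name for name, price in sources.items()
               if abs(price - ref) / ref > max_deviation]
    return ref, flagged


if __name__ == "__main__":
    # Constructed pool: 100 WBTC against 3,800 ETH, i.e. 38 ETH per WBTC.
    before, after = simulate_large_sale(100.0, 3800.0, 112.0)
    print(f"spot before: {before:.2f} ETH/WBTC, after selling 112 WBTC: {after:.2f}")
    # Constructed feeds: the distorted pool spot beside two unaffected venues.
    ref, flagged = robust_price({"dex_spot": after, "venue_a": 37.9, "venue_b": 38.1}, 0.05)
    print(f"median reference: {ref}, rejected sources: {flagged}")
```

With these constructed reserves the pool’s spot price drops to well under a quarter of its starting value after a single 112 WBTC sale, while the median of three sources stays at the unaffected venues’ level and the pool feed is the one reported as an outlier. A protocol that pauses or rejects actions when a source is flagged, rather than taking one DEX spot price at face value, is the kind of check Nazarov’s remark points to.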

“The question for DeFi is what’s safe? How do you create a safe and secure set of [price] oracles that actually do things? People use different approaches and you can choose the wrong way,” Ogilvie noted. He then maintained:

“There are big risks. It’s a new category, it’s moving fast and that means some things are going to break.”

According to DeFi Pulse, 16% of the funds locked in bZx were withdrawn from the protocol on February 16.