How to Avoid Exploits and Hacks using Proper Decentralization

Everyone has heard about the latest hack, or the exploit, or the arbitrage, or the profit :) done in the Decentralized Finance world. The root cause was a shortage of liquidity on an exchange, combined with using a single source to get prices.

Let me explain the exploit in words simple enough for a five-year-old to understand. You may be a tech wizard, or you may be a finance buff, but not everyone understands both finance and tech, so bear with me while I explain this for the majority. I would not really call this a hack, just as phishing a Gmail password cannot be considered a proper hack.

The hacker, or rather the person who found the exploit, borrowed the money in question, 10 ETH to be specific. He then used 5 ETH as collateral to borrow 112 WBTC, the token that corresponds to BTC. He shorted WBTC on the bZx platform, which is a DeFi platform, then dumped the 112 WBTC on Uniswap, another decentralized platform. Once he had dumped all the WBTC, the price of the coin went downhill fast, and he benefited from the reduced price because he had shorted it on the bZx platform. He made a 353K USD profit and closed all the credits and borrowed money. That is about the gist of it. For more information, check out the announcement made by The Block and the explanations by Kyle Kistner, co-founder of bZx, in bZx's official Telegram group.

The main reason he was able to pull off this exploit was that Fulcrum used Kyber alone for the index price of WBTC, and Kyber relies on Uniswap. WBTC liquidity is shallow, and when it comes to such important matters it would have been better not to list coins with insufficient liquidity; allowing margin trading with such coins is what lets people exploit them. Since then, the bZx company has suspended the Fulcrum trading platform and signed with Chainlink to get a better oracle solution. According to DeFi Pulse, bZx has about 16.6 million USD locked and is the 7th largest platform, and they had about 15 million USD locked during the hack! This means more money is locked in their system now, which is surprising to be honest. This could be because their new oracle provider Chainlink is more trustworthy to some people, or because more people have heard of bZx due to this exploit.
Here is a graph showing the 7-day locked ETH amount; the exploit caused only a small drop:

Almost all top DeFi projects show such increases, and DeFi is the new ICO in the crypto world. With the PoS consensus mechanism of ETH approaching quickly, people with some cryptocurrency under their belt will be able to do almost everything banks were doing, only with all these services decentralized. These exploits are only making the decentralization movement stronger, forcing all companies to use decentralized solutions.

However, after this exploit the same thing happened again, probably by a different person but using the same method. The team then paused the protocol and gave this explanation:

"...without a different oracle you could: Flash loan ⚡️ yourself a large sum of money -> split it up into two lending protocols -> use half to exhaust the liquidity of every Kyber reserve -> have only Uniswap active as a reserve and slam down the price of Uniswap -> make your trade against the bogus low price -> make a bunch of profit -> pass our collateralization check -> slam the Uniswap price up again with the other token in the trading pair using a loan from a lending protocol."

Now, moving on to the proper solution. In this article I talk about how a CDP platform for DeFi can solve the gateway problem using a decentralized oracle, so that the price feed is harder for any single entity to manipulate. As almost always in the crypto world, the best solution is a decentralized system that uses many sources to arrive at a value. As an example, WaykiChain developed a decentralized oracle. They use delegated proof of stake and Byzantine fault tolerance, similar to EOS and NEO. Their decentralized oracle allows block producers and other nodes that hold a large amount of staked coins to feed prices and other information to the blockchain. This makes multiple sources the source for the blockchain, and the moving median value is adopted as the final value. A quick conversation on Telegram with WaykiChain CTO Richard Chen revealed that he has filed an IP patent for their distributed price oracle mechanism, which is pending publication in China. The bZx DeFi platform Compound was exploited because its oracle, Fulcrum, was centralized and vulnerable, and innovations such as this patent-pending solution are desperately needed.
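The contrast between a single-reserve index price and a median over independent reports, as an added toy model that is not code from bZx, Kyber, Uniswap or WaykiChain: a constant-product pool with constructed reserves shows how a shallow reserve is slammed by a large sale, and a median (and moving median) over several node reports ignores that one reading. All reserves, the 40 ETH/WBTC price and the node reports are constructed sample values.

```python
from collections import deque
from statistics import median


class ConstantProductPool:
    """Uniswap-style x*y=k pool; the spot price is just the reserve ratio."""
    def __init__(self, reserve_wbtc: float, reserve_eth: float) -> None:
        self.wbtc, self.eth = reserve_wbtc, reserve_eth

    def spot_price(self) -> float:
        return self.eth / self.wbtc  # ETH per WBTC

    def sell_wbtc(self, amount: float) -> float:
        """Sell WBTC into the pool (fee ignored); returns the ETH paid out."""
        k = self.wbtc * self.eth
        new_eth = k / (self.wbtc + amount)
        eth_out = self.eth - new_eth
        self.wbtc, self.eth = self.wbtc + amount, new_eth
        return eth_out


def single_source_oracle(pool: ConstantProductPool) -> float:
    """Fulcrum-style index price: whatever the single active reserve says."""
    return pool.spot_price()


def median_oracle(reports: list[float], min_reports: int = 3) -> float:
    """Median of independent node reports; refuses to answer without a quorum."""
    if len(reports) < min_reports:
        raise ValueError("not enough independent price reports")
    return median(reports)


class MovingMedianOracle:
    """Median over the last `window` rounds, so one bad round cannot move the feed."""
    def __init__(self, window: int = 5) -> None:
        self.history = deque(maxlen=window)

    def update(self, reports: list[float]) -> float:
        self.history.append(median_oracle(reports))
        return median(self.history)


def simulate() -> dict:
    honest = 40.0  # constructed "true" ETH/WBTC price (assumption)
    pool = ConstantProductPool(reserve_wbtc=50.0, reserve_eth=50.0 * honest)  # shallow
    pool.sell_wbtc(112.0)  # the sale size described in the write-up
    slammed = single_source_oracle(pool)  # about 3.81 ETH: roughly a 90% drop
    # four honest node reports plus one node that reads the slammed pool
    reports = [honest * 1.002, honest * 0.999, honest, honest * 1.001, slammed]
    return {"honest": honest, "single_source": slammed, "median": median_oracle(reports)}
```

The single-source feed follows the slammed pool straight down, while the median over five reports stays at the honest price; the moving median additionally tolerates a whole round of bad reports.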
