Earlier today, reports emerged that bZx, the eighth largest DeFi protocol by Total Value Locked (TVL), was compromised and that a significant amount of the Ethereum (ETH) it held was lost. Fulcrum, the trading platform powered by the bZx protocol, was frozen for further activity (except for lending and unlending), and the team announced that they are investigating the matter.
However, it is important to note that while the protocol was exploited, it wasn’t “hacked” or “compromised” in any other way. The smart contract code (Fulcrum Perpetual Short ETH-WBTC) functioned as intended; what took place was a “well thought out manipulation”. The price of WBTC was manipulated, using loans given by the platform, to profit later from a short position.
0/ The DeFi Score team @ConsenSysCodefi is tracking the recent @bzxHQ vulnerability. Details are still emerging, but it looks like it wasn’t a smart contract hack, but a manipulation of the @UniswapExchange market that bZX uses as an oracle. https://t.co/1LRp3xfuK6— Jordan Lyall – @ ETHDenver (@JordanLyall) February 15, 2020
What’s The bZx Protocol?
Launched in 2018 on the Ethereum blockchain, bZx Protocol is a Decentralized Finance (DeFi) product that allows users to lend and trade using margin and leverage. It is trustless and permissionless in nature. The protocol supports ETH, DAI, USDC, KNC, LINK, REP, WBTC and ZRX. Its native governance token is BZRX.
What Actually Happened On bZx?
The following information has been taken from the bZx Discord. The rogue actor first took out a 10,000 ETH ($2.7M) flash loan from dYdX (another DeFi protocol). The actor then invested 5,000 ETH in Compound (DeFi) and 5,000 ETH in bZx, before proceeding to borrow 112 WBTC from Compound, which was then used to short WBTC on bZx with 50/50 of the initially borrowed 10,000 ETH. Next, the rogue actor dumped 112 BTC on Kyber Uniswap to push down the price and profit from the short position. Finally, the actor paid back the original loan of 10,000 ETH to dYdX (the original contract is reported to have 1M ETH in Compound and 650K WBTC debt).
From bzx discord pic.twitter.com/D0BBPJHQtr— Kalpesh from cryptostoic.com (@KalpeshEm) February 15, 2020
The rogue actor was earlier reported to have made a profit of 350K USD; however, the bZx team reported that the actual loss cannot be determined at this time because of the complexity of the transaction and the manipulation vector.
1/ Due to the complexity of the transaction, providing a comprehensive accounting of the losses will require additional time. This was not a simple Uniswap attack, and we do not use Uniswap as an oracle.— bZx (@bzxHQ) February 15, 2020
All Funds Are Safe, No Lender Affected
The bZx team announced that they are working on a fix (a contract upgrade) after the exploit and will deploy it soon to secure the protocol against such attacks in the future. The Fulcrum network will be back online soon.
6/ We are adding additional measures to ensure that this does not happen again, which will be documented in the post-mortem. Fulcrum will be coming back online 10:30pm MST. Thank you for your patience and your support. It means so much to us.— bZx (@bzxHQ) February 15, 2020
It was also reported that all users have zero losses, since, from the perspective of the protocol, someone took out a loan, which is like any other. There is currently 600K WBTC left as collateral by the rogue actor, which the bZx team will use to stream interest and provide exit liquidity to existing iETH holders.
Funds are SAFU:
1/*All users have ZERO losses*. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other.— bZx (@bzxHQ) February 15, 2020
The bZx protocol’s official Twitter account further announced that no lender will be affected by the attack: as long as the borrowing is permanent and the borrower keeps paying interest (it is currently paying lenders a high rate), the lending pool will remain healthy.
2/ The liquidity conditions for ETH lenders is exactly the same as for any other pool. The loan pays interest just like any other loan. In fact, it is currently paying lenders a very high interest rate. As long as it is a permanent borrower, it is a great boon to lenders.— bZx (@bzxHQ) February 15, 2020