Exploit During ETHDenver Reveals Experimental Nature of Decentralized Finance

A $350,000 hack casts light on the problem of depending on single price oracles.

Updated Sep 13, 2021, 12:18 p.m. Published Feb 15, 2020, 9:00 p.m.
AFTER THE HACK: DeFi protocol bZx's booth sits empty at ETHDenver. (Photo by John Biggs for CoinDesk)

DENVER – Decentralized finance (DeFi) project bZx has suffered an attack in which a hacker successfully gamed multiple DeFi protocols to extract $350,000 from the platform, about 2 percent of the assets under management.

In response, the company took down its lending and trading protocol Fulcrum at 7:00 UTC. The company was presenting at ETHDenver during the hack. The hackers took advantage of the company's pricing oracle to trick the protocol into giving up the cash. bZx depended on only one oracle for pricing, according to sources.

The firm, which has yet to reappear at ETHDenver, later confirmed in a tweet that it will compensate lenders for potential losses.

The attack could be symptomatic of a continuing issue in DeFi, said Chainlink CEO Sergey Nazarov at the event: how to source price information.

The attack was even more notable because of its timing, as the team had to deal with the hack during the ethereum community’s ETHDenver hackathon, which largely focuses on DeFi.

bZx stickers at ETHDenver. (Photo by John Biggs for CoinDesk)

Nazarov said sourcing price data from one oracle – oracles are services that collect and issue on-chain price information – remains problematic and is one that DeFi teams are still working out, although its relation to this issue has yet to be firmly established, he added.

“You can’t rely on [only] one oracle connected with an exchange API,” Nazarov said.

Staked CEO Tim Ogilvie, whose firm has a working relationship with bZx, said the loss amounts to an expensive bug bounty and highlights the novelty of flash loans, a new DeFi feature that allows traders to borrow and return funds in short windows, which the hacker leveraged for the attack.

According to Ogilvie, the attacker borrowed 10,000 ETH, worth approximately $2.67 million, in a flash loan.

The attacker then split the borrowed funds, sending 5,000 ETH to DeFi protocol Compound and the other half to bZx. After the deposits, the attacker shorted wrapped bitcoin (WBTC) on bZx, quickly followed by borrowing 112 WBTC on Compound, worth about $1.1 million, and selling the borrowed WBTC on UniSwap, another DeFi market, said Ogilvie.

Ogilvie said that bZx uses UniSwap’s price feed for WBTC, a claim the firm denied on Twitter. When the attacker dropped the $1.1 million worth of WBTC on UniSwap, the bZx short became extremely profitable, said Ogilvie.
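The single-oracle problem Nazarov describes can be shown with a short model, added here as an illustration and not taken from the article, bZx or any protocol's code: one thin constant-product pool's quote collapses after a 112 WBTC sale, while a median over several independent feeds flags that pool as an outlier. The pool reserves, feed names, quotes and the 5 percent threshold are constructed assumptions; only the 112 WBTC figure comes from the article.

```python
from statistics import median

def pool_spot_price(eth_reserve, wbtc_reserve):
    """ETH per WBTC quoted by a constant-product (x * y = k) pool."""
    return eth_reserve / wbtc_reserve

def sell_wbtc(eth_reserve, wbtc_reserve, wbtc_in):
    """Pool reserves after wbtc_in is sold into it (trading fee ignored)."""
    k = eth_reserve * wbtc_reserve
    new_wbtc = wbtc_reserve + wbtc_in
    return k / new_wbtc, new_wbtc

def aggregate_price(quotes, max_deviation=0.05, min_sources=3):
    """Return (median price, outlier source names).

    Refuses to price when there are too few feeds or when half or more
    of them disagree with the median by more than max_deviation.
    """
    if len(quotes) < min_sources:
        raise ValueError("not enough independent price sources")
    mid = median(quotes.values())
    outliers = sorted(n for n, p in quotes.items()
                      if abs(p - mid) / mid > max_deviation)
    if 2 * len(outliers) >= len(quotes):
        raise ValueError("price sources disagree; refusing to price")
    return mid, outliers

if __name__ == "__main__":
    # Constructed reserves for a thin pool; only the 112 WBTC sale size
    # comes from the article.
    eth, wbtc = 3000.0, 80.0
    before = pool_spot_price(eth, wbtc)
    eth, wbtc = sell_wbtc(eth, wbtc, 112.0)
    after = pool_spot_price(eth, wbtc)
    print(f"single-pool price: {before:.2f} -> {after:.2f} ETH/WBTC")
    # Constructed quotes from two other, unaffected feeds (hypothetical names).
    quotes = {"thin_pool": after, "feed_b": 37.4, "feed_c": 37.6}
    print(aggregate_price(quotes))
```

A median only helps when the feeds are independent; several quotes derived from the same on-chain pool move together and would pass this check.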

“The question for DeFi is, what's safe? How do you create a safe and secure set of [price] oracles that actually do things? People use different approaches and you can choose the wrong way,” Ogilvie said.

“There are big risks. It's a new category, it's moving fast and that means some things are going to break,” Ogilvie said.

Total value locked in bZx. (Image via DeFi Pulse)

bZx is the eighth-largest DeFi market according to DeFi Pulse, and 16 percent of the funds locked in the protocol have been withdrawn in the past 24 hours.
