bZx Attack Shows DeFi Has The Same Vulnerabilities as Traditional Finance

Credit: Peckshield

One of the conceits of Decentralized Finance (DeFi) is that it is different from traditional finance. The concept of a finance ecosystem governed by smart contracts, devoid of rent-seeking centralized institutions, is an enticing one.

But two compromising incidents on a decentralized finance protocol last week threw the nascent state of the so-called DeFi ecosystem into sharp relief. They also showed that, shorn of technical buzzwords, the DeFi system is susceptible to the same vulnerabilities as its more traditional counterpart.

What Happened?

bZx is a decentralized finance protocol, a platform for building applications and financial services such as lending and borrowing. Both so-called attacks, as the crypto press has dubbed them, originated on bZx and arbitraged price differences between DeFi protocols. They involved flash loans (loans without collateral) of Ethereum’s cryptocurrency, ETH; token price manipulation, using the loaned ETH as collateral to borrow tokens with thin liquidity on another protocol; and, in one case, a simple technology hack that enabled the attacker to profit from the token’s price differences between DeFi protocols.

In the first attack, which occurred on Valentine’s Day, the hacker manipulated the price of sUSD, a token used at Synthetix, a decentralized asset platform, by shorting it. They made off with 1271 ETH, or approximately $325,376 at today’s ETH rates. The second attack involved shorting wBTC (Wrapped Bitcoin) using Ethereum and depleting its reserves to drive the price higher. The trader is estimated to have made a profit of $355,880 from the short. In both cases, the high token price should have triggered a call for more collateral, but that didn’t happen due to a bug in the smart contract code. You can read a detailed description of the attacks in this Medium post from Peckshield, a blockchain security company.

There’s Nothing to See Here

There has been much hand-wringing over the attacks within the DeFi ecosystem. Some have blamed the “composability” of DeFi. In simple terms, this refers to the interconnected nature of such products, where technology and trades are joined at the hip through smart contracts. However, to call this development a novel concept is disingenuous. Arbitraging away price differences between platforms is a clever, albeit often used, strategy for making money in markets.

The team at bZx has blamed the second attack on oracle manipulation of its price feeds, which resulted in time lags. That is a curious explanation, considering that the concept of blocks in a chain involves tamper-proof timestamps. Post-attack, bZx has announced plans to implement Chainlink oracles to supplement price feeds from the Kyber protocol, a platform that provides liquidity for token swaps on Ethereum. (Interestingly enough, researchers earlier showed that the price of the LINK token used in Chainlink’s network was inflated by a pump-and-dump scheme.)

More Problems Ahead

While the technical problems are solvable, they also draw attention to more basic problems plaguing the crypto ecosystem. For example, low liquidity levels enabled easy price manipulation with a limited amount of ETH.
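An added illustration of the two points above, that thin liquidity lets a small trade move price sharply and that a single pool's spot price makes a poor collateral oracle. This is not code from bZx, Kyber or Peckshield; it assumes a constant-product (x*y=k) pool as a simplification, and the reserve figures, trade sizes and reference prices are constructed.

```python
from statistics import median


def token_price(eth_reserve: float, token_reserve: float) -> float:
    """ETH per token implied by a constant-product pool's reserves."""
    return eth_reserve / token_reserve


def swap_eth_for_token(eth_reserve: float, token_reserve: float, eth_in: float):
    """Fee-less constant-product swap: pay eth_in, receive tokens.
    Returns (tokens_out, new_eth_reserve, new_token_reserve)."""
    k = eth_reserve * token_reserve
    new_eth = eth_reserve + eth_in
    new_token = k / new_eth            # token reserve shrinks, so token price rises
    return token_reserve - new_token, new_eth, new_token


def price_impact(eth_reserve: float, token_reserve: float, eth_in: float) -> float:
    """Relative change in the pool's spot token price caused by one trade.
    With constant product this equals (1 + eth_in/eth_reserve)**2 - 1, so the
    same trade against reserves 100x thinner moves the price ~100x more."""
    before = token_price(eth_reserve, token_reserve)
    _, eth_after, token_after = swap_eth_for_token(eth_reserve, token_reserve, eth_in)
    return (token_price(eth_after, token_after) - before) / before


def price_is_trusted(pool_spot: float, reference_prices: list, max_rel_deviation: float = 0.05) -> bool:
    """Lender-side sanity check: accept a pool's spot price only if it stays within
    max_rel_deviation of the median of independent reference feeds."""
    ref = median(reference_prices)
    return abs(pool_spot - ref) / ref <= max_rel_deviation


def value_collateral(token_amount: float, pool_spot: float, reference_prices: list) -> float:
    """Value collateral in ETH using the reference median, refusing to proceed when
    the pool's spot price looks manipulated (a mitigation, not bZx's actual logic)."""
    if not price_is_trusted(pool_spot, reference_prices):
        raise ValueError("pool spot price deviates from reference feeds; refusing to value collateral")
    return token_amount * median(reference_prices)


if __name__ == "__main__":
    # Constructed pools with the same starting price (10 ETH/token) but 100x different depth.
    for depth, (eth, tok) in {"thin": (100, 10), "deep": (10_000, 1_000)}.items():
        print(f"{depth} pool: 50 ETH trade moves price by {price_impact(eth, tok, 50):.2%}")
    refs = [9.9, 10.0, 10.1]                      # constructed independent feeds
    print("collateral valued at", value_collateral(5, 10.1, refs), "ETH")
```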

The hack also highlights the ever-present tension in a system that is purportedly decentralized. To stem the attack’s repercussions, the bZx protocol team paused trading and borrowing on the platform, affecting activity for all other customers. The decision was a unilateral one, taken without consulting other stakeholders and application owners on the platform. In traditional finance, this would be the equivalent of a brokerage halting all trades and withdrawals due to problems with a single trade. In a post, the bZx team said it was evaluating governance structures to enable collaborative decisions in the future.

There’s also the problem of viable venues to ascertain token price. The SEC has repeatedly drawn attention to this problem in its rejection of Bitcoin ETFs.

As of this writing, CoinMarketCap lists prices for an astounding 5140 cryptocurrencies sourced from 20,682 markets. A majority of these currencies are thinly traded and do not have substantial volumes. Their place within a decentralized ecosystem of smart contracts is, as yet, undefined. Last week’s events may have provided a glimpse into the future of a system populated with thousands of thinly traded digital currencies.