DeFi exchange bZx has been hit by a second flash loan exploit within a week, this time losing over $600,000 USD in ETH. The second attack in a matter of days comes after bZx had just implemented a fix to prevent flash loan exploits.
Are Flashloans the real DeFi Killer?
1/ WHAT WE KNOW SO FAR: There was a second attack. This attack was completely different from the first. This time it was an oracle manipulation attack, a modified version of the original exploit we worked closely with @samczsun to fix: https://t.co/lDcyDQf44i
— bZx (@bzxHQ) February 18, 2020
DeFi startup bZx has tweeted about a second flash loan attack on the platform. A flash loan lets a smart contract borrow funds with no collateral as long as it repays them within the same transaction, and the “attacker” used such a contract to exploit the platform.
Between borrowing and repaying the loan, an attacker can execute many intermediate steps that leverage DEXs and DeFi lending platforms, all of them carried out automatically by smart contracts. It all happens instantly in one transaction.
In this most recent attack, the attacker was able to take advantage of flash loans to place several trades at once, arbitraging the low liquidity of DEXs and making a handsome profit.
In this case, the attacker borrowed 7,500 ETH on bZx, used half of the ETH to purchase sUSD on Synthetix, another DeFi platform, and used that sUSD as collateral for a second bZx loan.
They then used 900 ETH to pump the price of sUSD to $2 on Kyber Network, a low-liquidity DEX that bZx relied on as a price oracle. Because bZx valued the sUSD collateral through that manipulated oracle, they were able to borrow another 6,796 ETH, repay the original 7,500 ETH loan and pocket 2,378 ETH, netting $630,000 in profit.
All of this was carried out in a single transaction, using the smart contract in a way its developers did not intend, much like the famous DAO hack. It really wasn’t a hack so much as an exploit of a poorly written and insecure smart contract.
When using a DeFi loan in a way that ETH people don’t like, it’s an “attack”.
Just like how code was “law” before the DAO contract execution.
— grubles (@notgrubles) February 18, 2020
bZx is marketed as DeFi, but decentralized platforms don’t have a pause button
After the first attack on bZx, in which the platform lost $350,000 in ETH to a similar exploit, the platform was shut down and taken offline while developers tried to fix the contract so that malicious actors could not execute another exploit.
The second attack was not identical to the first but followed the same pattern, the difference being that it targeted a price feed oracle. It seems Ethereum developers have not fully grasped the “oracle problem”.
The first attack caught the crypto community off guard, as flash loans are a new product being offered by DeFi platforms. The second attack shows that very thorough audits of DeFi smart contracts are needed to prevent contracts from being used in ways their developers never intended.
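To make the “oracle problem” from the attack walkthrough above concrete, here is an added Python simulation. It is not code from bZx, Kyber or Synthetix (none of their contracts appear on this page), and every pool reserve, price and the 10% deviation bound is a constructed value. It contrasts a lending contract that prices collateral straight from one thin DEX pool, which over-lends after a single large swap in the same transaction, with a guarded feed that takes the median of several independent sources, rejects a quote that jumps away from a moving average of recently accepted prices, and reports which source disagreed so the event can be detected rather than silently trusted.

```python
"""Constructed model of a DeFi collateral price oracle and its hardening.

Nothing here is bZx, Kyber or Synthetix code; the AMM pool, reserves,
reference price and thresholds are invented for illustration only.
"""
from collections import deque
from statistics import median


class OracleRejected(Exception):
    """Raised when a price quote fails the feed's sanity checks."""


class ConstantProductPool:
    """Minimal x*y=k AMM pool holding ETH and sUSD (constructed reserves)."""

    def __init__(self, eth_reserve, susd_reserve):
        self.eth = eth_reserve
        self.susd = susd_reserve

    def spot_price_susd_in_eth(self):
        # Price of 1 sUSD expressed in ETH, read directly from reserves.
        return self.eth / self.susd

    def swap_eth_for_susd(self, eth_in):
        # Fee-less constant-product swap; returns the sUSD paid out.
        k = self.eth * self.susd
        new_eth = self.eth + eth_in
        new_susd = k / new_eth
        out = self.susd - new_susd
        self.eth, self.susd = new_eth, new_susd
        return out


class GuardedPriceFeed:
    """Price feed that (1) takes the median across independent sources so one
    thin pool cannot dominate, (2) rejects a consensus price that moves more
    than max_deviation from the moving average of recently accepted prices
    (a simplified stand-in for an on-chain TWAP), and (3) lists the sources
    that disagree with the consensus for monitoring and alerting."""

    def __init__(self, max_deviation=0.10, window=10):
        self.max_deviation = max_deviation
        self.history = deque(maxlen=window)

    def seed(self, price, count):
        # Pre-load the history with previously accepted prices.
        for _ in range(count):
            self.history.append(price)

    def consensus(self, quotes):
        med = median(quotes.values())
        outliers = [name for name, p in quotes.items()
                    if abs(p - med) / med > self.max_deviation]
        return med, outliers

    def accept(self, quotes):
        med, outliers = self.consensus(quotes)
        if self.history:
            avg = sum(self.history) / len(self.history)
            deviation = abs(med - avg) / avg
            if deviation > self.max_deviation:
                raise OracleRejected(
                    f"quote {med:.6f} deviates {deviation:.0%} from average {avg:.6f}")
        self.history.append(med)
        return med, outliers


LOAN_TO_VALUE = 0.75  # constructed: borrow up to 75% of collateral value


def max_borrow_eth(collateral_susd, susd_price_in_eth):
    """How much ETH a lender hands out against sUSD collateral at a given price."""
    return collateral_susd * susd_price_in_eth * LOAN_TO_VALUE


def run_scenario():
    """Same collateral, same single-block price spike, two oracle designs."""
    thin = ConstantProductPool(40.0, 10_000.0)          # thin pool, 1 sUSD = 0.004 ETH
    deep = ConstantProductPool(4_000.0, 1_000_000.0)    # deep pool, same price
    reference = 0.004                                   # constructed off-chain reference
    feed = GuardedPriceFeed()
    feed.seed(reference, 5)
    collateral = 10_000.0                               # sUSD posted as collateral

    honest_loan = max_borrow_eth(collateral, thin.spot_price_susd_in_eth())

    # One large swap into the thin pool moves its spot price 4x within the block.
    thin.swap_eth_for_susd(40.0)
    naive_loan = max_borrow_eth(collateral, thin.spot_price_susd_in_eth())

    quotes = {
        "thin_pool": thin.spot_price_susd_in_eth(),
        "deep_pool": deep.spot_price_susd_in_eth(),
        "reference_feed": reference,
    }
    guarded_price, outliers = feed.accept(quotes)
    guarded_loan = max_borrow_eth(collateral, guarded_price)

    # A feed fed only by the thin pool still refuses the jump via the moving average.
    single_source_rejected = False
    try:
        feed.accept({"thin_pool": thin.spot_price_susd_in_eth()})
    except OracleRejected:
        single_source_rejected = True

    return {
        "honest_loan": honest_loan,                 # 30.0 ETH
        "naive_loan": naive_loan,                   # 120.0 ETH after the spike
        "guarded_loan": guarded_loan,               # 30.0 ETH, spike ignored
        "flagged_sources": outliers,                # ["thin_pool"]
        "single_source_rejected": single_source_rejected,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The naive oracle lets the lender hand out four times the ETH it should against the same collateral, because the spot price of a thin pool is whatever the last swap in the block made it. The guarded feed never sees the spike in its consensus, names the thin pool as the disagreeing source (a useful alert for monitoring), and even with a single source it refuses a quote that jumps 300% away from recent history, which is the class of check the article says DeFi oracle integrations were missing.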
The fact that bZx has been able to freeze the platform during both attacks shows that even though it is marketed as DeFi, ultimately it is a centralized platform. Devs were able to use an “admin key” to shut down trading on the platform.
Nick Szabo has labelled this faux-decentralization “decentralization theater” and it calls into question just how decentralized so-called DeFi platforms really are.
Is it really better than centralized financial alternatives, if it can still be shut down when a user takes advantage of smart contract features in a way that isn’t intended by the developers?
At least traditional finance has strict regulatory oversight to identify and prosecute bad actors, while DeFi does not. It is like the DAO “hack”, all over again.
What do you think of the latest bZx exploit? Let us know in the comments!
Images via Shutterstock, Twitter @bzxHQ @notgrubles