DeFi protocol bZx says it lost funds via a margin-lending exploit

A complex exploit was the talk of ETHDenver Saturday morning as DeFi protocol bZx scrambled to figure out what happened.

Securing DeFi systems is still a work in progress

DENVER—On Friday, ETHDenver emcee Hudson Jameson called Tom Bean of bZx to the stage to give a talk called, “Leveraging DeFi with Fulcrum.” The protocol allows developers to build “applications that empower lenders, borrowers, and traders with the most flexible decentralized finance protocol on Ethereum.”

But after calling Bean to the podium, Jameson was met with awkward silence. So he tried again, killing time with—what else?—jokes about TRON. But Bean never showed.

Bean’s absence was an inauspicious sign of things to come for the protocol he created.

Fulcrum taken down for maintenance

Last night, Fulcrum, bZx’s margin-trading platform, was taken down for “maintenance” in the wake of an attack—or perhaps just a really clever series of transactions—that left it $350,000 short. Bean’s co-founder, Kyle Kistner, posted to bZx’s Telegram group on Saturday morning:

“There was an exploit executed against the contract. There was a portion of ETH lost. We have paused the contract except for lending and unlending.” He continued, “No further funds are at risk.”

Fulcrum was taken down for "maintenance."

The passive voice is telling: Fulcrum lost the ETH, but in these early stages it’s still unclear who’s on the hook. At least $350,000 worth of ETH is believed to be lost, according to DeFi Pulse, all from a single string of transactions. DeFi Pulse indicated that a flash loan of 10,000 ETH was probably to blame. Half of it went into Compound as collateral to borrow wrapped BTC (wBTC). The rest was posted as collateral to short that wBTC on Fulcrum. The account then sold the borrowed wBTC on Uniswap. The price went down, so they closed the short at a profit and paid back the flash loan.
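To make the price-impact step concrete, here is a constructed toy model added for this article; it is not the bZx, Fulcrum, Compound or Uniswap code and does not reproduce the actual transaction. It assumes a Uniswap-style constant-product pool and a short position that is marked to that pool’s spot price (an assumption for illustration only; this page does not establish how Fulcrum priced the position, and bZx says it does not use Uniswap as an oracle). All reserves, trade sizes and prices are made up. The example goes one step beyond the article by running the same sale against a pool ten times deeper, to show that the profit comes from how thin the pool is relative to the trade.

```python
"""Toy model of the price-impact mechanism described above.
Constructed example, not the bZx/Fulcrum, Compound or Uniswap contracts;
all reserves, trade sizes and prices below are made up for illustration."""

from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Uniswap-style x*y=k market maker. The swap fee is omitted for clarity
    (assumption: it only slightly reduces the output and the price move)."""
    reserve_base: float   # e.g. wBTC held by the pool
    reserve_quote: float  # e.g. ETH held by the pool

    def spot_price(self) -> float:
        """Quote per base unit; what a naive on-chain reader of reserves sees."""
        return self.reserve_quote / self.reserve_base

    def sell_base(self, amount_in: float) -> float:
        """Sell amount_in base into the pool and return the quote paid out.
        Reserves move along the curve so that their product stays constant."""
        if amount_in <= 0:
            raise ValueError("amount_in must be positive")
        k = self.reserve_base * self.reserve_quote
        new_base = self.reserve_base + amount_in
        new_quote = k / new_base
        paid_out = self.reserve_quote - new_quote
        self.reserve_base, self.reserve_quote = new_base, new_quote
        return paid_out


def dump_and_mark_short(reserve_base: float, reserve_quote: float,
                        short_size: float, dump_amount: float) -> dict:
    """Open a short of short_size base at the pool's current spot price, sell
    dump_amount base into the same pool, then mark the short to the post-sale
    spot price. Returns prices, the quote received for the sale, and the
    short's mark-to-market gain in quote units (positive = profit)."""
    pool = ConstantProductPool(reserve_base, reserve_quote)
    entry = pool.spot_price()
    received = pool.sell_base(dump_amount)
    exit_ = pool.spot_price()
    return {
        "entry_price": entry,
        "exit_price": exit_,
        "quote_received": received,
        "short_gain": short_size * (entry - exit_),
    }


def thin_vs_deep(dump_amount: float = 50.0, short_size: float = 50.0) -> tuple:
    """Same sale and same short against a thin pool and one ten times deeper.
    Constructed reserves; both pools start at 40 quote units per base unit."""
    thin = dump_and_mark_short(100.0, 4_000.0, short_size, dump_amount)
    deep = dump_and_mark_short(1_000.0, 40_000.0, short_size, dump_amount)
    return thin, deep


if __name__ == "__main__":
    thin, deep = thin_vs_deep()
    for name, r in (("thin pool", thin), ("deep pool", deep)):
        print(f"{name}: {r['entry_price']:.2f} -> {r['exit_price']:.2f}, "
              f"short gain {r['short_gain']:.1f} quote units")
```

With the constructed numbers, selling 50 base units into the thin pool moves the spot price from 40 to about 17.8 and the short gains about 1,111 quote units; the same sale into the deep pool only moves the price to about 36.3, for a gain of about 186. The point for a reviewer is the one Monahan makes below: every contract in the chain can execute exactly as written, and the system is still unsafe if a position is valued against a price that the same transaction is free to push around.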

A malicious attack, or a well-executed bit of arbitrage?

If you’re not following, the key point here is that no one can even agree on whether this was a malicious attack or a well-executed crypto arbitrage trick.

“Just because your code works does not mean your system is secure.”

The still-unfolding incident was subsequently discussed at ETHDenver on Saturday morning. Taylor Monahan, CEO of MyCrypto, a blockchain interface tool, was giving a talk titled “Risky Business” about the risks of relying on smart contracts in decentralized finance.

She subtweeted the exploit from the main stage, saying, “We refuse to learn how to make our smart contracts secure.” To her, it was irrelevant if it was a hack or market manipulation. It’s indicative of the inherent risks of decentralized finance. "Just because your code works does not mean your system is secure,” she said.

Others reacted to the attack differently. Tim Ogilvie, CEO of Staked, had been sitting next to the bZx booth all Friday. His business has used Fulcrum, and though he was confident their funds were safe, he was still anxious to hear more about the attack. The bZx booth was noticeably empty.

DeFi: a grand experiment

Ogilvie was nonetheless optimistic. He told Decrypt on Saturday morning, “DeFi is an experiment…. I think this is the maturation process for DeFi. You have to get battle-hardened, and if somebody puts out a product that has vulnerabilities, someone else is going to exploit it and that’s part of the system getting stronger.”

Later Saturday morning, bZx took to Twitter to update users. The battle-hardening process had apparently begun, though the lost ETH was a hard lesson. bZx wrote:

“Due to the complexity of the transaction, providing a comprehensive accounting of the losses will require additional time. This was not a simple Uniswap attack, and we do not use Uniswap as an oracle.” The company said it had “deployed a contract upgrade that we believe will make our system more robust against these types of actions in the future.” It indicated the upgrade would be effective before the end of Saturday.

Meanwhile, Monahan concluded her talk by urging attendees to understand the risks they and their users are taking as they tool around with DeFi. “Experimentation is valuable,” she said, “but we need to do it in a safe way.” She then ceded the stage to stick to schedule. Kistner was set to appear in a panel on DeFi composability. “What’s next?” it asked.

