How a genius hacker made $350,000 exploiting DeFi

One "decentralized" protocol is now using its admin key to redeem lost funds. And this shows the bigger problem with DeFi.

In brief

  • Someone exploited various DeFi protocols to take home $350,000 in profits.
  • Fulcrum claims that none of its users has lost any money.
  • Fulcrum will now use its "admin key" to access some of the hacker's funds.

A smart trader has exploited various protocols in the decentralized finance (DeFi) space to net a whopping $350,000 in profits.

As Decrypt reported yesterday, a clever sequence of calls, all executed inside one Ethereum transaction so that either every step went through or none of them did, enabled someone to exploit current weaknesses in the DeFi ecosystem for their own gain. By chaining several decentralized financial tools with a small dose of price manipulation, they were able to take home a lot of ETH.

Julien Bouteloup, founder of DeFi investment firm Stake Capital, has put together this image to show just how complicated the multi-layered transaction was. And he lays out roughly what happened.

He specified that a flash loan of 10,000 ETH was probably to blame. Half of it went into lending platform Compound to borrow wrapped BTC (a version of Bitcoin on Ethereum). The rest was collateral for shorting—betting the price will go down—that wBTC on margin trading platform Fulcrum. The account then sold the wBTC on decentralized exchange Uniswap. The price went down, so the hacker cashed out the short at a profit and paid back the initial loan.
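The pattern Bouteloup describes, reduced to a runnable toy model. This is an added example written for this page, not code from the article or from Compound, Fulcrum, Uniswap or the attacker. The pool reserves, the 40 ETH per wBTC reference price, the position sizes, the 60% collateral factor, the zero flash-loan fee and the assumption that the short is settled at the pool's spot price are all invented to show the mechanism; they do not reproduce the real transaction.

```python
"""Toy model of the pattern above: a flash loan funds a trade that moves a thin
constant-product pool, and a short that is marked to that pool's spot price pays
out on the move. Constructed example; the pool, loan and position sizes are made
up and do not reproduce the real transaction."""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Uniswap-style x*y=k pool of wBTC against ETH with a 0.3% swap fee."""
    btc: float
    eth: float
    fee: float = 0.003

    def spot(self) -> float:
        """ETH per wBTC implied by the reserves: what a naive on-chain oracle reads."""
        return self.eth / self.btc

    def sell_btc(self, btc_in: float) -> float:
        """Swap wBTC for ETH and return the ETH received (Uniswap v2 getAmountOut)."""
        in_after_fee = btc_in * (1 - self.fee)
        eth_out = self.eth * in_after_fee / (self.btc + in_after_fee)
        self.btc += btc_in
        self.eth -= eth_out
        return eth_out

    def buy_btc(self, btc_out: float) -> float:
        """Swap ETH for an exact amount of wBTC and return the ETH paid (getAmountIn)."""
        eth_in = self.eth * btc_out / ((self.btc - btc_out) * (1 - self.fee))
        self.btc -= btc_out
        self.eth += eth_in
        return eth_in


def simulate(pool: ConstantProductPool, mark_short_to: str = "pool",
             loan_eth: float = 10_000.0, ref_price: float = 40.0,
             lender_collateral_eth: float = 5_000.0, collateral_factor: float = 0.6,
             short_collateral_eth: float = 1_000.0, leverage: float = 1.0) -> dict:
    """Walk through one atomic transaction, tracking the attacker's ETH balance.

    mark_short_to="pool":      the short settles at the pool's spot price (manipulable).
    mark_short_to="reference": it settles at a price the attacker's own trade cannot move.
    ref_price is the hypothetical fair ETH/wBTC price the lending platform uses.
    """
    eth = loan_eth                                     # 1. flash loan, repaid in step 7
    eth -= lender_collateral_eth                       # 2. post ETH at a lending platform...
    btc_debt = lender_collateral_eth / ref_price * collateral_factor   # ...and borrow wBTC against it
    entry = pool.spot()
    eth -= short_collateral_eth                        # 3. open a short on wBTC at today's spot
    notional_btc = short_collateral_eth * leverage / entry
    eth_from_sale = pool.sell_btc(btc_debt)            # 4. dump the borrowed wBTC into the pool
    eth += eth_from_sale
    spot_after = pool.spot()
    exit_price = spot_after if mark_short_to == "pool" else ref_price
    pnl = notional_btc * (entry - exit_price)          # 5. close the short; the margin platform's
    eth += short_collateral_eth + pnl                  #    lenders are the counterparty that pays
    buyback_cost = pool.buy_btc(btc_debt)              # 6. buy the wBTC back, repay the lender,
    eth -= buyback_cost                                #    recover the collateral
    eth += lender_collateral_eth
    eth -= loan_eth                                    # 7. repay the flash loan (fee assumed zero)
    return {
        "spot_before": entry,
        "spot_after": spot_after,
        "short_pnl_eth": pnl,
        "round_trip_cost_eth": buyback_cost - eth_from_sale,   # what moving the price cost
        "net_profit_eth": eth,
    }


if __name__ == "__main__":
    for oracle in ("pool", "reference"):
        r = simulate(ConstantProductPool(btc=100.0, eth=4_000.0), mark_short_to=oracle)
        print(f"short marked to {oracle:9s}: spot {r['spot_before']:.2f} -> {r['spot_after']:.2f}, "
              f"manipulation cost {r['round_trip_cost_eth']:.2f} ETH, net {r['net_profit_eth']:+.2f} ETH")
```

Run as-is it prints both cases. Marked to the pool, the sale that pushes the spot price from 40 to about 13 ETH per wBTC costs only about 10 ETH in slippage and fees, because the wBTC is bought straight back in the same transaction, while the short pays out roughly 670 ETH; marked to a reference price the attacker cannot move, the very same transaction loses money. That asymmetry, not any bug in the pool itself, is what the flash loan monetises: the loan removes the capital requirement and atomic execution removes the risk of being left holding a half-finished position. The model is written in Python rather than Solidity because the point is the economics, which can be checked by hand, not the contract plumbing.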

The hacker has not only shown how a chain of DeFi tools can be combined into a profit most would call unethical; he or she has also exposed just how centralized some of those tools really are.

Fulcrum uses its 'admin key'

Yesterday, bZx, which maintains the Fulcrum protocol, posted an update on the situation. It claimed that none of the users on its platform has lost any money.

"All users have ZERO losses. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other," it tweeted.

The platform went on to say that the attacker left roughly $600,000 worth of wrapped Bitcoin behind as collateral in the protocol. It plans to take that money and distribute it to the users on the other side of the trade.

But, to do so, it will need to use its "admin key."

"There is currently 600k of wBTC collateral left by the attacker. We will be using this to stream interest and exit liquidity to existing iETH holders. This will be done using our admin key. This is an extremely difficult decision for us that we don't take lightly," bZx added.

In practice an admin key of this kind is a privileged account whose address is written into the protocol's smart contracts, where the funds are kept. The functions that move funds or change how those contracts behave check that the caller is that address, so whoever holds the key can override the contracts as a last resort. The purpose of the admin key is precisely for one of these moments, where something has gone wrong and there is a lot of money at stake.

But the admin key is proof of a single, centralized point of failure: users have to trust that the team behind the exchange will not use it to take everybody's money, and also that the key itself will never be lost or stolen, since anyone who holds it has exactly the same powers. Considering that the entire purpose of DeFi is to remove this kind of trust, it seems to be a rather major weakness.

It's not surprising that DeFi protocols want to have a failsafe. Ethereum's biggest experiment, The DAO—which at one point contained nearly 14% of the entire supply of Ethereum—was drained through a bug in two lines of code. In response, Ethereum hard-forked to move the drained ether into a contract from which the original investors could withdraw it. But the fork split the network, with the un-forked chain continuing as Ethereum Classic, and drew a lot of criticism.

This time, Fulcrum will use its admin key to save the day, but—by exposing how centralized it really is—it creates more questions than answers.

