A smart trader has exploited various protocols in the decentralized finance (DeFi) space to net a whopping $350,000 in profits.
As Decrypt reported yesterday, a clever set of instructions—all executed in one big transaction—enabled someone to leverage current weaknesses in the DeFi ecosystem for their own gain. By using several decentralized financial tools, and a small dose of price manipulation, they were able to take home a lot of Ethereum.
Julien Bouteloup, founder of DeFi investment firm Stake Capital, has put together this image to show just how complicated the multi-layered transaction was. And he lays out roughly what happened.
He specified that a flash loan of 10,000 ETH was probably to blame. Half of it went into lending platform Compound to borrow wrapped BTC (a version of Bitcoin on Ethereum). The rest was collateral for shorting—betting the price will go down—that wBTC on margin trading platform Fulcrum. The account then sold the wBTC on decentralized exchange Uniswap. The price went down, so the hacker cashed out the short at a profit and paid back the initial loan.
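The price drop described above, where one large wBTC sale moves the Uniswap price, can be reproduced with constant-product pool arithmetic. This is an added example, not code from the article, Uniswap or bZx; the reserves, trade sizes and the 5% deviation threshold are constructed assumptions, and the deviation check is a hypothetical safeguard for any contract that reads a pool's spot price.

```python
# Added illustration: constant-product (x * y = k) pool with constructed reserves.
# Reserves, trade sizes and the 5% threshold are assumptions, not incident figures.

FEE = 0.003  # 0.3% swap fee, as charged by Uniswap v1 pools


class Pool:
    def __init__(self, wbtc, eth):
        self.wbtc = wbtc
        self.eth = eth

    def spot_price(self):
        """ETH per wBTC implied by the current reserves."""
        return self.eth / self.wbtc

    def sell_wbtc(self, amount):
        """Sell wBTC into the pool, update reserves, return ETH paid out."""
        effective = amount * (1 - FEE)          # fee is taken from the input
        eth_out = self.eth * effective / (self.wbtc + effective)
        self.wbtc += amount
        self.eth -= eth_out
        return eth_out


def price_deviation(spot, reference):
    """Relative distance of the spot price from a reference price."""
    return abs(spot - reference) / reference


def simulate(sell_amount, wbtc_reserve=80.0, eth_reserve=2800.0, max_dev=0.05):
    pool = Pool(wbtc_reserve, eth_reserve)
    # Pre-trade price stands in for a reference that cannot be moved inside
    # one transaction (for example a time-weighted average or external feed).
    reference = pool.spot_price()
    eth_out = pool.sell_wbtc(sell_amount)
    spot = pool.spot_price()
    dev = price_deviation(spot, reference)
    return {
        "reference": reference,
        "spot_after": spot,
        "avg_fill": eth_out / sell_amount,
        "deviation": dev,
        "accepted": dev <= max_dev,   # reject spot prices far from reference
    }


if __name__ == "__main__":
    for size in (0.5, 100.0):
        print(size, simulate(size))
```

In a thin pool the large sale drags the spot price far below the reference, so a consumer that compares the two would refuse to act on it, while the small trade passes.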
But not only has the hacker exposed how a variety of DeFi tools can be used together to net a somewhat unethical profit, he or she has highlighted just how centralized some of these DeFi tools are.
Fulcrum uses its 'admin key'
Yesterday, bZx, which maintains the Fulcrum protocol, posted an update on the situation. It claimed that none of the users on its platform has lost any money.
"All users have ZERO losses. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other," it tweeted.
The platform went on to say that the attacker left $600,000 of wrapped Bitcoin on the exchange. And it plans to take this money and distribute it to other users of the exchange.
But, to do so, it will need to use its "admin key."
"There is currently 600k of wBTC collateral left by the attacker. We will be using this to stream interest and exit liquidity to existing iETH holders. This will be done using our admin key. This is an extremely difficult decision for us that we don't take lightly," bZx added.
Essentially this admin key is hard baked into the protocol and allows bZx to control any of the smart contracts—where the funds are kept—as a last resort. The purpose of the admin key is precisely for one of these moments, where something has gone wrong and there is a lot of money at stake.
But the admin key is proof there is a centralized point of failure and that users have to trust the team behind the exchange not to steal everybody's money. Considering that the entire purpose of DeFi is to remove this trust, it seems to be a rather major weakness.
It's not surprising that DeFi protocols want to have a failsafe. Ethereum's biggest experiment, The DAO—which at one point contained nearly 14% of the entire supply of Ethereum—broke down due to a bug in two lines of code. As a result, the entire Ethereum blockchain was rewritten so everyone could get their money back. But it undermined the network, and drew a lot of criticism.
This time, Fulcrum will use its admin key to save the day, but—by exposing how centralized it really is—it creates more questions than answers.