- A trader has exploited several decentralized finance protocols again, for a further $645,000.
- That brings the total taken over the past week to $1 million.
- BZx has temporarily shut down the platform, suggesting it's not decentralized after all.
A trader has again exploited a number of decentralized finance (DeFi) tools to take home a large amount of Ethereum (ETH). After netting $350,000 on Valentine’s Day, he or she has now taken a further $645,000—a total just shy of a million dollars.
The theft happened in the same way as the first. A clever set of instructions—all executed in one big transaction—enabled the trader to leverage current weaknesses in the DeFi ecosystem for their own gain. By using several decentralized financial tools, and a small dose of price manipulation, they were able to take home a lot of Ethereum.
Though the trader’s identity remains unknown, the modus operandi was the same as the last hack, suggesting the same person.
The main focus was on bZx, which maintains the Fulcrum protocol. In the company’s Telegram chat, bZx’s co-founder, Kyle Kistner, confirmed the second attack, writing that it appears to be “an oracle manipulation attack.” An admin in the channel claimed that user funds are safe.
We have hit the pause button on the protocol again in light of suspicious transactions using flash loans and trading on Synthetix.
— bZx (@bzxHQ) February 18, 2020
On Twitter, the company said that it has paused the “decentralized” protocol again. The DeFi community was quick to point out that this shows bZx still has ultimate control over the protocol, meaning it’s still a centralized system.
Eric Wall, CIO at Arcane Assets, defended the DeFi ecosystem, arguing that some protocols are more decentralized than others. He argued that there are several types of admin keys: those that can control funds—such as the ones bZx has—and those that can’t.
“A DeFi admin key can allow you to pause/freeze a contract. This is very bad! Oh no! But it's not identical to a centralized exchange unless that admin key allows you to confiscate individual user balances,” he tweeted.
Tweets like "DeFi apps are no different than centralized exchanges because all the contracts have admin keys" is the cheap, boring fast-track to "CT wokeness" these days, forcing me to take the devil's advocate and point out why that's sometimes wrong. Warranted retort:
— Eric Wall IS RIGHT (@ercwl) February 17, 2020
So, it’s good that at least some DeFi protocols don’t have such admin keys—because otherwise Ethereum co-founder Vitalik Buterin would probably want them to “burn in hell.”