Genius hacker exploits DeFi again, takes $1 million in total

A trader has again exploited a number of decentralized finance (DeFi) tools, to take home a large amount of Ethereum (ETH). After netting $350,000 on Valentine’s Day, he or she has now taken a further $645,000—a total just shy of a million dollars.

The theft happened in the same way. A clever set of instructions—all executed in one big transaction—enabled the trader to leverage current weaknesses in the DeFi ecosystem for their own gain. By using several decentralized financial tools, and a small dose of price manipulation, they were able to take home a lot of Ethereum.

Though the trader’s identity remains unknown, the modus operandi was the same as the last hack, suggesting the same person. 

The main focus was on bZx, which maintains the Fulcrum protocol. In the company’s Telegram chat, bZx’s co-founder, Kyle Kistner, confirmed the second attack, writing that it appears to be “an oracle manipulation attack.” An admin in the channel claimed that user funds are safe.

On Twitter, the company said that it has paused the “decentralized” protocol again. The DeFi community were quick to point out this means that bZx still has ultimate control over the protocol, meaning it’s still a centralized system.

Eric Wall, CIO at Arcane Assets, defended the DeFi ecosystem, arguing that some protocols are more decentralized than others. He argued that there are several types of admin keys: those that can control funds—such as the ones bZx has—and those that can’t.

“A DeFi admin key can allow you to pause/freeze a contract. This is very bad! Oh no! But it's not identical to a centralized exchange unless that admin key allows you to confiscate individual user balances,” he tweeted.

So, it’s good that at least some DeFi protocols don’t have such admin keys—because otherwise Ethereum co-founder Vitalik Buterin would probably want them to “burn in hell.”