The recent bZx flash loan attacks have opened up a whole new debate. The back-to-back exploits at the ETHDenver conference have shown that DeFi is just as vulnerable as conventional networks. Although the two incidents were different, both ended in losses. In total, the attackers took around one million dollars. So, what will happen to DeFi, and where do we go from here?
bZx flash loan attacks are just the beginning
The bZx flash loan attacks have left a sour taste in the mouths of DeFi lovers. What was seen as an alternative financial revolution is now viewed with lingering doubts. Faith in DeFi was first shaken on February 14th at the ETHDenver conference. The bZx team was celebrating their work when news of an attack stopped them in their tracks in the middle of the event. The team acknowledged the suspicious transaction and confirmed the attack on its social media channels.
Funds are SAFU:
1/*All users have ZERO losses*. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other.
— bZx (@bzxHQ) February 15, 2020
The team paused the bZx contract in question midway, but some ETH were lost. Since bZx has an insurance fund, it was able to compensate the investors. Its reputation, however, was tarnished. The bZx flash loan attacks were executed using a price manipulation mechanism. The attacker began by taking a 10K ETH loan on the dYdX platform. It was evenly distributed between two lenders, namely bZx and Compound. One amount was used as collateral on another loan. The bZx amount was used for a short trade against ETH. With Uniswap prices as the base, the price of WBTC was driven up. The WBTC was then sold at the higher price for a handsome profit. The dYdX loan was repaid in full from the profits, the attackers made 1,193 ETH in profits, and bZx was left clueless with an under-collateralized loan.
Dangerous vulnerabilities of flash loans
Crypto flash loans promise money without any collateral. Because the loan is repaid instantly, no collateral is needed, and that’s where the bZx flash loan attacks originate. The loans were used in combination with smart contracts to create short-term trades. The transactions are instantaneous, meaning they either happen or fail instantly. The lenders' funds are in danger throughout the process.
The bZx flash loan attacks are being blamed on oracle price manipulation. The attackers manipulated the volatility in the price to their advantage, which gave them windfall profits. However, the bZx flash loan attacks cannot be classified as smart arbitrage, since they used bugs in the bZx code to execute the trades. This is not smart trading but plain hacking. More importantly, these attacks tarnished the DeFi industry and put its reputation at stake.
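The oracle weakness described above can be seen in a small simulation. This is an added example, not code from the article or from bZx: it models a constant-product pool and shows a lending-side guard that compares the pool's spot price with a time-weighted average and rejects a price moved within a single transaction. The reserves, trade size, 5% threshold and all function names are constructed for illustration, and the TWAP check is one common mitigation, not a description of what bZx deployed.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool (eth * wbtc = k), the model Uniswap used at the time."""
    eth: float
    wbtc: float
    fee: float = 0.003

    def spot(self) -> float:
        """Instantaneous price in ETH per WBTC, read straight from the reserves."""
        return self.eth / self.wbtc

    def swap_eth_for_wbtc(self, eth_in: float) -> float:
        eth_eff = eth_in * (1 - self.fee)
        out = self.wbtc * eth_eff / (self.eth + eth_eff)
        self.eth += eth_in
        self.wbtc -= out
        return out

def twap(observations):
    """Time-weighted average over (price, seconds_in_force) observations."""
    elapsed = sum(secs for _, secs in observations)
    return sum(price * secs for price, secs in observations) / elapsed

def guarded_price(pool, observations, max_deviation=0.05):
    """Return the spot price only if it stays close to the TWAP reference."""
    reference = twap(observations)
    spot = pool.spot()
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError(f"spot {spot:.2f} deviates from TWAP {reference:.2f}")
    return spot

def simulate():
    pool = Pool(eth=2_800.0, wbtc=80.0)      # constructed reserves
    observations = [(pool.spot(), 600)] * 3  # constructed: 3 earlier 10-minute windows
    before = guarded_price(pool, observations)
    pool.swap_eth_for_wbtc(5_600.0)          # one large swap inside a single transaction
    after = pool.spot()
    # A price created and read in the same transaction has been in force for
    # 0 seconds, so it adds nothing to the time-weighted reference.
    observations.append((after, 0))
    try:
        guarded_price(pool, observations)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected

if __name__ == "__main__":
    print(simulate())
```

A protocol that reads `spot()` directly would value WBTC at roughly nine times its earlier price after the swap, while the guarded read refuses to return a price at all.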