DeFi Trust Crisis: Rethinking the bZx Incident

Text: 嚯 嚯 Source: Hive Finance

Editor's Note: Original title was "DeFi Trust Crisis"

Six days have passed since assets were stolen from the DeFi lending protocol bZx, and the resulting crisis of trust has not subsided.

On February 15th and 18th, an attacker twice exploited a "contract loophole" in the DeFi lending protocol bZx, and successfully "arbitraged" nearly one million US dollars in less than 15 seconds.

Although the bZx protocol developers used emergency management permissions to successfully lock some of the attacker's proceeds, the use of a one-click pause function also raised doubts in the market.

Not only that: on the day of the second bZx attack, the value of locked assets in the DeFi ecosystem fell by $142 million within hours, and a trust crisis broke out in the DeFi ecosystem.

Some see this as a "DeFi death knell," and others see it as growing pains. The undeniable fact is that the bZx incident has made the crypto community take notice of a DeFi ecosystem that has not yet matured. At the same time, it has also served as a warning to every entrepreneur engaged in developing DeFi applications.


bZx attacker arbitrages nearly three million dollars in three days

"Anonymously borrowing someone else's money to attack a project and finally returning it is impossible in the traditional financial system," Richard Ma, co-founder of smart contract audit company Quantstamp, said on Twitter on February 24, where the remark drew a lot of discussion.

Six days have passed since assets were stolen from the DeFi lending protocol bZx, and the negative effects of the incident continue.

On February 15, within a single Ethereum block time of less than 15 seconds, an attacker exploited a "contract loophole" in the DeFi lending protocol bZx, calling smart contracts back and forth among 5 DeFi products, and at zero capital cost successfully "arbitraged" tokens worth $350,000. Three days later, bZx suffered a similar attack, and tokens worth $640,000 were successfully stolen.

"The root cause of the two attacks was that the decentralized trading protocol Uniswap shares the price of the trading pair in the pool. When the attacker manipulates the market price in multiple ways, arbitrage space is created," Yudan of the SlowMist security team told Hive Finance.

Taking the first arbitrage as an example, the "attacker" first deposited 5,500 of the 10,000 ETH borrowed into the collateralized lending DApp Compound, and borrowed 112 WBTC. WBTC is a tokenized form of Bitcoin, exchangeable with Bitcoin at a ratio of 1:1.

After that, the attacker took 1,300 of the remaining 4,500 ETH, deposited it into the lending protocol bZx, borrowed 5,637 ETH with 5 times leverage, and immediately exchanged it for WBTC. Because bZx is connected to the token trading protocol Kyber, which can in turn route to the WBTC trading pool in the decentralized trading protocol Uniswap, this pulled up the WBTC price.

The attacker obtained 51.34 WBTC through this series of operations, but this step did not yield any profit. At this point, the price of WBTC had more than tripled on Uniswap.

The arbitrage took place in the last step. The attacker took the 112 WBTC borrowed from Compound and sold them at the high price produced by the bZx trade, which yielded 6871.4 ETH. This not only cleared the original debt of 5,000 ETH, but also successfully arbitraged about 1271 ETH. Calculated at the ETH price of 280 USD at the time, the profit was about 350,000 US dollars.

Figure: Attacker arbitrage diagram

Yudan believes that "in the DeFi ecosystem, price sharing should be a good thing. Everyone shares a market to prevent inconsistencies in the price of each DeFi application and other risks. But it also introduces the problem of excessive dependence on third-party prices. When third-party price markets are manipulated, DeFi projects that rely on these third-party data may suffer losses."
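The price dependence described above can be made concrete with a small model. This is an added example, not code from bZx, Uniswap or the article: it simulates a constant-product pool and a hypothetical `price_is_sane` guard that compares the pool's spot price with an independent reference. The pool reserves, the 10% threshold and the function names are assumptions; only the 5,637 ETH trade size comes from the text.

```python
from dataclasses import dataclass

FEE = 0.003  # assumption: 0.3% swap fee of a Uniswap-style constant-product pool


@dataclass
class Pool:
    eth: float   # ETH reserve (constructed sample value)
    wbtc: float  # WBTC reserve (constructed sample value)

    def spot_price(self) -> float:
        """ETH per WBTC implied by the current reserves."""
        return self.eth / self.wbtc

    def swap_eth_for_wbtc(self, eth_in: float) -> float:
        """Constant-product swap (x * y = k); returns the WBTC paid out."""
        eth_eff = eth_in * (1 - FEE)
        wbtc_out = self.wbtc * eth_eff / (self.eth + eth_eff)
        self.eth += eth_in
        self.wbtc -= wbtc_out
        return wbtc_out


def price_is_sane(spot: float, reference: float, max_deviation: float = 0.10) -> bool:
    """Hypothetical guard: accept the pool price only if it is within
    max_deviation of a reference price taken from an independent source."""
    return abs(spot - reference) / reference <= max_deviation


def simulate(eth_in: float, pool_eth: float = 3000.0, pool_wbtc: float = 80.0) -> dict:
    """Swap eth_in into a constructed pool and report what a lender that
    reads the pool's spot price would see after the trade."""
    pool = Pool(pool_eth, pool_wbtc)
    reference = pool.spot_price()  # stands in for an independent price feed
    wbtc_out = pool.swap_eth_for_wbtc(eth_in)
    after = pool.spot_price()
    return {
        "wbtc_out": wbtc_out,
        "price_ratio": after / reference,
        "accepted": price_is_sane(after, reference),
    }


if __name__ == "__main__":
    print("ordinary 10 ETH trade:    ", simulate(10))
    print("5,637 ETH trade (article):", simulate(5637))
```

With these constructed reserves, an ordinary trade moves the spot price by under 1% and passes the guard, while the large trade multiplies it several times over and is rejected.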

Among the many discussions triggered by the incident, many people regarded the attack as a precise ambush targeting the problems of the DeFi ecosystem. Although the losses in the two attacks do not match the scale of the thefts suffered by centralized exchanges, the two attacks on bZx came only 3 days apart, and the security of DeFi projects has raised concerns among the industry and users.

Locked assets in the DeFi ecosystem evaporate by $200 million

On February 18, the day bZx was attacked again, according to statistics from analysis platform DeFi Pulse, the value of locked assets in the DeFi ecosystem fell by $142 million within hours.

Figure: Locked assets in the DeFi ecosystem fall to $1.08 billion

Data show that at the beginning of this month, the total value of the assets locked in DeFi protocols exceeded the US $1 billion mark for the first time, and reached a record high of US $1.22 billion on February 15th. After the bZx incident, the value of locked assets in the ecosystem has fallen from that high point to the current 1.072 billion US dollars.

The bZx incident has led to a crisis of trust in the DeFi ecosystem. "Everyone is afraid that the locked assets will be lost," some insiders said.

The bZx protocol developers have now used emergency management permissions and successfully locked some of the attacker's proceeds. However, the project team's use of the "one-click pause" function has raised questions in the market: is this contrary to the concept of decentralization? Some people believe that this exposes the "original sin" of the entire DeFi ecosystem.

"That's why I don't believe in DeFi," Litecoin founder Charlie Lee tweeted, saying that most DeFi can be closed by a centralized department, so it is just a decentralized "theatre": "Unless we add more centralization, no one can avoid hacking or exploits."

Faced with outside doubts about the DeFi ecosystem, Yang Mindao, founder of Blockpower and an institutional investor who has followed the DeFi ecosystem for a long time, gave another interpretation. He told Hive Finance, "I prefer 'open finance' to 'DeFi' (decentralized finance). Open finance is characterized by openness, transparency, and minimal trust. Decentralized permission management does not mean to centralize operations."

Yudan holds the same view. He believes that the outside world should not write off the entire DeFi ecosystem because of this security incident. "DeFi's original intention was open finance. The launch of a DeFi product also means that there are many unknown risks. And the project team's administrator private key is the last firewall after a 'black swan' incident. This administrator's operations are also public on the chain, and the public can monitor them through on-chain transactions."

Yudan believes that as long as the project team makes reasonable use of such super permissions in the future, it will be conducive to the better development of the project to a certain extent, and that when such centralized super permissions are introduced, they can be decentralized, using multiple signatures to reduce the risk of malicious behavior within the project.


DeFi market triples in size, meets security challenges

The bZx incident has caused a stir in the crypto community. Some people regard it as the "DeFi death knell", and some see it as growing pains. But this attack also made the crypto community begin to show interest in the DeFi ecosystem and its applications. "If you don't learn DeFi, you really can't keep up with the rhythm," some practitioners in the industry remarked when sharing news of the bZx incident.

If 2018 was the beginning of DeFi, then 2019 can be called the first year of DeFi development. According to DAppTotal data, the total locked value of DeFi across the industry increased significantly, from $302 million on January 1, 2019, to $931 million at the end of the year, an increase of nearly 300%.

DeFi is short for Decentralized Finance, also known as open finance. At present, it is mainly active in the Ethereum network ecosystem. After two or three years of exploration and development, it has given rise to financial innovations such as stablecoins, lending platforms, derivatives, prediction markets, insurance, and payment platforms.

Centralized control and regulation of the financial system is the current mainstream state of affairs. DeFi hopes to establish a transparent, accessible, and inclusive peer-to-peer financial system through distributed open source protocols, to minimize trust risks.

At present, high-profile DeFi applications such as MakerDAO and Compound have appeared on the Ethereum network, and there are already platforms such as EOSREX on the EOS network. In addition, many emerging public chains such as Cosmos, Polkadot, and Nervos have stated that they will focus on the deployment of DeFi.

Figure: Ranking of top DeFi applications

However, the bZx incident has made the outside world aware that DeFi, which is committed to solving the risk of centralized financial trust, is also facing a trust crisis due to security issues.

"MakerDAO was not affected by this incident." Pan Chao, the China head of the project, told Hive Finance that such attacks are not effective against MakerDAO. "Because Dai does not rely on DEXs in the algorithm reserve pool to provide liquidity, and does not use the DEX price as the oracle feed price."

Pan Chao believes that the bZx incident also served as a warning to every DeFi practitioner: when designing products, carefully consider the other protocols being connected, because these external protocols may hide risks and affect one's own system. "DeFi itself is not the problem; the problem is the coupling between the protocols." Pan Chao also pointed out that the vulnerability in this bZx attack is not valid against an independent single protocol, but the connection of several protocols generates arbitrage risks. "Users should choose a product that has been tested over time."

As the DeFi market continues to grow, it also brings new challenges for industry security. If the DeFi ecosystem is a transparent financial pool that everyone can see, then hackers are surely among those watching.

Interaction time

After bZx, will you still use DeFi apps?