DeFi Monthly Report | Rethinking the bZx incident: what do DeFi oracles, insurance, and governance do?

According to Dapp Total data, the total value locked across 36 DeFi applications is USD 1.34 billion. Of this, 3.71 million ETH is locked (3.37% of total ETH supply) and 6.94 million EOS is locked (6.83% of total EOS supply). The three projects with the largest share of locked value are Maker, EOS REX, and Edgeware, at 35.72%, 17.92%, and 12.47% respectively. (Dapp Total screenshot, Feb 29, 2020)

DeFi total value locked reached a record high of $1.76 billion on February 14, but after the first bZx attack on the 15th it began to fall.

This month's DeFi news can be summarized as a series of attacks on DeFi platforms and the resulting reflections on flash loans (rendered on this page as "lightning loans"), oracles, insurance, and governance.

1. DeFi platforms under attack: rethinking contract security

DeFi is still a relatively niche field, but as it grows more popular it has attracted the attention of attackers. Following the bZx incident, more attacks on DeFi platforms are likely.

Here are a few notable incidents on DeFi platforms this month.

Lending protocol bZx: suffered two attacks this month. The attacker put up no capital of their own and captured an arbitrage of over ten million within seconds. There have been too many articles about this incident, so I won't go into details here. See the article: "Don't Blame the 'Flash Loan': The Real Culprit Behind the bZx Attack".

Synthetix, a synthetic asset issuance platform: the protocol's "snapshot vulnerability" let users collect platform rewards while avoiding the risk they were supposed to bear. Synthetix will fix the vulnerability in its next release, Betelgeuse, and will reward 2 million SNX to accounts on the network that did not exploit the snapshot vulnerability.

Curve, a stablecoin trading platform: in an abnormal transaction, the attacker swapped USDC worth USD 89,000 for BUSD worth USD 465,000. The method was to use the Zap contract provided in cooperation with Curve: before the pool had been formally announced, an oversized trade was made, and the Zap contract did not check for slippage. Fortunately, after detecting the anomaly the team contacted a whale trader who intervened to rebalance the pool, so no funds were lost.
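To show what the missing slippage check means in practice, here is an added example (not Curve's or the Zap contract's code): a toy constant-product pool and a "zap"-style helper in two forms, one that accepts whatever the pool returns and one that derives a minimum acceptable output from the expected price. The pool reserves, the assumed 1:1 expected price, and the 50 bps tolerance are all constructed values.

```python
class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's minimum."""


class ConstantProductPool:
    """Toy x*y=k pool in integer base units; no fee, for clarity."""

    def __init__(self, reserve_in: int, reserve_out: int) -> None:
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out

    def quote(self, amount_in: int) -> int:
        # Output that keeps reserve_in * reserve_out >= k (rounding favours the pool).
        k = self.reserve_in * self.reserve_out
        new_in = self.reserve_in + amount_in
        kept_out = -(-k // new_in)  # ceiling division
        return self.reserve_out - kept_out

    def swap(self, amount_in: int, min_out: int = 0) -> int:
        amount_out = self.quote(amount_in)
        if amount_out < min_out:
            raise SlippageExceeded(f"got {amount_out}, wanted at least {min_out}")
        self.reserve_in += amount_in
        self.reserve_out -= amount_out
        return amount_out


def zap_unchecked(pool: ConstantProductPool, amount_in: int) -> int:
    """Missing check: whatever price the pool currently quotes is accepted."""
    return pool.swap(amount_in)


def zap_checked(pool: ConstantProductPool, amount_in: int,
                expected_price_bps: int = 10_000, max_slippage_bps: int = 50) -> int:
    """Hardened form: turn the expected price into a floor and pass it to the pool."""
    expected_out = amount_in * expected_price_bps // 10_000
    min_out = expected_out * (10_000 - max_slippage_bps) // 10_000
    return pool.swap(amount_in, min_out)


if __name__ == "__main__":
    # Constructed skewed pool (e.g. a freshly seeded, unannounced pool): 500 in, 100 out.
    print(zap_unchecked(ConstantProductPool(500, 100), 100))  # executes, returns 16
    try:
        zap_checked(ConstantProductPool(500, 100), 100)
    except SlippageExceeded as exc:
        print("reverted:", exc)
```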

Nexus Mutual, an insurance alternative startup: two security researchers found a vulnerability in the Nexus Mutual protocol similar to the bZx bug, as well as vulnerabilities in Nexus Mutual's governance system. Nexus Mutual fixed them and paid a $7,000 bounty to the researchers who reported them.

Lending protocol dYdX: during this week's sharp price swings, users' short positions and rushed liquidations caused a surge in activity on dYdX, delaying transaction processing. This is not a vulnerability, but it would be a serious problem on a centralized exchange too, and one that cannot be ignored. So far, DeFi platforms have generally not been tested by a major market move.

2. Are flash loans an angel or a devil?

After the attack on bZx, flash loans became the target of public criticism. Three articles are recommended:

Part 1: "A Comprehensive Interpretation of Flash Loans: Why Will Flash Attacks Become the New Normal?" This article is a primer on flash loans, explaining their original purpose and the security issues they may bring to DeFi platforms in the future.

Part 2: "Flash Loans: A New DeFi Playbook, How to Attack MakerDAO for $700 Million". The author raises a very important warning: if no delay were introduced in the new governance contract, anyone could steal all of Maker's collateral and use flash loans to mint an unlimited amount of Dai. On February 21, Maker voted to activate the Governance Security Delay Module to prevent such attacks.

Part 3: "Vitalik: The Uniswap v2 Price Oracle Can Resist Flash Loan Attacks". This article was written by Guillermo Angeris, a member of the security analysis platform Gauntlet and a doctoral student at Stanford. After the bZx attack, Ethereum co-founder Vitalik Buterin retweeted it, saying that "the planned Uniswap v2 price oracle design is able to withstand the recent flash loan attack."
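To make the argument concrete, here is an added simulation (not code from the article or from Uniswap) of why a cumulative-price oracle resists a manipulation confined to a single block: the accumulator only records the price that held between state changes, so a price pushed and undone within one block contributes zero seconds. It assumes a fee-free constant-product pair with constructed reserves and exact fractions; the real Uniswap v2 contract uses fixed-point arithmetic and block timestamps, not the exact values here.

```python
from fractions import Fraction

class Pair:
    """Toy constant-product pair with a Uniswap-v2-style price accumulator."""

    def __init__(self, reserve0, reserve1, now):
        self.r0, self.r1 = Fraction(reserve0), Fraction(reserve1)
        self.price0_cumulative = Fraction(0)  # running sum of (r1/r0) * seconds
        self.ts_last = now

    def spot_price0(self):
        return self.r1 / self.r0

    def _update(self, now):
        # Accumulate the price that held since the last update, using the reserves
        # before this trade; a second trade in the same block (elapsed == 0) adds nothing.
        elapsed = now - self.ts_last
        if elapsed > 0:
            self.price0_cumulative += self.spot_price0() * elapsed
            self.ts_last = now

    def swap(self, amount_in, token_in, now):
        self._update(now)
        k = self.r0 * self.r1
        if token_in == 0:
            self.r0 += amount_in
            out = self.r1 - k / self.r0
            self.r1 -= out
        else:
            self.r1 += amount_in
            out = self.r0 - k / self.r1
            self.r0 -= out
        return out

    def cumulative_at(self, now):
        # Observer view: stored accumulator plus the current price carried to `now`.
        return self.price0_cumulative + self.spot_price0() * (now - self.ts_last)

def twap(pair, cum_start, t_start, now):
    return (pair.cumulative_at(now) - cum_start) / (now - t_start)

def manipulation_scenario(undo_time):
    """Dump 1000 borrowed ETH at t=100, buy it back at undo_time.
    Returns (spot price during the manipulation, TWAP over [0, 200])."""
    pair = Pair(1000, 200_000, now=0)                # constructed: 200 DAI per ETH
    cum_start = pair.cumulative_at(0)
    dai_out = pair.swap(Fraction(1000), 0, now=100)
    spot_during = pair.spot_price0()
    pair.swap(dai_out, 1, now=undo_time)            # restore reserves, repay the loan
    return spot_during, twap(pair, cum_start, 0, 200)
```

With the manipulation undone in the same block (`undo_time=100`) the spot price reads 50 while the TWAP stays at 200; holding it across a block boundary (`undo_time=113`) moves the TWAP only in proportion to the seconds it lasted, while the manipulator's position stays exposed to arbitrage for that whole time.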

3. What kind of oracles does DeFi need?

Because the bZx incident exposed problems with its price feed mechanism, bZx announced after the first attack that it would add the oracle platform Chainlink as one of its price sources.

On the 11th of this month, Chainlink stated that it would launch a "Meta Oracle" feature for DeFi projects, combining on-chain and off-chain data. Chainlink said that smart contracts can already access reliable off-chain data sources in a decentralized way, and that the "Meta Oracle" will aggregate data across chains.

However, on February 23, Chainlink announced that its XAG/USD feed had failed for up to 6 hours, causing a loss of less than $40,000. The incident was caused by a feature upgrade, and the feed has since returned to normal.

The article "What Kind of Oracle Does DeFi Need?" is also recommended.

4. Insurance: DeFi's last line of defense

Clearly there are no absolutely secure contracts, only vulnerabilities that have not yet been discovered, and DeFi platforms will face more security challenges in the future. Insurance is therefore the last line of defense for DeFi platforms. For example, after the bZx attack, the insurance project Nexus Mutual judged the losses eligible for compensation and set up a claims process for the victims, which will be carried out as its first claim.

On the 13th of this month, the decentralized financial risk management platform Opyn also announced insurance for Compound deposits: if the Compound contract is attacked, users can still recover their principal and interest. Opyn is not strictly an insurance platform but a two-sided market of put options. It aims to build an insurance layer for the crypto economy on top of the Convexity protocol.

Another recommended article: "The Patron Saint of DeFi: On the New Track of Insurance".

5. Compound plans to issue a token to improve its governance mechanism

After the bZx theft, the stolen funds flowed into Compound, and a discussion arose about whether Compound should use its administrator key. In fact, many DeFi protocols keep an administrator backdoor, including bZx, Dharma, Synthetix, Aave, and dYdX, so that the development team can intervene when a contract vulnerability occurs. But when such a backdoor may be used, and whether it contradicts the idea of decentralization, remains an open question.

I don't know if this is related to the bZx incident. On February 27, Compound announced the launch of its governance token COMP. The testnet of its experimental governance platform went live the same day, with a trial version of the COMP token. The governance codebase has been uploaded to GitHub and audited by OpenZeppelin; additional security audits are ongoing and will be released shortly.

Compound said it tokenized its dApp not to raise more funds but to strengthen the community's governance capabilities. COMP will not be available to the public until decentralization is complete. Compound employees, founders, and investors will receive a portion of the tokens, and another portion will be distributed on Ethereum in a way the company has not yet revealed. Once this is done, token holders will jointly govern Compound.