Inspiration from the bZx event: essentially more like a arbitrage manipulation using the DeFi protocol and products

Editor's Note: The original title was "Inspiration from the bZx Event"

The hacker's attack on bZx during the ETHDenver conference was like a precise ambush against DeFi. Although the amount of the loss was small, it obviously had some impact on the market situation over the past two days.

What is a bZx event?

Although many people call the bZx event an "attack event", it is more like a arbitrage manipulation using the DeFi protocol and products. "Attackers" make full use of the functions of DeFi's multiple protocols and products to obtain funds at a very low cost and realize profit by manipulating prices. The operation lasted more than ten seconds, which is the time of one block of Ethereum. It happened during the Ethereum block height 9484688 on February 15, 2020.

The whole operation is roughly as follows:

• ETHDenver, the largest Ethereum hacker in the U.S .: What are the continuous new projects for DeFi?
• Babbitt Column | Scientific Research Expenditure Model and Coin Development Fund Optimization Plan
• Technical Primer | Anatomy of Network Components in Libra

The first step is to borrow 10,000 ETH from dYdX through flash loan (Blue Fox Note: Flashloan, which can be borrowed without mortgage, but must be repaid within a block time).

In the second step, when the "attacker" got 10,000 ETH, it deposited 5,500 ETH into Compound as collateral, and lent 112 wbtc. This 112wbtc prepares for a subsequent sell-off.

The third step was to deposit 1,300 ETH into bZX, initiate a bZx margin transaction, borrow 5637.6 ETH, and obtain 51.3 wbtc through Kyber's Uniswap reserve, resulting in a huge slippage.

In the fourth step, the price of wbtc was more than tripled on Uniswap, and then the attacker sold 112wbct borrowed from Compound, which resulted in a return of 6871.4 ETH.

In the fifth step, the attacker returned a 10,000 dYdX flash loan. Then, the attacker's balance at this time is 71.4ETH. Among them, 6871.4ETH and unused 3200ETH add up to 10,071.4ETH. Therefore, after repaying the flash loan, 71.4ETH remains. In addition, the attackers still have positions in Compound and bZx. Among them, Compound has 5,500WETH collateral and 112wbtc debt, bZx has 4337WETH debt and 51wbtc collateral (bZx partly cannot). According to the market price, the attacker can redeem 112wbtc for about 4300ETH, so that means that the attacker returns 112wbtc (about 4300ETH) in return for 5500WETH, which is 1200ETH, and then adds 71.4ETH before, the attacker will make a profit At 1,271.4 ETH, at the time the price of ETH around 280 USD, the attacker made a profit of about 350,000 USD.

The other side of combinability without permission

DeFi is license-free and composable, and these "currency LEGOs" can support each other. The benefit is that products and services can be quickly built using other currency protocols. Starting with Maker's stablecoin Dai, it has constructed Compound's lending, Uniswap and kyber decentralized transactions, dydx margin transactions, pooltogether's crypto lotto, dAppHub's Chai token (Chai tokens are used to earn DSR interest Generated by Dai) … provides users with new open financial services.

This unique attribute belongs to DeFi, but it is also a double-edged sword. If one of the currency protocols fails, it will also affect other protocols or products. This zero-cost "attack" used functions such as flash loans, margin trading, mortgage lending, and decentralized transactions of different DeFi protocols and products. Among them, protocols and products are almost half of the DeFi field. DYdX, Compound, Uniswap / kyber, bZx, etc.

The "attack" was realized based on the composability of these license-free DeFi protocols and products. The power of this attack is that the attackers did not use their own funds and operated entirely through the use of DeFi protocols and products. The key is that flash loans do not require collateral, as long as they are repaid within an Ethereum block. Since there is no need to mortgage assets, this is also the key starting point for this bZx "attack" event to achieve the empty glove white wolf. In addition, the 5x margin transaction has led to the attacker being able to borrow a large amount of tokens at low cost. However, in order to finally achieve the goal, the "attacker" also needs to be achieved through price manipulation. The core of which is the price manipulation of WBTC / ETH. By pulling up WBTC (about 3 times the normal price), and then selling it to generate revenue.

In fact, this kind of incident is not the first time. Blue Fox Notes also mentioned the "attack incident" Synthetix "DeFi and the economic crisis in the crypto world".

Increased demand for decentralized oracles and DeFi insurance

Due to the potential security issues of DeFi, the bZx incident brought decentralized oracles and DeFi insurance into people's sight again. After this incident, bZx plans to cooperate with Chainlink, a decentralized oracle machine project, to prevent price manipulation. In addition to Chainlink, other decentralized oracles will also have demand, after all, the risk of a single oracle is relatively high. Currently, Tellor, Dos, Band, Nest and others are exploring the direction of decentralized oracles. Regarding the related content of the decentralized oracle, you can refer to the previous articles "ChainLink, the connection between the oracle and the two worlds," and "A text that reads Tellor: What is the difference between PoW oracles? ".

DeFi insurance is also increasingly important. In view of the potential security risks of DeFi, DeFi insurance can dispel many user concerns. DeFi insurance programs such as Nexus Mutual and Opyn have begun to provide insurance services for users. According to Nexus Mutual's disclosure, currently a total of 6 bZx users have purchased insurance on Nexus Mutual with a total value of $ 87,000 (most of them are two users, one for 50,000 Dai and one for 30,000 Dai) , If there is a loss can be claimed. In addition, Opyn has also begun to provide insurance services for users' pledged assets on Compound.

With the increase in the amount of locked-in funds in the DeFi field, the demand for decentralized oracles and DeFi insurance will increase accordingly. —— Risk Warning: All articles of Blue Fox Note cannot be used as investment advice or recommendations. Investment is risky. Investment should consider personal risk tolerance. It is recommended to conduct in-depth inspection of the project and make good investment decisions.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!