From this morning’s daily newsletter.
One of the more obvious predictions I made in my 2020 theses was that you’d see more big blow-ups in DeFi applications. Perhaps there will even be an event that proves to be a borderline existential crisis for DeFi…some attack on a major protocol that resets expectations surrounding the sector much like “The DAO” reset expectations around the viability of smart contract-powered funding pools back in 2016.
The most recent exploit comes from DeFi upstart bZx, which has now been hit not once, but twice in separate attacks (arbitrage plays?) that feed off of DeFi’s illiquidity and immature oracle infrastructure.
The Ethereum-based lending and trading platform had been rocketing up the DeFi Pulse rankings for the past several weeks until this weekend, when a hacker was able to make $300k in profits from a design vulnerability.
It seems the bZx hacker cleverly highlighted the limitations of building high-stakes applications today using “money legos.” The number of protocols employed to pull off the hack makes this feel almost performative.
As the bZx team explained:
1) The attacker borrowed 10,000 ETH in a flash loan from margin trading protocol dYdX (#6 on DeFi Pulse)
2) He then sent 5500 ETH to money market protocol Compound (#2) to collateralize a loan of 112 wrapped BTC, a synthetic ERC-20 token backed 1:1 by bitcoin (wBTC #11)
3) He then sent 1300 ETH to bZx Fulcrum’s (#13) “pToken sETHBTC5x”, a contract that opened a 5x short position against the ETH:wBTC ratio.
4) 5637 ETH was then automatically borrowed and swapped to 51 WBTC through decentralized exchange protocol Kyber’s (#13) reserve on automated market maker Uniswap (#5); the large slippage was possible because of the reserve’s illiquidity
5) The attacker swapped 112 wBTC borrowed from Compound to 6871 ETH on Uniswap,