bZx Fulcrum Attack and Insurance Test Case — why DeFi is being tested.

Add.xyz
Feb 15, 2020 · 4 min read

bZx currently ranks 8th on DeFi Pulse in terms of TVL, directly following the attack, with a total of $13.3M in value locked.

bZx Fulcrum’s money market protocol suffered a serious and complicated attack in the past 24 hours, resulting in a significant loss of funds for ETH depositors. The attacker launched a series of transactions across multiple protocols, including Compound, dYdX and Uniswap, to gain over $350k in profit at the expense of bZx Fulcrum’s ETH pool.

bZx Fulcrum’s team has made the decision to pause the protocol while they work out how the attack was mounted, account for the losses and architect a fix for the protocol.

Initial reactions were that bZx’s use of Uniswap price oracles could be the reason for the exploit, or that there was some kind of vulnerability in the smart contract, but as information emerges, the bZx team have stated that they use Kyber for price oracles. The episode does point towards oracles of the kind developed by Chainlink, which deter price manipulation at the cost of more centralisation.

Insurance in DeFi has been a growing topic within the community, and it is now being tested very early on for companies developing insurance systems. Nexus Mutual is one of those companies, which has an insurance pool active on Fulcrum. Interestingly, a vote is taking place among its users as to whether or not claims should be paid out for the Fulcrum attack.

Anxieties around the centralised nature of claims assessment have been raised in the DeFi community. As a test case, the Nexus Mutual response is very interesting, as it leaves full discretion to the stakeholders in the Mutual. Founder and CEO Hugh Karp stated in Nexus Mutual’s Discord that his independent view, based on the information at hand, is that “it appears as though this is price oracle manipulation and the smart contracts have acted as intended, this would indicate the claim should be declined, however members have full discretion to pay (or decline) claims as they wish”. He furthermore added that “it could be argued there is wider value to the mutual by accepting this claim, because: it proves the mutual can pay claims, and therefore more cover purchases are likely to be encouraged”.

While the full information has not yet been published by bZx, this is a great test case for the DeFi community in building trust and showing the need for more decentralised financial applications in the ecosystem.

While users within the Mutual discuss whether to accept the claims for the greater good and value of the DeFi ecosystem, or to specifically deny them because this was not a technical smart contract issue, elements of the ever-important consensus decision-making process are evidently at play.

A closer look at the Attack — Market Action/Manipulation or SC Attack?

According to Twitter user @dsearch3r, this is what the attacker did:

1. The TX used a flash loan from dYdX to get 10,000 ETH.

2. He put 50% on Compound and 50% on bZx (Fulcrum uses the bZx protocol).

3. He borrowed 112 WBTC (an ERC20 analogue of BTC) from Compound.

4. He shorted WBTC on bZx with roughly half of the 10,000 ETH.

5. He threw the 112 WBTC onto Uniswap, probably to push down the price.

6. He profited from the short.

7. He paid back the 10,000 ETH flash loan to dYdX.

8. The original contract has 1 million ETH in Compound and 650k of debt in WBTC, so he will have around ~350k in profit.

Concerns raised by think tanks at the beginning of 2020, placing predictions across the blockchain space, stated that DeFi would be under threat of a major attack. What’s clear is that lines are being drawn up as the $1 billion locked into DeFi lures and incentivises more malicious actors to attack the ecosystem.

But how do we as a community assess a hack? Smart contract audits are a regular scenario now; they are carried out by serious security experts and to some degree have stood the “test of time”, an important parameter.

However, with static objects such as smart contracts that are embedded in economic and market dynamics, can a clever malicious actor slowly work out and execute a multifaceted action against the market in order to achieve monetary gain? Are we entering the next generation of ‘vulnerability’, whereby the smart contracts themselves work as intended, yet can still be manipulated at the extremes?
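The two questions above, and the oracle point raised earlier (Uniswap spot price versus Kyber or Chainlink-style feeds), can be made concrete with a small model. The following is an added example written for this article, not code from bZx, Uniswap, Kyber or Chainlink: it models a constant-product pool with constructed reserves (100 WBTC against 4,000 ETH, swap fees ignored), pushes the 112 WBTC sale from the step list above through it in a single block, and then compares how three oracle designs would value WBTC in that same block: the raw pool spot price, a ten-block time-weighted average (TWAP), and a median across three venues (the two untouched venue quotes of 40.0 and 40.2 ETH are constructed). A deviation guard of 5% against the TWAP is shown as the simplest check a lending contract could apply before trusting a reading.

```python
from dataclasses import dataclass
from statistics import median
from typing import Sequence


@dataclass
class ConstantProductPool:
    """Minimal x*y = k automated market maker, swap fee ignored.

    Constructed model for illustration; not bZx, Uniswap or Kyber code.
    """
    reserve_token: float  # e.g. WBTC held by the pool
    reserve_eth: float    # ETH held by the pool

    def spot_price(self) -> float:
        """ETH per token, exactly as a naive on-chain reader would see it right now."""
        return self.reserve_eth / self.reserve_token

    def sell_token(self, amount: float) -> float:
        """Sell `amount` tokens into the pool; returns the ETH paid out and updates reserves."""
        k = self.reserve_token * self.reserve_eth
        new_token = self.reserve_token + amount
        new_eth = k / new_token
        eth_out = self.reserve_eth - new_eth
        self.reserve_token, self.reserve_eth = new_token, new_eth
        return eth_out


def twap(samples: Sequence[float]) -> float:
    """Time-weighted average over equally spaced price samples (one per block)."""
    return sum(samples) / len(samples)


def deviation_bps(candidate: float, reference: float) -> float:
    """Absolute deviation of `candidate` from `reference`, in basis points."""
    return abs(candidate - reference) / reference * 10_000


def accept_price(candidate: float, reference: float, max_bps: float) -> bool:
    """Oracle sanity check: reject a reading that strays too far from the reference."""
    return deviation_bps(candidate, reference) <= max_bps


def run_scenario() -> dict:
    # Constructed pool: 100 WBTC against 4,000 ETH, i.e. 40 ETH per WBTC.
    pool = ConstantProductPool(reserve_token=100.0, reserve_eth=4000.0)
    calm_history = [pool.spot_price()] * 9  # nine prior blocks with no large trades
    before = pool.spot_price()

    # A single sale of 112 WBTC (the size quoted in the step list) lands in this
    # thin pool within one transaction; the pool re-prices mechanically.
    eth_received = pool.sell_token(112.0)
    after = pool.spot_price()

    # Three ways a lending protocol could value WBTC collateral in that block:
    spot_reading = after                              # 1) raw spot price from the pool
    twap_reading = twap(calm_history + [after])       # 2) 10-block TWAP including this block
    other_venues = [40.0, 40.2]                       # constructed quotes from two untouched venues
    median_reading = median(other_venues + [after])   # 3) median across three sources

    return {
        "price_before": before,
        "price_after": after,
        "eth_received": eth_received,
        "spot_reading": spot_reading,
        "twap_reading": twap_reading,
        "median_reading": median_reading,
        # A 5% guard comparing spot against the TWAP rejects the manipulated reading.
        "spot_accepted": accept_price(spot_reading, twap_reading, max_bps=500),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>16}: {value}")
```

The pool does exactly what its code says at every step, yet the spot price falls from 40 to roughly 8.9 ETH per WBTC inside one block, which is the "works as intended but manipulable at the extremes" case. The TWAP still reads close to 37 and the three-venue median reads 40, and the deviation guard refuses the spot value; the trade-off is that a TWAP lags genuine moves and a multi-source median depends on who operates the other sources, which is the centralisation cost mentioned above.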

It raises important questions regarding the equilibrium between decentralised and centralised components in DeFi. Admin keys are being used to pause contracts, and Compound could technically confiscate funds from the attacker (which is where the attacker’s gains are now sitting), but this would come at the cost of destroying trust within DeFi. The coming days and weeks will hold important discussions for DeFi and the tensions between control and freedom.

Numerous security experts and auditing companies have stepped forward to help Fulcrum with architecting a fix. Furthermore, Fulcrum announced that it would come up with a comprehensive plan to compensate lenders. Other leading protocol teams will undoubtedly be studying the attack and drawing up actions which may need to be taken to protect their protocols from being used in such a way.

As the situation is still being assessed, it’s not clear whether it was simply a complicated market action which led to the protocols being exploited, or a flaw within the architecture of Fulcrum and its smart contracts. Nevertheless, DeFi is being tested, and it’s up to the innovators in the space to learn from the lessons and mistakes made.

Arnie Hill, Founder of Plutus DeFI
