DENVER – Decentralized finance (DeFi) venture bZx has endured an assault in which a programmer effectively gamed different DeFi protocols to extricate $350,000 from the platform.

Accordingly, the organization brought down its loaning and exchanging convention Fulcrum at 7:00 UTC. The organization was exhibiting at ETHDenver during the hack. The programmers exploited the organization’s estimating prophet to fool the convention into surrendering the money. bZx relied upon just a single prophet for evaluating, as indicated by sources.

The firm, which presently can’t seem to return at EthDenver, later affirmed in a tweet it will remunerate loan specialists for potential misfortunes.

The attack could be symptomatic of a continuing issue in DeFi, said Chainlink CEO Sergey Nazarov at the event: how to source price information.

The attack was even more notable because of its timing as the team had to deal with the hack during the ethereum community’s EthDenver hackathon, which largely focuses on DeFi.

bZx stickers at ETHDenver. (Photo by John Biggs for CoinDesk)

Nazarov said that sourcing price data from one oracle – services that collect and issue on-chain price information – remains problematic and one DeFi teams are still working out, although its relation to this issue has yet to be firmly established, he added.

“You can’t rely on [only] one oracle connected with an exchange API,” Nazarov said.

Staked CEO Tim Ogilvie, which operates a working relationship with bZx, said the loss amounts to an expensive bug bounty and highlights the novelty of flash loans, a new DeFi feature which allows traders to borrow and return funds in short windows the hacker leveraged for the attack.

According to Ogilvie, the attacker borrowed 10,000 ETH, worth approximately $2.67 million, in a flash loan.

The attacker then split the borrowed funds, sending 5,000 ETH to DeFi protocol Compound and the other half to bZx. After the deposits, the attacker shorted wrapped bitcoin (WBTC) on bZx quickly followed by borrowing 112 WBTC on Compound, worth about $1.1 million, and selling the borrowed WBTC on UniSwap, another DeFi market, said Ogilvie.

Ogilvie said, which the firm denied on Twitter, that bZx uses UniSwap’s price feed for WBTC. When the attacker dropped the $1.1 million worth of WBTC on UniSwap, their bZx short became extremely profitable, said Ogilvie.

“The question for DeFi is what’s safe? How do you create a safe and secure set of [price] oracles that actually do things? People use different approaches and you can choose the wrong way,” Ogilvie said.

“There are big risks. It’s a new category, it’s moving fast and that means some things are going to break,” Ogilvie said.

Total value locked in bZx. (Image via DeFi Pulse)

The eighth-largest DeFi market according to DeFi Pulse, 16 percent of funds locked in bZx have been withdrawn from the protocol in the past 24 hours.

Leave a Reply

Your email address will not be published. Required fields are marked *