Ethereum-based credit protocol bZx: Lessons learned from million-dollar hack

March 12, 2020 (Ethereum)
  • The company behind the Ethereum-based decentralized credit protocol bZx draws its lessons from the million dollar hack.
  • bZx will increase its insurance fund with revenue from Kyber and integrate Chainlink’s oracle technology.

The hack of the decentralized credit protocol bZx has shocked the DeFi and Ethereum community. The bZx co-founder has now published a final statement on the matter and stated that the seventh largest decentralized financial platform is planning a new beginning. In a recent blog post entitled “Mea Culpa: A New Beginning”, Kistner writes that he takes full responsibility for the vulnerability.

In February, the DeFi platform fell victim to two hacks in quick succession. The first hack was described by the crypto community as very sophisticated and at the same time called the security of the DeFi ecosystem into question. The hacker was able to steal over a million US dollars in Ethereum (ETH) by using “flash loans” across the Fulcrum platform and other DeFi platforms, including Compound, another popular DeFi platform. In the final report, Kistner describes the approach of the first hacker:

The attacker borrowed 7,500 ETH on iETH using the flashBorrowToken() function. He then converted 900 ETH for 155,994 sUSD on Kyber and then converted 3,518 ETH for 943,837 sUSD with Synthetix’ exchangeEtherForSynths(), at a price of 0.0037 sUSD/ETH (healthy rate). Next, the attacker borrowed 6,796 ETH on bZx and sent 1,099,841 sUSD, at a price of 0.006 sUSD/ETH (distorted rate). The attacker then remitted 7,500 ETH back to bZx to repay the credit, yielding a profit of 2,378 ETH.

Kistner further claims in the blog post that although funds have been lost, the users’ money is still safe:

Funds have been lost, and yet we claim that user funds are safe. This is possible because the company and the protocol stakeholders are absorbing the losses instead of the users. The cash flows of the company and the protocol are being directed to the insurance fund, where they will wait until the debt is due. Given the current value of the insurance fund and its annualized rate of growth, it should be more than able to cover the loss at the time it needs to be realized in the year 2285 AD.

In addition, according to Kistner, changes will be made to the protocol, allowing the insurance fund to cover the losses more quickly:

We will be making changes to the way the insurance fund accrues value in order to expedite its ability to cover the loss as soon as possible. Conservatively, we will be able to increase the proportion of value capture by more than an order of magnitude. […] We will be introducing two additional streams of revenue: trading revenue and arbitrage. The company currently earns substantial revenue in its capacity as a Kyber affiliate.

The company currently generates income in its capacity as a Kyber affiliate. These revenues will be transferred away from the company and into the insurance fund.

Lessons from the bZx Hack

As Kistner continues, there are some lessons that the company has learned. First and foremost, according to Kistner, it was negligent to quietly deploy the flash loan feature to mainnet without an audit.

The willingness to publish unchecked code is a renunciation of the trust placed in us to write secure financial software.

Since insufficient price data was one of the causes of the hack, the company will integrate the oracle technology of Chainlink to obtain reliable and decentralized price data, as CNF reported.
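The attack walkthrough above shows a lender pricing collateral at a rate that a single large trade had just distorted, and this paragraph names the fix: price data drawn from more than one source. The following toy simulation, added here as an illustration and not code from bZx, Kyber or Chainlink, shows both halves: a constant-product pool whose spot price moves with one flash-loan-sized swap, a naive lender that over-lends at that price, and a median-plus-deviation check that refuses it. All reserves, prices and feed values are constructed numbers.

```python
from statistics import median


class ConstantProductPool:
    """Toy x*y=k pool. Reserves are constructed numbers, not Kyber's real state."""

    def __init__(self, eth_reserve, susd_reserve):
        self.eth = float(eth_reserve)
        self.susd = float(susd_reserve)

    def susd_price_in_eth(self):
        """Spot price of 1 sUSD in ETH, as a naive on-chain oracle would read it."""
        return self.eth / self.susd

    def swap_eth_for_susd(self, eth_in):
        """Sell ETH into the pool; this single trade moves the spot price."""
        k = self.eth * self.susd
        new_eth = self.eth + eth_in
        susd_out = self.susd - k / new_eth
        self.eth, self.susd = new_eth, self.susd - susd_out
        return susd_out


def max_borrow_eth(collateral_susd, susd_price_in_eth, ltv=0.5):
    """ETH a lender hands out against sUSD collateral at the price it is given."""
    return collateral_susd * susd_price_in_eth * ltv


def robust_price(source_prices, reference, max_deviation=0.05):
    """Median over independent sources; None if it strays too far from a slow reference."""
    m = median(source_prices)
    if abs(m - reference) / reference > max_deviation:
        return None  # refuse to lend on a price the sources do not agree on
    return m


def simulate():
    """Compare a single-pool spot oracle with a median + deviation check."""
    pool = ConstantProductPool(eth_reserve=1_000, susd_reserve=200_000)
    fair = pool.susd_price_in_eth()             # 0.005 ETH per sUSD
    pool.swap_eth_for_susd(500)                 # one large trade, flash-loan sized
    distorted = pool.susd_price_in_eth()        # 0.01125 ETH per sUSD
    collateral = 100_000                        # sUSD posted as collateral
    naive = max_borrow_eth(collateral, distorted)   # over-lends: 562.5 ETH
    honest = max_borrow_eth(collateral, fair)       # 250 ETH
    other_sources = [distorted, 0.0050, 0.0051]     # constructed independent feeds
    checked = robust_price(other_sources, reference=fair)   # 0.0051, accepted
    only_pool = robust_price([distorted], reference=fair)   # None, rejected
    return {"fair": fair, "distorted": distorted, "naive": naive,
            "honest": honest, "checked": checked, "only_pool": only_pool}
```

The reference price stands in for a slow-moving or off-chain feed; the point is that a lender which reads one pool's spot price lends 562.5 ETH where the same collateral is worth 250 ETH at the undistorted rate.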


Last Updated on 12 March, 2020
