DeFi protocols are growing fast, with more funds than ever locked in smart contracts. But two recent exploits have highlighted their vulnerabilities, and led critics to suggest they are not as decentralized as they appear to be.
bZx, the seventh-largest DeFi protocol with over $18 million worth of funds locked, has lost $350,000 and $645,000 worth of Ether in two separate exploits over the last few days.
The perpetrators, who can be seen as either legitimate arbitrageurs or malicious hackers depending on your perspective, used ‘flash loans’ to borrow funds, funneled them through a sophisticated route of different protocols, and traded in such a way that bZx was left short of funds. The supposedly decentralized protocol then had to fall back on an admin key to halt the platform and recover the lost funds.
2 hacks in 5 days
As former Google engineer Korantin Auguste explained in a blog post, both attacks exploited the ‘flash loans’ offered by several DeFi lending protocols.
These loans let traders borrow huge amounts of liquidity with no collateral at all, on one condition: the loan must be repaid within the same transaction. If it is not, the whole transaction reverts and the borrower never had the money. That lets traders capitalize on price differences between venues without putting up capital of their own, and it also means an attacker with almost no funds can move a market with borrowed ones.
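The atomicity described above is the whole reason a flash loan needs no collateral. The following added example (not code from bZx, dYdX, Fulcrum or the blog post; all names, prices, the 0.09% fee and the balances are constructed) simulates it with a snapshot and rollback: a lender hands out 10,000 ETH, the borrower buys a token on one fixed-price venue and sells it on another, and the lender checks repayment plus fee at the end of the same "transaction". When the spread covers the fee the trader keeps the difference; when it does not, every state change is undone and the trader walks away with exactly what it started with.

```python
"""Toy model of why a flash loan needs no collateral (added illustration).

An EVM transaction is atomic: every state change commits, or none does. A
flash lender relies on that: it hands out funds, lets the borrower do
anything, then checks at the end of the same call that it has been repaid
plus a fee. If not, it reverts and the borrower never had the money.
Not bZx/dYdX/Fulcrum code; prices, fee and balances are constructed.
"""
from copy import deepcopy
from typing import Callable, Dict, Tuple

Account = Tuple[str, str]  # (holder, asset)


class RevertError(Exception):
    """The simulated transaction failed; all of its state changes are undone."""


class Ledger:
    """Shared on-chain state: balances of every (holder, asset) pair."""

    def __init__(self, balances: Dict[Account, int]):
        self.balances = dict(balances)

    def transfer(self, src: str, dst: str, asset: str, amount: int) -> None:
        if amount < 0 or self.balances.get((src, asset), 0) < amount:
            raise RevertError(f"{src} cannot pay {amount} {asset}")
        self.balances[(src, asset)] -= amount
        self.balances[(dst, asset)] = self.balances.get((dst, asset), 0) + amount


class Venue:
    """Fixed-price market maker standing in for a DEX (constructed, not real)."""

    def __init__(self, name: str, eth_per_token: int):
        self.name, self.price = name, eth_per_token

    def buy(self, ledger: Ledger, trader: str, qty: int) -> None:
        ledger.transfer(trader, self.name, "ETH", qty * self.price)
        ledger.transfer(self.name, trader, "TOKEN", qty)

    def sell(self, ledger: Ledger, trader: str, qty: int) -> None:
        ledger.transfer(trader, self.name, "TOKEN", qty)
        ledger.transfer(self.name, trader, "ETH", qty * self.price)


class FlashLender:
    FEE_BPS = 9  # assumed 0.09% fee; not any real protocol's figure

    def __init__(self, name: str):
        self.name = name

    def fee(self, amount: int) -> int:
        return amount * self.FEE_BPS // 10_000

    def flash_loan(self, ledger: Ledger, borrower: str, amount: int,
                   callback: Callable[[Ledger, int], None]) -> None:
        snapshot = deepcopy(ledger.balances)          # start of the "transaction"
        owed = ledger.balances[(self.name, "ETH")] + self.fee(amount)
        try:
            ledger.transfer(self.name, borrower, "ETH", amount)
            callback(ledger, amount)                  # borrower's arbitrary logic
            if ledger.balances[(self.name, "ETH")] < owed:
                raise RevertError("flash loan not repaid with fee")
        except RevertError:
            ledger.balances = snapshot                # atomic rollback
            raise


def run_flash_arbitrage(price_a: int, price_b: int, loan: int = 10_000):
    """Borrow `loan` ETH, buy TOKEN at venue A, sell at venue B, repay.

    Returns (reverted, trader_eth, lender_eth) after the transaction.
    """
    ledger = Ledger({
        ("lender", "ETH"): loan,
        ("trader", "ETH"): 0,                 # trader starts with nothing
        ("venueA", "TOKEN"): 1_000_000,
        ("venueB", "ETH"): 1_000_000,
    })
    lender = FlashLender("lender")
    a, b = Venue("venueA", price_a), Venue("venueB", price_b)

    def strategy(led: Ledger, amount: int) -> None:
        qty = amount // a.price
        a.buy(led, "trader", qty)
        b.sell(led, "trader", qty)
        led.transfer("trader", lender.name, "ETH", amount + lender.fee(amount))

    try:
        lender.flash_loan(ledger, "trader", loan, strategy)
        reverted = False
    except RevertError:
        reverted = True
    return reverted, ledger.balances[("trader", "ETH")], ledger.balances[("lender", "ETH")]


if __name__ == "__main__":
    print(run_flash_arbitrage(100, 101))  # spread covers the fee: (False, 91, 10009)
    print(run_flash_arbitrage(100, 99))   # spread negative: (True, 0, 10000)
```

The point to take from the failing case is that the lender is never exposed: a borrower who cannot repay does not default, the loan simply never happens. The risk lands instead on whichever protocol in the middle of the route lets the borrowed capital change a price or open a position it should not have.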
The first flash loan exploit was carried out on Valentine’s Day during the ETHDenver conference and involved a complex series of trades on bZx’s lending platform Fulcrum.
As the official post-mortem blog describes, the attacker took out a flash loan of 10,000 ETH from dYdX, split the funds, funneled them through different protocols and traded them against each other to make a profit of 1,193 ETH, currently worth around $298k.
The second exploit, which took place on Tuesday, also used a flash loan to open an under-collateralized position on bZx, but followed a different method. This resulted in an estimated loss of 2,388 Ether ($645k).
DeFi vs CeFi
The exploit itself, and bZx’s decision to quickly shut down Fulcrum using a distinctly non-decentralized master key, have both attracted criticism.
Litecoin creator Charlie Lee called DeFi a "decentralization theatre" that represents “the worst of both worlds” — worse than centralized platforms because they are less secure, and yet still vulnerable to being shut down by a centralized party.
Others, including investor Ari David Paul, suggest the incident is just a speed hump on the road to a mature DeFi ecosystem, and that exposing vulnerabilities at such an early stage is healthy in the long-term. "The more of this that happens, the sooner the better. We want the bug bounties claimed before DeFi poses a systemic risk," tweeted Paul.