We Play Coins

$298250 made in Sophisticated Crypto Attack: bZx exchange

By We Play Coins
Added on Feb 18, 2020

Attackers made $298,250 in a sophisticated attack on the crypto exchange bZx, according to a report by bZx. The exchange was the target of the attack, and the attackers walked away with a profit of almost $300,000.

The Attack

  • A flash loan from dYdX for 10,000 ETH was opened.
  • 5500 ETH was sent to Compound to collateralize a loan of 112 wBTC.
  • 1300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETHBTC ratio.
  • 5637 ETH was borrowed and swapped to 51 wBTC through Kyber’s Uniswap reserve, causing large slippage.
  • The attacker swapped the 112 wBTC borrowed from Compound to 6871 ETH on Uniswap, resulting in a profit.
  • The flash loan of 10,000 ETH from dYdX was paid back from the proceeds.

The total profit from this sequence of events was 1193 ETH, currently worth $298,250 @ $250/ETH. For a complete call-by-call analysis of the attack, it is recommended that you read the latest PeckShield analysis.

The Impact

This has resulted in an undercollateralized loan on the platform. Note that this is not yet a loss, but has the potential to become a loss. This is not semantics, and it’s critical to understanding our options going forward. According to our calculations, the collateral currently residing in our vault is enough to service interest payments at market rates on the loan for hundreds of years if nothing is done. However, there is an element of volatility risk since the collateral is in wBTC, the interest is denominated in ETH, and interest is only converted into ETH every 28 days. If we assume a borrow rate of .2% APY (supply rates on other lending protocols are around .02 – .05%) then it requires 9.396 ETH per year to service the debt.

The wBTC can currently be converted to 1902.26 ETH at current prices at the time of writing. This means that the debt can be serviced with the current collateral for the next 202 years. When the collateral runs out in the year 2222, there will be a 4698.02 ETH loss that will be socialized across the entire lending pool. If we used the administrator key to liquidate the wBTC into ETH, we could eliminate the impact of market volatility and guarantee that the debt would settle on this date. For even the most reasonably conservative discount rates, the net present value of this negative cash flow approaches zero.

Lastly, by only realizing the debt far off into the future, we give time for the insurance fund of the protocol, which was designed to prevent lender losses, to get large enough to comfortably cover the costs.
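The debt-servicing arithmetic in this section can be reproduced and stress-tested. The following is an added example, not part of the bZx report: it uses the report's figures, and assumes simple non-compounding interest paid out of the collateral, a constant borrow rate, and illustrative discount rates, price shocks and alternative borrow rate that do not come from the report.

```python
import math

# Figures quoted in the report above.
DEBT_ETH = 4698.02        # loss socialized once the collateral runs out
COLLATERAL_ETH = 1902.26  # ETH value of the wBTC collateral at time of writing
BORROW_RATE = 0.002       # 0.2% per year, the report's assumed borrow rate


def annual_interest(debt_eth, rate):
    """Interest owed per year on a debt whose principal is never repaid."""
    return debt_eth * rate


def runway_years(collateral_eth, debt_eth, rate):
    """Whole years the collateral can pay interest before it is exhausted."""
    return math.floor(collateral_eth / annual_interest(debt_eth, rate))


def npv_of_loss(debt_eth, years, discount_rate):
    """Present value of realizing the full debt as a loss `years` from now."""
    return debt_eth / (1 + discount_rate) ** years


def sensitivity(price_shocks, borrow_rates):
    """Runway for each (wBTC/ETH price shock, borrow rate) pair.

    A shock of -0.5 means wBTC halves against ETH before the collateral
    is converted; shocks and rates here are assumptions for illustration.
    """
    table = {}
    for shock in price_shocks:
        for rate in borrow_rates:
            shocked = COLLATERAL_ETH * (1 + shock)
            table[(shock, rate)] = runway_years(shocked, DEBT_ETH, rate)
    return table


if __name__ == "__main__":
    years = runway_years(COLLATERAL_ETH, DEBT_ETH, BORROW_RATE)
    interest = annual_interest(DEBT_ETH, BORROW_RATE)
    print(f"interest/year: {interest:.3f} ETH, runway: {years} years")
    for d in (0.01, 0.03, 0.05):  # assumed discount rates
        print(f"NPV of loss at {d:.0%}: {npv_of_loss(DEBT_ETH, years, d):.2f} ETH")
    for (shock, rate), yrs in sensitivity((0.0, -0.5), (0.002, 0.02)).items():
        print(f"wBTC/ETH {shock:+.0%}, borrow rate {rate:.1%}: {yrs} years")
```

The output shows how strongly the runway and the present value of the loss depend on the assumed borrow rate, discount rate and wBTC/ETH price.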

Conclusion from the report

The core of the debate here is whether we should be ruled by machines or by economics. When you have an immutable contract that can’t be upgraded, you are ruled by machines. When the power to exist is distributed among representative stakeholders, you are ruled by economics. Both are valid methods of implementing decentralization. Unfortunately, many commentators have exhibited some degree of confusion, seeming to believe that upgradability precludes decentralization.