Trader Exploits bZx Oracle for $330,000 Profit

Feb 15th 2020


Clever trader cracks DeFi.

A trader took full advantage of bZx’s use of a price oracle by crashing the price of wBTC after opening a 5,000 ETH wBTC short on the platform.

Breaking Down the Trade

What started as just another day in DeFi has ended in an episode of drama and reflection. A trader used the flash loans functionality to profit off bZx’s use of a price oracle.

bZx uses oracles for pricing its internal products. This particular trader took a 10,000 wETH flash loan from dYdX and split the corpus into two: one half was deposited into Compound and the other half into bZx’s Fulcrum protocol.

The Compound portion of the deposit was used as collateral to borrow 112 wBTC and the 5,000 wETH deposited into Fulcrum was a long position perpetual swap on sETH/wBTC, as per the transaction details from EtherScan.

112 wBTC was then dumped into Uniswap. This caused a major decrease in Uniswap’s wBTC price as this accounts for 14.6% of the total supply for wBTC. As a result, this trader pocketed just over $1 million in revenue as the sETH/wBTC price went up due to bZx’s reliance on Uniswap for prices.

wBTC was likely chosen by the trader because of its low supply and liquidity in the market. This translated to a steeper decline in price.

This trader was left with close to $690,000 worth of debt, and after paying off the 10,000 wETH loan, they walked away with close to $330,000.

Even after being hit with massive slippage from the sale of a chunk of wBTC, the trader still came out of the trade victorious. Net profit for Uniswap liquidity providers fell as a result of this, and this was the highest volume day for Uniswap’s wBTC market since the DEX’s inception.

Source: ZumZoom

Oracle Deficiencies Come to Light

The DeFi community has constantly discussed the possibility of using Uniswap as a resilient, permissionless price oracle for protocols and dApps. However, the risk of using a single source of truth for a protocol opens it up to incidents like this, where oracles are exploited for profit.

ChainLink, for example, draws the price of an asset from multiple sources. If bZx had used ChainLink, Uniswap’s wBTC price would’ve accounted for just a portion of the total price. Other sources such as Kyber, Switcheo, IDEX, and Bitfinex would also have been used.

To conduct a similar attack on a network that uses multiple price inputs, one would have to force the price of an asset down across the various exchanges from which price inputs are taken.
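The difference between a single-source price and a multi-source price can be put in numbers. The following is an added example, not code from the article or from any of the projects it names: it models one constant-product (x*y=k) pool with a 0.3% fee, assumes the aggregator takes a median (the article only says multiple sources are used), and runs on constructed reserves and venue prices.

```python
from statistics import median


def spot_after_sale(reserve_base, reserve_quote, sold_base, fee=0.003):
    """Quote-per-base spot price of an x*y=k pool after `sold_base` is sold into it."""
    effective_in = sold_base * (1 - fee)  # the fee is taken from the input amount
    quote_out = reserve_quote * effective_in / (reserve_base + effective_in)
    return (reserve_quote - quote_out) / (reserve_base + sold_base)


def aggregate(prices, max_deviation=0.05):
    """Return (median price, sources further than max_deviation from the median)."""
    mid = median(prices.values())
    outliers = sorted(n for n, p in prices.items() if abs(p - mid) / mid > max_deviation)
    return mid, outliers


def compare(reserve_base, reserve_quote, sold_base, other_sources):
    """Price move seen by a single-pool oracle vs. a median over several sources."""
    before = reserve_quote / reserve_base
    after = spot_after_sale(reserve_base, reserve_quote, sold_base)
    agg_before, _ = aggregate({"amm_pool": before, **other_sources})
    agg_after, outliers = aggregate({"amm_pool": after, **other_sources})
    return {
        "single_source_move": after / before - 1,  # what a one-pool oracle reports
        "median_move": agg_after / agg_before - 1,  # what the aggregate reports
        "flagged": outliers,                        # sources to alert on or drop
    }


# Constructed sample data: a thin pool priced at 40.0 and three independent venues.
SAMPLE_OTHERS = {"venue_b": 40.1, "venue_c": 39.9, "venue_d": 40.0}

if __name__ == "__main__":
    for key, value in compare(1000.0, 40000.0, 150.0, SAMPLE_OTHERS).items():
        print(key, value)
```

With these constructed numbers the pool's own price falls by roughly a quarter while the median moves by about a tenth of a percent, and the deviation check names the pool as the outlier.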

It’s important to note that this wasn’t a hack or unethical move of any sort. The trader simply found an exploit and gamed the bZx protocol. Decentralized systems need to be robust on their own, without human intervention.

Earlier, Crypto Briefing claimed the reason the trader used Uniswap was that bZx used Uniswap as a price oracle for the protocol. The bZx team has since refuted these comments, with co-founder Kyle Kistner stating “we can mostly say what didn’t happen more than what did at this point.”

People in the DeFi community still speculate that there is a connection between bZx and Uniswap that explains the scenario. bZx claims the trader exploited a comprehensive vulnerability in the smart contract and an upgrade has already been deployed to curb this from happening in the future. The project has additionally stated that they use Kyber as a price oracle and query the bid and ask components of orders.

Oracles are a critical piece of infrastructure for permissionless systems. Protocols like ChainLink help streamline this process and ensure price manipulation on one platform does not meaningfully affect the end result for their clients.

Incidents like this will only push DeFi protocols to implement better standards. This one event will go a long way in improving the overall robustness of DeFi.

Original source of article - https://cryptobriefing.com/trader-exploits-bzx-oracle-330000-profit/