
Editor's Note: This article comes from First Class Warehouse Blockchain Research Institute (ID: first_vip1), reprinted by Odaily with authorization.
Arbitrageurs used DeFi to earn about $900,000 in a matter of seconds. The incident has been thought-provoking from the moment it surfaced.
Last weekend's bZx attack, which took place in the United States, dealt a heavy blow to decentralized finance (DeFi).
DeFi fans, today's focus is the bZx "attack", the first major attack on DeFi. Why is the word "attack" placed in quotation marks? Why are users questioning whether DeFi is decentralized enough? There are many issues to explore, among them the potential loopholes in price oracles.
DeFi strengthens the financial system, but it also amplifies financial attacks.
In simplified form, the trader took out a flash loan without posting any collateral, used part of it to open a leveraged short or long position on a token, and used the rest to buy that token in a low-liquidity market, pushing its price up so that the position could be closed at a profit.
(Figure: first attack)
Building blocks have two sides
There are a few things worth noting about these attacks. First, they underscore the sheer power of composable financial products, known as "money Legos". The trader was able to exploit these vulnerabilities precisely because the system is so seamlessly interconnected.
A loan from a lending platform is used to open a 5x short on another trading platform. One exchange draws liquidity from a second exchange. Prices on one exchange affect contracts on a second exchange. This tight coupling makes faster, cheaper and more innovative financial products possible, but the added complexity also creates new attack paths and leaves the system vulnerable. Builders face a learning curve in defending these systems and blocking attacks.
Assigning responsibility
In the first attack, a bug in bZx's code allowed the attacker to open a 5x short position and execute the trade even though the position left the protocol with a large uncovered liability. The system should have rejected the transaction, but because of the bug it did not.
bZx took its prices from Kyber Network, a decentralized exchange. Many, including Uniswap founder Hayden Adams, pointed out in interviews that using the current spot price as an oracle, rather than a solution such as a time-weighted average price (TWAP), is risky.
bZx co-founders Kyle Kistner and Tom Bean said in an interview that the oracle price played no role in the first attack, but a tweet from the bZx account said the oracle was manipulated in the second attack. The founders then decided to add the Chainlink oracle to supplement Kyber's price. Ethereum founder Vitalik Buterin said on Twitter that version 2 of Uniswap will prevent such attacks.
While it is natural to blame the attackers, opinions are divided over whether blame is even warranted. One view is that the attackers simply knew how to use the DeFi money Legos correctly and were handsomely rewarded for arbitrage. Another is that this was a genuine attack in which the trader abused the protocol by exploiting vulnerabilities in bZx's system.
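To make the two points above concrete, the simplified attack pattern (a flash-loan-funded buy in a thin market moving the price) and the spot-price-versus-TWAP argument, here is an added Python simulation. It is example code written for this page, not code from bZx, Kyber, Uniswap or Chainlink. The `Pool`, `TwapOracle`, `collateral_sufficient` and `simulate` names, the reserve numbers, the borrower position and the 150% collateral ratio are all constructed for illustration; the accumulator follows the Uniswap v2 idea of adding the price that held since the previous update, weighted by elapsed blocks. The example also goes one step past the page's account by showing what the TWAP reports if the attacker holds the skewed reserves for a further block.

```python
"""Spot-price oracle manipulation vs. a time-weighted average price (TWAP).

Added example for this article; not code from bZx, Kyber or Uniswap.
All numbers (reserves, borrower position, collateral ratio) are constructed.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (x * y = k); the trading fee is ignored.

    reserve_base is the thin asset (think WBTC), reserve_quote the asset the
    attacker pours in (think ETH).
    """
    reserve_base: float
    reserve_quote: float

    def spot_price(self) -> float:
        """Quote units per base unit, derived from the current reserves only."""
        return self.reserve_quote / self.reserve_base

    def buy_base(self, quote_in: float) -> float:
        """Swap quote_in for base; returns base received and moves the reserves."""
        k = self.reserve_base * self.reserve_quote
        new_quote = self.reserve_quote + quote_in
        new_base = k / new_quote
        base_out = self.reserve_base - new_base
        self.reserve_base, self.reserve_quote = new_base, new_quote
        return base_out


class TwapOracle:
    """Cumulative-price accumulator in the style of Uniswap v2.

    update() adds the price that held since the previous update, weighted by
    the elapsed blocks. A trade inside the current block therefore only enters
    the accumulator if the moved price is still in the pool at the next update.
    """

    def __init__(self, pool: Pool, block: int):
        self.pool = pool
        self.cumulative = 0.0
        self.last_block = block
        self.observations = {block: 0.0}  # block -> cumulative value

    def update(self, block: int) -> None:
        self.cumulative += self.pool.spot_price() * (block - self.last_block)
        self.last_block = block
        self.observations[block] = self.cumulative

    def twap(self, start_block: int, end_block: int) -> float:
        delta = self.observations[end_block] - self.observations[start_block]
        return delta / (end_block - start_block)


def collateral_sufficient(collateral_base: float, debt_quote: float,
                          price: float, min_ratio: float = 1.5) -> bool:
    """Hypothetical lender check: collateral value must cover debt * min_ratio."""
    return collateral_base * price >= debt_quote * min_ratio


def simulate(attack_quote: float = 4000.0, window: int = 10) -> dict:
    """Run the manipulation against a thin pool and compare both oracles."""
    pool = Pool(reserve_base=100.0, reserve_quote=4000.0)  # spot = 40 quote/base
    oracle = TwapOracle(pool, block=0)
    for block in range(1, window + 1):      # quiet blocks, price stays at 40
        oracle.update(block)
    spot_before = pool.spot_price()

    # In block `window`, after its update, the flash-loan-funded buy lands.
    pool.buy_base(attack_quote)
    spot_after = pool.spot_price()          # what a spot-price oracle reads now
    twap_same_block = oracle.twap(0, window)  # manipulation not yet accumulated

    # Holding the skewed reserves into the next block does get counted, but
    # with a weight of one block out of `window`.
    oracle.update(window + 1)
    twap_next_block = oracle.twap(1, window + 1)

    collateral, debt = 10.0, 1000.0         # constructed borrower position
    return {
        "spot_before": spot_before,
        "spot_after": spot_after,
        "twap_same_block": twap_same_block,
        "twap_next_block": twap_next_block,
        "passes_with_spot": collateral_sufficient(collateral, debt, spot_after),
        "passes_with_twap": collateral_sufficient(collateral, debt, twap_next_block),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the constructed numbers a single 4,000-unit buy quadruples the spot price (40 to 160), so a lender reading the spot price accepts a position that is worth only 400 at the honest price against a 1,000 debt; the same-block TWAP still reports 40, and even if the attacker leaves the pool skewed for one more block the ten-block TWAP only moves to 52 and the position is rejected. Holding the skew across a block also means the position cannot be unwound inside the same flash-loan transaction, which is exactly what the single-transaction pattern described above relies on.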
Emergency measures
The bZx team found a way to immediately "disable" certain protocol functions, limiting the damage from the two attacks, even though the system design requires a 12-hour delay before state changes take effect, a delay meant to warn users if an administrator manipulates the protocol maliciously.
To prevent any actual loss after the first attack, bZx will keep servicing the defaulted loan using the collateral the attacker left in the protocol, which by bZx's estimate can cover the interest for more than 200 years. Normally, when a loan becomes undercollateralized, the collateral is liquidated and the system recognizes the loss, which falls on the protocol's lenders. In this attack the collateral was not liquidated, thanks to safeguards that allow administrators to intervene in the special case where a margin call would drain the protocol's entire insurance fund.
The bZx team said in a report last night: "Under the rules of the protocol, since the attacker's liabilities exceed their assets, the attacker's funds can fairly be confiscated regardless of moral considerations."
bZx argued that although it found a way to pause trading and decided to confiscate the attacker's collateral, it did so in users' interest. The team believes a decentralized governance system such as a DAO would have made the same decisions.
About the "De" (decentralization) in DeFi
Critics point out that DeFi platforms can be switched off by their management teams at will, and so are not decentralized systems at all. Litecoin founder Charlie Lee put it this way: "Most DeFi can be shut down by a centralized managing party, so DeFi is just decentralization theater."
So, is DeFi fully decentralized today?