1inch Exchange, the leading DEX aggregator in DeFi, accused bZx of withholding information on a bug that put $2.5 million of user funds at risk. bZx hit back, claiming they patched the bug and were ready to disclose it, only to be slandered.
1inch’s Side of the Story
In an unforeseen turn of events, the team behind DeFi’s leading DEX aggregator has disclosed an incident from January 2020, where bZx’s then-recent implementation of flash loans put $2.5 million of funds at risk.
At that time, the 1inch team discovered a bug in a contract recently deployed by bZx. The lending protocol took four hours to remedy the situation, to 1inch’s discontent. Removing the bug was subject to the bZx smart contract’s 12-hour timelock.
After Crypto Briefing reached out to 1inch Exchange, co-founder Anton Bukov made the following comment:
“We were very concerned about the hole in their mainnet which existed for 16 hours, it’s terrible to hear for every user. We still don’t know if they had a kill-switch or not.”
This contract was less than 48 hours old, according to the DEX aggregator, causing them to fear that malicious actors would take advantage of the opportunity and steal user funds.
bZx averted a major crisis, after which they initially refused to pay 1inch a bug bounty for their work.
Both parties finally agreed on terms for a bug bounty after prolonged negotiations. bZx then asked the 1inch team to sign NDAs, which the 1inch team refused.
After the two recent exploits, the DEX aggregator felt the need to go public with this information.
“They said they [were] going to disclose this in [February], but after 2 more hacks happened in Feb we were sure they wouldn’t,” said Bukov.
bZx Speaks Out Against Accusations
1inch Exchange made its side of the story public first; bZx only recently shared its account with Crypto Briefing.
According to Tom Bean, co-founder of bZx, the bug was indeed disclosed by the DEX aggregator, but bZx was not content with the manner in which it was brought to their attention. bZx claims that, rather than informing them in private, the DeFi project made the vulnerability public on the Ethereum blockchain.
bZx was left with two options: either hack the funds themselves or remove the code and sit on that information, hoping malicious actors wouldn’t catch wind of what was happening.
Bean went on to describe why bZx acted the way they did:
“It was difficult to not immediately pull out the funds to ‘rescue’ them. We had to weigh the further danger this would have caused. If we would have started pulling out people’s funds, a black hat could have as well. Then, integrated projects, like APR rebalancers (RAY and others), would have seen our APR go way up, and would have automatically sent more funds in, then those would have gotten stolen as well.”
He further added:
“It was very difficult (to make) the choices we made. We did what we thought was best at the time to protect user funds.”
Bean also shared a screenshot of the interaction between bZx and 1inch with Crypto Briefing, where the co-founder of 1inch Exchange appears to be pressuring bZx into paying the bug bounty.
“Their choice to release this when we intended to pay them the bounty was malicious,” said Bean. They also claim that they were still willing to pay the bounty after tensions escalated.
Before the first exploit, bZx was planning to announce the flash loan capability at ETHDenver and then disclose the bug in the deprecated code.
Start of DeFi Exploits or One-Off Incident?
bZx is working to allow users with positions on Fulcrum the opportunity to close them in a secure manner. This has rekindled some hope that order will be restored and bZx can take some time to fix the state of their protocol.
Whether they can revive their reputation and earn users’ trust again remains to be seen.
There’s a distinct difference between margin trading with DeFi projects and creating an overcollateralized stablecoin. bZx’s platform has low liquidity compared to lending counterparts like Compound and Maker.
bZx was subject to DeFi’s first “bank run” this week as users pulled funds from the platform. Liquidity reached double-digit figures in dollar terms as lending pool utilization hit 100%. This has driven the interest rate on assets like Ether higher than 40%.
Attacks on bZx in the last week were caused by a flaw in the code and the protocol’s dependency on Kyber as an oracle to arrive at mid-point prices. Kyber itself has highlighted the major risks posed by using its protocol as a price feed.
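To illustrate the oracle risk named above from a defender’s side, here is an added example (not bZx’s, Kyber’s or 1inch’s code) of a lending protocol’s collateral check fed by two hypothetical price feeds: a naive feed that trusts a single DEX’s latest mid-point quote, and a guarded feed that keeps a short time-weighted average and rejects any single quote that deviates too far from it. The quotes, the deviation threshold and the borrower position are all constructed for illustration.

```python
from collections import deque


class NaiveSpotFeed:
    """Returns whatever the DEX quoted last; one abnormal quote is accepted as truth."""
    def __init__(self):
        self.price = None

    def update(self, price):
        self.price = price

    def read(self):
        return self.price


class GuardedFeed:
    """Keeps the last `window` quotes, answers with their average (a simple TWAP
    stand-in) and refuses any single quote more than `max_dev` away from it.
    Thresholds are illustrative assumptions, not values from any real protocol."""
    def __init__(self, window=8, max_dev=0.10):
        self.history = deque(maxlen=window)
        self.max_dev = max_dev

    def twap(self):
        return sum(self.history) / len(self.history)

    def update(self, price):
        if self.history and abs(price - self.twap()) / self.twap() > self.max_dev:
            return False  # outlier quote rejected and not recorded
        self.history.append(price)
        return True

    def read(self):
        return self.twap()


def collateral_ok(feed, collateral_eth, debt_usd, min_ratio=1.5):
    """A position is healthy if collateral value / debt >= min_ratio."""
    return feed.read() * collateral_eth >= min_ratio * debt_usd


def simulate(quotes, shock, collateral_eth=10, debt_usd=2000):
    """Feed normal `quotes` to both feeds, then one abnormal `shock` quote, and
    report each feed's price and its verdict on a constructed borrower position."""
    naive, guarded = NaiveSpotFeed(), GuardedFeed()
    for q in quotes:
        naive.update(q)
        guarded.update(q)
    naive.update(shock)
    accepted = guarded.update(shock)
    return {"naive_price": naive.read(), "guarded_price": guarded.read(),
            "shock_accepted": accepted,
            "naive_solvent": collateral_ok(naive, collateral_eth, debt_usd),
            "guarded_solvent": collateral_ok(guarded, collateral_eth, debt_usd)}
```

With eight quotes around $200 and a single $1000 spike, the naive feed judges a 10 ETH / $2000 position comfortably solvent while the guarded feed, ignoring the spike, correctly flags it as undercollateralized.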
Permissionless systems in DeFi can still be considered resilient, especially with Nexus Mutual functioning as intended in the aftermath of the bZx crisis.
Synthetix, which recently deployed its Achernar upgrade, ensured the code being implemented was audited by security firms Sigma Prime and iosiro, too.
Using these platforms requires users to trust a DeFi project’s codebase. This is a significant obstacle for non-technical users, but there are initiatives looking to bridge this information asymmetry.
Nevertheless, anyone thinking of using DeFi projects should become well acquainted with the vulnerabilities of the ecosystem.