What the bZx flash loan exploit says about the future of DeFi

Simon Taylor, Co-founder 11:FS & CPO 11:FS Foundry

TL;DR: someone (we don’t know who) made off with over $350,000 using a loan that in essence cost them no more than $8.71, in the murky but oh-so-interesting world of decentralised finance (or DeFi for short).

The bZx scandal is now a few weeks old, but the alarm bells are still sounding. “Are the bZx flash loan attacks signalling the end of DeFi?” asks one Cointelegraph headline. Cryptopolitan, meanwhile, is proclaiming that the incidents “have tarnished the DeFi we all knew”.

Basically, people are losing their sh*t.

Why is this important? In a nutshell, this story has everything:

  • Something called a flash loan, which is getting a lot of blame (but probably isn’t at fault) and is a super interesting concept in its own right
  • Market manipulation
  • The big question: how decentralised is something if the developers can pull the plug?
  • And a dollop of crypto-Twitter watching along at home.

OK, so let’s step back...

What’s DeFi?

Think of DeFi as P2P lending without the middleman. In P2P lending, a lender (let’s say you) takes some cash (in this case, let’s say you hold Ethereum) and lends it to an exchange.

Unlike most exchanges, this one only really exists as software. There is no legal entity or company. Still, it lends funds to a borrower, the borrower pays a fee – just like you would if you were borrowing from a regular bank – and then the lender (saver) is paid some of that as interest.

Good so far? Fantastic! Let’s move on…

What is bZx?

bZx is the token project behind Fulcrum.trade (and many others). Fulcrum in particular is a platform that allows you to trade on margin – that is, to borrow money to make a trade. This will be familiar to many bankers.

The major difference in DeFi is that whilst the protocol can increase or decrease your balance based on your trades, no middleman or centralised exchange ever holds the keys to your wallet. In other words, you’re in direct custody of your assets at all times.

This can be attractive because you can effectively “be your own bank” by lending and trading the asset in the market whilst still retaining control of that asset. To think about it another way, it would be like earning interest on the money sitting in your wallet or purse. It’s still yours, albeit there is a risk of the value going up or down.

What is a flash loan?

In British slang, it sounds like a “really fancy, well-dressed loan”. In reality it’s as simple as a loan that is borrowed and paid back all in one transaction.

If that breaks your brain, bear with me here. In the world of Ethereum and decentralised finance, you can build multiple trades into a single transaction. So I could borrow $100, trade it across three different exchanges and potentially collect a profit before paying back the loan. All in a single transaction!
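As an added illustration (not code from the article, bZx or any real protocol), here is a toy Python model of that “borrowed and paid back all in one transaction” rule: the lender hands out the funds, the borrower runs whatever trades it likes, and the whole thing is rolled back unless the loan plus a fee comes back at the end. The balances, the “market” counterparty and the 0.09% fee are constructed assumptions.

```python
# Toy model of flash-loan atomicity (constructed example, not any real protocol's code).
# Balances are integers in a made-up unit; gas costs are not modelled.
from copy import deepcopy

FEE_BPS = 9  # assumed flat fee of 0.09% (9 basis points); real lenders' fees vary

class Revert(Exception):
    """Raised when the whole transaction must be undone."""

class Ledger:
    """Minimal account ledger standing in for on-chain token balances."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, callback):
    """Lend `amount` from `pool`, run the borrower's `callback`, then demand
    amount + fee back. A Revert anywhere restores the pre-loan state, so the
    lender is never left holding an unpaid loan: it completes or never happened."""
    snapshot = deepcopy(ledger.balances)
    try:
        ledger.transfer(pool, borrower, amount)
        callback(ledger)                                # borrower's trades
        fee = amount * FEE_BPS // 10_000
        ledger.transfer(borrower, pool, amount + fee)   # repay or bust
    except Revert as exc:
        ledger.balances = snapshot                      # roll everything back
        return False, str(exc)
    return True, "repaid"

def run_demo():
    """Two borrowers with only 10 units of their own: 'winner' nets +50 from the
    market inside the loan, 'loser' loses 30 and cannot repay. Returns both
    outcomes and the final balances so the rollback can be checked."""
    ledger = Ledger({"pool": 10_000, "market": 1_000, "winner": 10, "loser": 10})
    ok_win = flash_loan(ledger, "pool", "winner", 10_000,
                        lambda l: l.transfer("market", "winner", 50))
    ok_lose = flash_loan(ledger, "pool", "loser", 10_000,
                         lambda l: l.transfer("loser", "market", 30))
    return ok_win, ok_lose, ledger.balances
```

On the losing path no balance changes, not even the fee; only the transaction’s gas (not modelled here) would be spent, which is why a failed attempt costs the borrower almost nothing while the lender is never exposed.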

So what happened with bZx?

On the 14th of February, an anonymous individual “flash loaned” ETH10,000, or about $2 million. Then, the “attacker” spread that money across two exchanges, taking a long (buy) position on both Compound and bZx.

Next, they shorted (bet against) wrapped bitcoin on bZx before buying $1.1 million-worth of the crypto on Compound and selling it on another exchange. This drove the price of the wrapped bitcoin down, paying off the short to the tune of $350,000.

The attack sent the bZx team scrambling. They were in the middle of an Ethereum hackathon in Denver when the news broke, and they immediately stepped in to intervene. They essentially pulled the plug on the protocol and exchange to limit the damage. After they spent a significant amount of time reassuring the community and facing serious questions, things appeared to be returning to normal.

And then it happened again.

On the 18th of February, a second attack occurred, involving a swap of Ethereum for a USD-pegged stablecoin called Synthetix USD (sUSD). The transaction inflated the value of sUSD, allowing the attacker to buy more Ethereum, pay off the loan and walk away with about ETH2,378.

How it all went down

News outlets were quick to call the incidents a “hack,” but that isn’t quite accurate. To carry out the exploits, the attacker used flash loans to send big orders to three exchanges, and only one had enough liquidity to cover the loans. This created huge moves in the price of both the wrapped bitcoin that had been shorted and sUSD.

In a technical sense, nothing went wrong: the flash loans worked the way they were supposed to, but the people who developed the system hadn’t anticipated how they could be used. Instead of doing any actual hacking, the perpetrators just used an exploit to manipulate the market.

In any other environment, this move would still be highly illegal. Really, the perpetrators didn’t just exploit the rules of bZx. They exploited the philosophy of DeFi itself.

What does this say about DeFi?

When bZx found out about the exploit, it immediately hit the Big Red Button and paused trading and borrowing on the protocol.

But even this level of human intervention can be unpopular in the world of DeFi and crypto. These are systems built from programmable transactions with little to no governance.

The LSE’s Michael Coletta made an interesting point about this when we discussed the story on Blockchain Insider. While DeFi lets us experiment with markets in new ways, it often teaches us the same lessons that traditional financial institutions learned in the 1930s.

Ultimately, transactions like flash loans are just tech upgrades – they aren’t going to change the fundamental human behaviours that fair and stable markets guard against. Without some form of human governance, users are bound to pull off more exploits like these.

Which puts companies like bZx in a tough position. Introduce a degree of regulation and you risk taking the “decentralised” out of “decentralised finance”. Keep things loosey-goosey and you risk more exploits that steadily chip away at user trust. It’s a conflict that has always been at the heart of DeFi: it just took a bit of manipulation to bring it to the forefront.

Want to learn more about the wide world of DeFi? Subscribe to the Blockchain Insider podcast. We deliver the latest news from industry experts so you can keep up with all things crypto.