Note: I attended the ETHDenver hackathon this past weekend. Below are some highlights of the projects and the presentations, but first what everyone was talking about – the bZx trade exploit.
Trader exploits bZx platform
In its just released post-mortem, bZx sums up the attack/hack/exploit as such:
The attack was launched on Valentine’s day, a Friday Night, and during ETHDenver when the team was out. We immediately returned home from the tBTC happy hour.
We returned home and analyzed the transactions. The series of transactions were extremely complex and did not yield to a straightforward chain analysis.
We made the determination that the attack could continue, that lender funds were at risk, and that we needed to take steps to disable the attack.
bZx links to this post from blockchain security firm PeckShield for a detailed rundown of the attack. It comes with this nice graphic:
There has been an awful lot written on this and I’m sure there will be more, but three thoughts from me:
Trusted brands matter, even in DeFi. The frenzy and confusion after bZx shut down its website Saturday morning was no different than past centralized exchange hacks. The loss is small enough for bZx (or its future token holders) to make lenders whole, but users will hold bZx to the same standard as Binance, who experienced a $45m hack last year. DeFi protocols are permissionless, but if the companies that build them want to attract assets, they’ll need to convince users to trust them – decentralized or not. Governance and insurance will be important to any solution.
A new DeFi Legal Precedent? The trading activity is likely illegal under market manipulation rules in the U.S., but I can’t imagine bZx suing the alleged attacker. Still, exchanges (and Chainalysis) will soon have a decision to make and this trade activity will surely get the attention of regulators. There likely won’t be any legal repercussions from this, but it will be an example used by investors when discussing risk and compliance for DeFi projects.
Flash Loans, Wow. Arbitrage opportunities used to require sophistication and capital, but in DeFi, only sophistication is needed. As smart contract audits have become routine, so too will economic and blockchain simulation, like what Gauntlet did for Compound last month.
Perhaps the biggest takeaway is the additional eyeballs. bZx has gotten more than 1,000 new Twitter and Telegram followers as a consolation, and much of Crypto Twitter is fascinated with the attack, realizing the potential and possibilities of DeFi.
There’s so much out there on this, but a couple recommendations:
bZx Hack Full Disclosure (With Detailed Profit Analysis) - PeckShield
Taking undercollateralized loans for fun and for profit (samczsun’s post last fall)
Former Google engineer explains how an attacker made $350K in single transaction
ETHDenver Presentations & Panel Discussions
Mariano Conti (Maker) – Mariano focused on developments in Maker’s Governance Security Module (GSM). The GSM is how Maker would update the system in the event of an emergency. The “Dark Fix” would institute a 24-hour delay and show the fix only to large MKR holders. Mariano also highlighted initiatives to increase voter participation. He said anyone could delegate votes to a particular smart contract, while still maintaining custody, which could create proxy advisors that vote on behalf of MKR holders.
Dan Elitzer (IDEO Co Lab Ventures) – Dan explored the implications of liquidity pools like Uniswap, Compound and Balancer. He described the “Ultimate Superfluid Protocol” where you can:
Deposit any asset, in any proportion
Automatically get rebalanced as prices shift
Automatically earn trading fees via AMM
Automatically earn interest on loans of your assets, over-collateralized by other asset types you’ve deposited
Automatically regain your financial privacy
Various others:
Nate Hindman (Bancor) – Bancor is exploring how to connect their liquidity pools to Compound or the DSR and researching pools with 3+ assets. “Aggregated liquidity is a race to the bottom. Proprietary liquidity is a race to the top.”
Felix Feng (Set) – TVL is good for Set but other DeFi protocols should look to other metrics. Felix said that after the bZx exploit, projects need to worry about a smart contract audit and an economic incentive analysis.
Noah Zinsmeister (Uniswap) – Team is working hard on Layer 2 and trying to balance competing interests from liquidity providers, traders and arbitrage bots. On DeFi, “Things bubble up immediately, rather than sitting under the surface and crashing like 2008”
ETHDenver Hackathon Projects
A full list of all projects and the winners is available here. Below are a couple of highlights.
UpsideDai – 20x leverage on the price of Dai
2 token model to allow users to hedge their Dai exposure or bet on Dai price
Decentralized oracle that leverages Uniswap and Maker Medianizer
OhMyDeFi – decentralized options platform
Starting with call & put options on the Dai/ETH price, by combining both call & puts, they can offer hedging for price of ETH
Like other insurance/options problems, it needs to get parties to agree on the same maturation date
MakerDAO BTC Vault – The Ren Protocol team built a Maker integration on Kovan testnet where zBTC, Ren’s trustless version of BTC, is accepted as collateral in MakerDAO Vaults to mint Dai.
Ethsplainer – breaks down Ethereum transaction data, explaining what each string of characters refers to.
Outfront – Prevents malicious transactions by ‘catching’ the tx in the tx pool and paying a higher gas amount to stop the transaction.
Odds and Ends
mStable aims to be the stablecoin of stablecoins
tBTC released on the Ropsten test network
Huobi launches ERC20 version of Bitcoin to compete with WBTC & imBTC
Skale is the first project on Consensys’s token issuance platform Activate
MetaCartel Venture DAO launches on mainnet
Kyber does more than $10m in one-day volume
Thoughts and Prognostications
DAO-ifying Uniswap liquidity pools [Sunny Aggarwal]
The Evolution of DEXes: Permissionless Asset Swapping [Marketpsycles]
Ethereum Account Abstraction Explained [ETH Gas Station]
That’s it! Feedback appreciated. Just hit reply. Written in Denver and a stopover in Nashville. Snow in Denver, sunshine in Nashville.
Weekly Dose of DeFi is written by Chris Powers. Opinions expressed are my own and do not necessarily reflect the opinions of others. All content is for informational purposes and is not intended as investment advice.