Trader Exploits bZx Oracle for $330,000 Profit
Clever trader cracks DeFi.
Share this article
A trader took full advantage of bZx’s use of a price oracle by crashing the price of wBTC after opening a 5,000 ETH wBTC short on the platform.
Breaking Down the Trade
What started as just another day in DeFi has ended in an episode of drama and reflection. A trader used the flash loans functionality to profit off bZx’s use of a price oracle.
bZx uses oracles for pricing its internal products. This particular trader took a 10,000 wETH flash loan from dYdX and split the corpus into two: one half was deposited into Compound and the other half into bZx’s Fulcrum protocol.
The Compound portion of the deposit was used as collateral to borrow 112 wBTC and the 5,000 wETH deposited into Fulcrum was a long position perpetual swap on sETH/wBTC, as per the transaction details from EtherScan.
112 wBTC was then dumped into Uniswap. This caused a major decrease in Uniswap’s wBTC price as this accounts for 14.6% of the total supply for wBTC. As a result, this trader pocketed just over $1 million in revenue as the sETH/wBTC price went up due to bZx’s reliance on Uniswap for prices.
wBTC was likely chosen by the trade because of its low supply and liquidity in the market. This translated to a steeper decline in price.
This trader was left with close to $690,000 worth of debt, and after paying off the 10,000 wETH loan, they walked away with close to $330,000.
Even after being hit with massive slippage from the sale of a chunk of wBTC, the trader still came out of the trade victorious. Net profit for Uniswap liquidity providers fell as a result of this, and this was the highest volume day for Uniswap’s wBTC market since the DEX’s inception.
Oracle Deficiencies Come to Light
The DeFi community has constantly discussed the possibility of using Uniswap as a resilient, permissionless price oracle for protocols and dApps. However, the risk of using a single source of truth for a protocol opens it up to incidents like this, where oracles are exploited for profit.
ChainLink, for example, draws the price of an asset from multiple sources. If bZx had used ChainLink, Uniswap’s wBTC price would’ve accounted for just a portion of the total price. Other sources such as Kyber, Switcheo, IDEX, and Bitfinex would also have been used.
To conduct a similar attack on a network that uses multiple price inputs, one would have to force the price of an asset down across the various exchanges from which price inputs are taken.
Oracles are a critical piece of infrastructure for permissionless systems. Protocols like ChainLink help streamline this process and ensure price manipulation on one platform does not meaningfully affect the end result for their clients.
It’s important to note that this wasn’t a hack or unethical move of any sort. The trader simply found an exploit and gamed the bZx protocol. Decentralized systems need to be robust on their own, without human intervention.
Incidents like this will only push DeFi protocols to implement better standards. This one event will go a long way in improving the overall robustness of DeFi.
Earlier, Crypto Briefing claimed the reason the trader used Uniswap was that bZx used Uniswap as a price oracle for the protocol. The bZx team has since refuted these comments, with co-founder Kyle Kistner stating “we can mostly say what didn’t happen more than what did at this point.”
People in the DeFi community still speculate that there is a connection between bZx and Uniswap that explains the scenario. bZx claims the trader exploited a comprehensive vulnerability in the smart contract and an upgrade has already been deployed to curb this from happening in the future. The project has additionally stated that they use Kyber as a price oracle and query the bid and ask components of orders.
Share this article