Yesterday, the bZx team published a post on its official blog explaining what happened during the attack and admitting its mistake.
The long post is entitled “Mea Culpa: A New Beginning” and ends by saying:
“We have learned our lesson, and we are sorry. We will be better and we will do better. To the community, we want to say that we have great love for you, and we hope to earn that love back through our actions. This project is very personal to the people working on it, made with every ounce of love we have. As we move forward, we want to remind the community of the value of warmth and compassion in keeping passionate builders building even as we are kept accountable”.
The post is a full report of all the main vulnerabilities detected within the protocol, with a description of the latest attack and the decisions made to mitigate security risks in the future.
Despite the two hacks, the project is moving forward, to the point that on defipulse.com it’s still tenth overall in terms of locked funds, with almost $9 million, ahead of Lightning Network.
Furthermore, the bZx team confirms that the audited changes have been made and traders can now close their positions. It remains to be seen, once the positions are closed, whether more positions will be opened and then whether the project can really continue to move forward with the new changes.
The team also admits that funds have been lost, but still claims that users’ funds are safe because the company and the stakeholders of the protocol are absorbing the losses.
The team also announced that changes will be made to the way the insurance fund acquires value in order to accelerate its ability to fully cover the loss, since the loss is currently only expected to be absorbed in 2285.
The insurance fund currently receives revenue from 10% of the interest paid by borrowers, but two new revenue streams will be introduced: commercial revenue and arbitrage.
The post also explains in detail all the actions carried out by the attackers, most of them already known, and reveals that the vulnerability that made them possible was introduced by a protocol update published in early January, which added a flash loan function in only 40 lines of code.
The code was unverified and contained a function that allowed arbitrary calls, which resulted in the approval of a token allowance on users’ wallets.
Believing that this vulnerability would not be discovered quickly, bZx decided not to suspend the service, planning to publish the patch by the end of February. However, in the first half of February, it was discovered and used to launch two attacks.
In particular, bZx reveals that they were contacted on January 20th with a bounty request from the attackers.
While agreeing to pay and thanking them for the discovery of such a serious exploit, they decided not to pay the entire reward immediately. They then tried to negotiate. However, they admit that this turned out to be a serious mistake, for which they take responsibility.
Furthermore, the team admits that it was “negligent” to add flash loans to the mainnet without checking the code, and that the protocol was lacking in its capacity to finance adequate security measures.
bZx also reveals in the post what changes they have made and how they intend to handle such emergencies in the future, but this is not necessarily enough to restore users’ confidence.
If anything, in a world of decentralized protocols that are meant to be trustless, the fact that the proper functioning of the code depends on trusting those who developed it casts a shadow over the future of this project.