The unluckiest DeFi protocol? A personal take on bZX’s tumultuous year

Decentralized finance platform bZX has frequently been in the spotlight this year, only not for the right reasons. Most DeFi platforms popular today, including bZX, began their journey around 2018, at the tail-end of the initial coin offering boom. In 2019, DeFi started gaining traction, though it was still a somewhat ignored sector of the industry.

As growth continued, suspicions began to rise that major hacks, typical of the digital asset sector, were overdue. Due to the complexity and novelty of these platforms, it was reasonable to assume that not all of them were impervious to bugs.

This year can be characterized as a testament to the saying, “When it rains, it pours.” Unfortunately for bZX, it became the first major DeFi platform to suffer a large hack, in February of 2020, and the second as well, as two back-to-back attacks crippled the project and forced it to miss out on most of the DeFi boom.

Related: Are the BZx Flash Loan Attacks Signaling the End of DeFi?

While some other platforms followed suit, bZX’s woes were not truly over: shortly after its relaunch in September, it was hacked once again. While it may appear to have been the final blow for the project, co-founder Kyle Kistner remains optimistic that the platform will bounce back.

“Ever since we got the money back and the funds are safe, we’ve got a whole bunch more total value locked and a huge amount of trading volume,” Kistner said in an interview with Cointelegraph. “We haven’t quite made it back to where we were, but our trading volumes have been really exploding.”

Kistner reiterated many times throughout the interview that despite all these hacks, the platform never conclusively lost its users’ money. The early victims were refunded, while the September hacker was essentially caught red-handed through blockchain analytics and returned the money. Be that as it may, Kistner and the bZX team’s journey this year has been tumultuous, to say the least.

Caught with their drinks up

Cointelegraph: The first bZX hack occurred on Feb. 14 while the team was away at the ETHDenver conference. How did you learn of the attack?

Kyle Kistner: We were at this afterparty, it was the Keep and Compound happy hour. We’re sitting there, we’re talking with Ryan [Berkun, CEO of Tellor] and he was telling me about how he had just put in some money in Fulcrum, he was showing me the interest rates. I noticed that the interest rates for ETH were abnormally high. And I was like, “Oh, that’s really strange.”

I talked to Tom [bZX’s CEO] about it and I felt like something’s really weird about it. Later in the night we got a message from Lev Livnev from DappHub, who noticed a strange transaction, which was basically the one that created this very high interest on the iETH pool.

And you know, we had been drinking and so we needed to sober up. It was this crazy experience, it was 11:30 at night, we were partying with the rest of the industry people and suddenly you’re thrust into this very serious situation. As we were investigating, we realized that we need to pause the whole system.

There wasn’t really a pause button designed on this thing, but we did hack together a solution by disabling the oracle whitelist. This worked to prevent more money from being taken.

Then I called my wife, I’m saying “I don’t know how I’ll be able to face the people in the industry, go back down to ETHDenver, see everybody there.” I thought for a moment that maybe I’ll just pack my bags and go home, but my wife talked me out of it. Tom was just sitting there, catatonic for a little bit, the whole thing washing over him.

The second hack

Eventually Kistner and the team regrouped. They managed to catch a lucky break — the protocol did not automatically spread the loss of more than 1,100 ETH, worth about $300,000, among all platform users. This gave them a chance to fully return the money down the line and allowed the business to continue. “That gave us a lot of morale,” Kistner said.

When the team showed up at ETHDenver the next day, Kistner said that “people were actually congratulating us. There was a lot of support, people were saying, ‘We’re builders, you’re builders, we’re all in this together.’”

CT: And then the second attack happened. How did you find out about it?

KK: We had just arrived at this restaurant. We were up at the ski retreat in Colorado, we helped organize it and we were really excited about it. We ordered all of this food, and Tom is looking at his phone — he likes to just go through the different transactions that are on the system, especially if anything looks weird or strange. So he looked at this one transaction and it looked really weird because it had contracts being deleted and it had a flash loan and it had basically small amounts being called repeatedly over and over again.

So we looked at that transaction and it took us about two seconds to be like ‘Ok, somebody got hacked.’ This doesn’t look right at all. We knew it involved our system.

So the food arrived, it was like a hundred dollars worth of food for three people. The moment it arrived on the table, I got up and I said, “Can I pay the bill?” and handed them the card. Tom was already sprinting home and we just all booked it, we just all started running through the snow and, you know, it was a seven-minute jog from the restaurant to our place.

We manned our battle stations, paused the system, started to triage and diagnose the issue. […] By that point we were like ‘we know how to handle this, if there’s some money taken it’s not the end of the world.’ Unfortunately, since lightning did strike twice, a lot of the goodwill that people were extending us before had been substantially eroded.

Reflecting on what went wrong

The two hacks forced the team to shut down and rebuild the protocol. Since then, other projects saw vulnerabilities exploited as well, but none had multiple hacks occur within a short span.

CT: The number of breaches suffered by bZX raises questions about the project’s practices. Could it just be bad luck, or is there something deeper at play?

KK: It’s not a coincidence. So there’s two things: one is that we made a mistake, and we had a security auditor that kind of didn’t completely do [their job]. There’s one issue I’m trying to get at here — basically there’s a number of factors that went into why we had Kyber as an oracle [the primary vulnerability resulting in the second hack].

It was a conceptual vulnerability that really an auditor should have caught, but we shouldn’t have been using it. We had an understanding that Kyber wasn’t optimal, but we kind of stubbornly refused to centralize the oracle. We didn’t have Chainlink, which we could just plug in at the time, so the only other option was to centralize the oracle.

Now, the first hack was basically a typo-level bug. I think this was due to not having proper processes in place. […] We were a small company. We were not backed by a whole bunch of venture money, like a lot of the other lending protocols. Now we are, we’re a much larger and much more mature company.
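Kistner's root-cause analysis above is that a DEX spot price (Kyber) was used as the protocol's price oracle, a "conceptual vulnerability" that a flash loan can exploit by moving the pool's reserves within a single block. The following is an added example, not bZX, Kyber or Chainlink code, of the defensive check an integrator would want in front of such a feed: it compares the latest constant-product spot price against a trailing time-weighted average (TWAP) and refuses the price when the deviation exceeds a threshold. The pool model, the one-observation-per-block sampling, the 500 bps threshold and all reserve figures are constructed assumptions.

```python
"""Price-feed sanity check: reject a DEX spot price that strays from its TWAP.

Added example, not code from bZX, Kyber or Chainlink. Assumptions: a
constant-product pool, exactly one reserve observation per block, and a
deviation threshold chosen by the integrator. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    block: int
    reserve_eth: float  # pool reserve of the base asset (constructed units)
    reserve_dai: float  # pool reserve of the quote asset (constructed units)


def spot_price(reserve_eth: float, reserve_dai: float) -> float:
    """Instantaneous price of ETH in DAI implied by a constant-product pool."""
    if reserve_eth <= 0 or reserve_dai <= 0:
        raise ValueError("reserves must be positive")
    return reserve_dai / reserve_eth


def twap(observations: List[Observation], window_blocks: int) -> float:
    """Equal-weight average of spot prices over the trailing window.

    With one observation per block (assumed here) this is a block-weighted TWAP.
    """
    if window_blocks <= 0:
        raise ValueError("window must be positive")
    tail = sorted(observations, key=lambda o: o.block)[-window_blocks:]
    if not tail:
        raise ValueError("no observations")
    return sum(spot_price(o.reserve_eth, o.reserve_dai) for o in tail) / len(tail)


def assess_price(observations: List[Observation], window_blocks: int,
                 max_deviation_bps: float) -> Dict[str, float]:
    """Return spot, twap, deviation in bps and whether spot may be used as a price."""
    latest = max(observations, key=lambda o: o.block)
    spot = spot_price(latest.reserve_eth, latest.reserve_dai)
    average = twap(observations, window_blocks)
    deviation_bps = abs(spot - average) / average * 10_000
    return {
        "spot": spot,
        "twap": average,
        "deviation_bps": deviation_bps,
        "accepted": deviation_bps <= max_deviation_bps,
    }


# Constructed sample: ten quiet blocks at 200 DAI/ETH, then one block in which
# the reserves sit far from their usual ratio, the kind of single-block move
# the interview attributes to a flash loan against a DEX-based oracle.
QUIET = [Observation(block=b, reserve_eth=1_000.0, reserve_dai=200_000.0)
         for b in range(1, 11)]
SKEWED = QUIET + [Observation(block=11, reserve_eth=800.0, reserve_dai=250_000.0)]

if __name__ == "__main__":
    for label, obs in (("quiet", QUIET), ("skewed", SKEWED)):
        result = assess_price(obs, window_blocks=10, max_deviation_bps=500)
        print(label, result)
```

On the quiet series the spot and TWAP agree and the price is accepted; on the skewed series the spot jumps to 312.5 while the ten-block TWAP only moves to 211.25, a deviation of roughly 4,793 bps, so the check refuses the price and the protocol would fall back (pause, use a secondary feed, or revert) instead of lending against it. A TWAP on its own is not a complete fix, since a sustained manipulation can drag the average, which is why Kistner names a decentralized external oracle such as Chainlink as the option the team lacked at the time.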

Auditors are not one and the same

Auditing smart contracts is considered a crucial step before the protocol’s launch. Unaudited protocols are considered less safe, so much so that Yearn Finance’s creator says he purposefully dampened excitement about his project by withholding the fact that the protocol was audited.

CT: So what exactly happened with the audit of your code by ZK Labs?

KK: I feel like somebody needs to know this story. So we were new and we were kind of green to the industry. We had just built this version one of our protocol, it was like the beginning of 2018. We just put our stuff on the testnet, but we didn’t really know the security auditors in the space.

So we asked around and first got referred to the Acacia Group. […] They scoped it out and they basically said, “We’re out of our depth here.” So we needed to find a different auditor and eventually we found ZK Labs. We thought ZK Labs was super reputable. […] Matthew DiFerrante [ZK Labs founder] was associated with the Ethereum Foundation, he had worked as a security engineer there.

Now, what I didn’t know is that behind the scenes, all the other security auditors in the space didn’t really like Matthew. They felt like he was very unprofessional and not doing a good job. […] He seems like a smart guy, I guess, but it seemed that he had a lot of difficulty dealing with the workload.

We got our protocol audited by them, and it was pretty clear that there’s actually only Matthew DiFerrante doing the auditing. He charged us about $50,000, which for us — a completely bootstrapped company — was like a huge, huge sum of money.

But we tried our hardest to raise funds and do what we could — and we did. We raised fifty thousand for this audit, but it felt like we were somehow being jerked around. […] We had our stuff ready for him around the beginning of March, but it was closer to September that it was actually done — and only after a lot of teeth pulling and yelling.

When we looked at the audit, we found these typos — there was a place where there was Chainlink’s name instead of ours. He didn’t replace the names. And we were like, “How long did you spend auditing this? Did you really audit this or did we get scammed by ZK Labs?”

That was kind of the question in our minds. He made some suggestions that were helpful, he noticed there was a critical bug. It’s not like he didn’t do anything at all, but we came away not being at all convinced by the audit.

Kistner further added that other security companies like OpenZeppelin or Trail of Bits would have cost the company about $200,000, “And we did not have that [money].”

Are code audits overrated?

bZX’s third hack came right after two major audits by Certik and PeckShield, which seem to have let a subtle bug pass through their nets. Kistner noted that platforms like Aave and Compound also suffered from at-launch vulnerabilities despite being audited extensively.

CT: Do you still believe that audits add value?

KK: Audits are great. If you look at Compound, Aave or others, there are quite a few serious vulnerabilities that were found as a result of the audits. If they didn’t go through them, there’d just be that many more vulnerabilities.

You can’t expect two or three audits to find every single bug. People need to understand that. That’s what the bug bounties are for — when you have the code publicly audited, there are just so many more eyes.

The silver lining to these experiences

Following the initial incidents, bZX overhauled the company and its security practices. Its total value locked rebounded after September, reaching more than $20 million. While this is a far cry from some of the larger protocols, the figure is still notable given the project’s tumultuous year and lack of direct subsidies for putting assets in the protocol.

Related: Yield Farming Fuels Buzz Around DeFi, but Fundamentals Are Lagging

Kistner said that the team “probably parlayed the [negative] publicity into better recognition and more usage of the protocol overall.” The time has also allowed them to find “something that people really like,” he added. The team is focusing on a long-term perspective, and its twist on yield farming includes a vesting period, which is seen as a mechanism that discourages short-term capital from joining.

At the same time, Kistner believes that the experience allowed bZX to avoid becoming a venture-led project. “We see ourselves as more of a maverick, more of an outsider type of protocol.”

When asked about the investments that the company has received since, he said that “it was a very small round” and that they “didn’t give up any equity or control.”

In the end, the jury is still out on whether bZX can catch up on lost ground. The hacks dealt crippling blows that could have easily resulted in the death of the project, but the team persevered and is bouncing back. The bZX story, however it evolves, remains an important warning for other projects and DeFi users: There is a lot more that goes on in creating a safe product beyond just paying money to auditors.

Source: https://cointelegraph.com/news/the-unluckiest-defi-protocol-a-personal-take-on-bzx-s-tumultuous-year

Bithumb Temporarily Shuts Down Some Offices As Korea Faces Another Possible COVID-19 Outbreak

South Korea’s largest cryptocurrency exchange Bithumb announced today that it is shutting down its offline offices as Korea struggles with a renewed coronavirus outbreak.

Bithumb Suspending Offline Support

Since the start of November, the country has been recording increased daily cases of COVID-19, with the number tripling in the last nine days. This has raised fears that South Korea has entered a third wave of the pandemic.

As authorities are taking measures to strengthen social distancing to curtail the spread of the virus, Bithumb said in its announcement that it intends to suspend its Seoul offline support service temporarily.

Bithumb noted that the Gangnam center office shutdown will begin on Tuesday, Nov 24, and will remain closed until further notice.

“We ask for your understanding of any inconvenience in using the service, and we will inform you of the normalization time of offline Gangnam Center operation through a separate notice,” the exchange said.

Bithumb Raided

In September, Bithumb was the headline across the crypto space. The exchange’s head office was reportedly raided three times as local authorities searched and confiscated company documents. In one of the raids, they seized dozens of shares in Bithumb Holdings belonging to Bithumb Korea Director Kim Byung-Gun.

The police accused Bithumb of fraud related to the $25.2 million BXA token presale conducted by the company. Before the presale, Bithumb promised to list the token for trading after the event but failed to do so, causing investors to suffer massive losses.

Two weeks after the raids, authorities summoned Bithumb’s Chairman Lee Jung-hoon for questioning.

Bithumb For Sale?

Following the raid and probe, another report claimed that the exchange was up for sale with a price tag ranging from $430 million to $604 million. The report revealed that foreign financial investors and domestic private equity funds had shown interest.

However, Bithumb has remained quiet about the sale as well as the police investigation.

Source: https://cryptopotato.com/bithumb-temporarily-shuts-down-some-office-as-korea-face-another-possible-covid-19-outbreak/

IDEX Announces Multi-Chain Solution and Expands to Polkadot and Binance Smart Chain

The popular decentralized cryptocurrency exchange (DEX), IDEX, has announced a multi-chain solution that is intended to expand its entire infrastructure to additional blockchains, namely, Polkadot and Binance Smart Chain.

IDEX Expands to Binance Smart Chain and Polkadot

In a press release shared with CryptoPotato, IDEX has revealed its multi-chain solution. Called Multiverse, it’s intended to expand the DEX’s infrastructure, including its layer-2 scaling and staking solutions to additional blockchains.

Its first implementation is going to be deployed on Polkadot’s layer 0 and Binance Smart Chain’s layer 1. This will enable the trade of digital assets on each of the platforms. In addition, IDEX token holders will also benefit from staking options starting from November 23rd.

It’s important to note that Polkadot will be used as layer 0. This means that IDEX will use a parachain of Polkadot in order to tap into its ecosystem. An example of this is Moonbeam. Speaking on the matter was IDEX co-founder and CEO Alex Wearn, who said:

In the past year, we’ve seen several new smart contract platforms emerge, each with a unique set of capabilities and assets. As these platforms grow, we’ll see increased demand for trading these assets and a need for non-custodial trading solutions that support these networks.

Attempts of Further Growth

It goes without saying that both Binance Smart Chain and Polkadot have gained serious popularity, offering an alternative to Ethereum’s network, which was troubled with congestion and high fees as the DeFi boom was at its peak.

IDEX hopes to bring its technology to emerging smart contract platforms. Through its Multiverse, the decentralized exchange aims to become a one-stop app for trading crypto assets on a range of different blockchains through a unified and secure platform.

All of its infrastructure, including its layer-2 system, will be further deployed on each layer-1 network. Independent assets will be issued on every new chain to support IDEX’s new layer-2 economic model.

With this in mind, the first multi-chain IDEX tokens that are designated for Binance Smart Chain and Polkadot are IDXB and IDXP, respectively.

Source: https://cryptopotato.com/idex-announces-multi-chain-solution-and-expands-to-polkadot-and-binance-smart-chain/

Yearn Finance absorbs Pickle to boost DeFi rewards

Decentralized finance protocol Yearn has announced a partnership with Pickle Finance to bolster yield farming incentives, and compensate victims of the recent Pickle exploit that resulted in the loss of almost $20 million in Dai.

According to an announcement from Yearn founder Andre Cronje, the move is designed to reduce duplicate work, increase specialization, and leverage shared expertise. Pickle Finance vaults, or ‘Pickle Jars’ as they’re known, are cloned versions of Yearn’s v1 yVaults so the code is similar.

Pickle Finance incentivizes farmers to sell stablecoins that are trading above their peg and buy ones that are below it, to keep them closely aligned with the dollar upon which they’re based.

Cronje said the first step would be to merge Pickle Jars and Yearn’s v2 Vaults and to combine both protocols’ total value locked, or TVL. He stated that further integration is planned.

The end goal is to bolster returns for yield farmers with Pickle strategies earning increased performance fees under the new Yearn fee structure. Yearn Finance, which recently formalized an operations budget, plans to onboard Pickle developers and strategy creators to design new strategies and fee structures for the new vaults.

Pickle will introduce reward Gauges, with tokens distributed to those who stake Yearn vault tokens. These tokens can be time-locked in escrow as DILL, which can also be used to participate in Pickle governance and to boost the rewards received from Yearn Vault gauges.

Some in the community questioned whether there should have been a governance vote on the decision but Yearn team member ‘@tracheopteryx’ explained this would not be necessary.

He stated that creating new Yearn Vaults, such as the newly merged Pickle Jars, is completely permissionless, so no voting is required. Additionally, the new Gauges emit Pickle tokens, not Yearn’s, and rewards are in DILL, not YFI.

Pickle Finance was recently hacked in a Dai vault flash loan exploit which resulted in the loss of almost $20 million. Its native token PICKLE collapsed 50% on November 21 from $23 to $11. Following the news of the merger with Yearn, it spiked to almost $30 but has since dumped back to around $16 at the time of press.

A new token called CORNICHON will be created to track losses stemming from this attack. Tokens will be minted against a snapshot of balances at the time of the attack, and distributed to victims proportionally, the announcement added.

Additionally, a claim was recently filed with DeFi insurance protocol Cover to offer as much as $340,000 in compensation if approved by majority vote.

Source: https://cointelegraph.com/news/yearn-finance-absorbs-pickle-to-boost-defi-rewards
