DeFi Audits (due diligence beyond static Solidity code) & bZx Post-Mortem (explaining what happened in detail and what we can learn from it)
We emphasize that this is not an oracle attack. Instead, it is a clever arbitrage execution, which exploited a bug in the bZx smart contract implementation to allow the leakage of supposedly-locked bZx funds to Uniswap, and then absorbed the leaked funds into a Compound position.
We will be working toward the medianized three-feed oracle price model initially proposed in our whitepaper. This will be done in three steps.
In Phase 0 we will use Chainlink to provide reference prices. In Phase 1 we will incorporate both Chainlink and Band Protocol oracles. The final form of the oracle system will include price information from Chainlink, Band, and Uniswap v2.0. The prices will be medianized, and that median price will be used as the reference rate.
Decentralized finance (DeFi) lending protocol bZx has just been exploited. While the exact amount of lost ether (ETH) is not yet known, bZx co-founder Kyle Kistner said: “a portion of ETH [has been] lost.”
By relying on an on-chain decentralized price oracle without validating the rates returned, DDEX and bZx were susceptible to atomic price manipulation. This would have resulted in the loss of liquid ETH in the ETH/DAI market for DDEX, and loss of all liquid funds in bZx. Fortunately, no funds were actually lost.
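The two points above, a medianized reference rate across independent feeds and rejecting rates the protocol cannot trust, are shown together in the added example below. It is illustrative code written for this page, not bZx's contract logic; the feed names, the 1e18 fixed-point convention, the one-hour staleness limit and the 5% divergence threshold are assumptions.

```python
from dataclasses import dataclass
from typing import List

ONE = 10**18                # fixed-point scale: 1.0 == 1e18 (assumed convention)
MAX_AGE_SECONDS = 3600      # a feed older than this is treated as dead (assumed limit)
MAX_DIVERGENCE_BPS = 500    # with only two live feeds, require agreement within 5% (assumed)


@dataclass(frozen=True)
class Feed:
    source: str
    price: int        # ETH/USD in 1e18 fixed point
    updated_at: int   # unix time of the feed's last update


def is_live(feed: Feed, now: int) -> bool:
    """Reject zero/negative prices and stale updates before they can vote."""
    return feed.price > 0 and 0 <= now - feed.updated_at <= MAX_AGE_SECONDS


def reference_price(feeds: List[Feed], now: int) -> int:
    """Median of the live feeds; refuses to quote rather than trust a lone source."""
    live = sorted(f.price for f in feeds if is_live(f, now))
    if len(live) < 2:
        raise ValueError("fewer than two live feeds; refusing to quote")
    if len(live) == 2:
        # A median of two cannot isolate an outlier, so demand that they agree.
        # (With three feeds the median already outvotes one manipulated source;
        # adding a spread check there would let one skewed feed halt the protocol.)
        if (live[1] - live[0]) * 10_000 > live[0] * MAX_DIVERGENCE_BPS:
            raise ValueError("two live feeds disagree; refusing to quote")
        return (live[0] + live[1]) // 2
    return live[len(live) // 2]


def demo(now: int = 1_700_000_000):
    """Constructed readings: a single-transaction skew of the Uniswap spot price
    moves a Uniswap-only rate by 8x but leaves the three-feed median untouched."""
    chainlink = Feed("chainlink", 250 * ONE, now - 60)
    band = Feed("band", 251 * ONE, now - 120)
    uniswap_fair = Feed("uniswap_v2", 249 * ONE, now)
    uniswap_skewed = Feed("uniswap_v2", 2000 * ONE, now)  # pool imbalanced mid-transaction
    honest = reference_price([chainlink, band, uniswap_fair], now)
    under_attack = reference_price([chainlink, band, uniswap_skewed], now)
    uniswap_only = uniswap_skewed.price
    return honest, under_attack, uniswap_only
```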
Lenders and depositors are coming back to bZx, as the decentralized protocol for margin trading offers significantly higher yields on ether deposits compared to its peers.