bZx’s $8M Hack is Third This Year and Two Weeks after Security-Focused Relaunch
Hello Defiers, here’s what’s going on in DeFi: bZx was hacked once more Cream Finance assets are soaring Forensics into the recent ETH slump The open economy is taking over the old one. Subscribe to keep up with this revolution. Click here to pay with DAI (for 70 Dai/yr vs $100/yr). Subscribe now ?Listen to this week’s […]
Check out the just-released video on The Defiant’s YouTube channel! The amazing story of SushiSwap. The video was produced in partnership with Robin Schmidt of Harmony Protocol.
? Together with Zerion, a simple interface to access and use decentralized finance, & Perpetual Protocol, which provides decentralized perpetual contracts for any asset.
bZx Hacked for $8M After Security-Focused Relaunch
bZx had relaunched just two weeks ago, highlighting its increased focus on security after attackers were able to make $900k in two exploits earlier this year. Last night, it was exploited once more.
The hacker was able to duplicate tokens received in exchange for deposits in the protocol, called iTokens, and then use those iTokens to withdraw more funds than they had initially deposited. The attack yielded about 219k LINK, 4.5k ETH, 1.8M USDT, 1.4M USDC, and 668k DAI, or about $8M in tokens.
The bZx team was able to cover the stolen funds with its own insurance fund, which is made up of the project’s token treasury and cash flows, and in a statement said “the protocol will move forward unimpeded.”
Image source: bZx blog
The BZRX token is up 3.8% from yesterday, in line with the rest of the crypto market, but it’s lost more than 60% in the past two weeks, according to CoinGecko.
“We are grateful that our precautions and system design are capable of resolving incidents like this without issue,” the blog post said.
No Big Deal
Some in the Ethereum community were perplexed by the team’s apparently nonchalant attitude after losing around 30% of total value locked in its smart contracts to yet another hack. Additionally, Bitcoin.com engineer Marc Thalen said in a tweet he alerted the team to the hack hours before they responded.
“Please, please pause operations until this can be re-audited and thoroughly analyzed--instead of saying ‘no big deal,” Compound Finance founder Robert Leshner said in a tweet.
Harder to Secure
bZx, which upgraded its protocol after the February hacks, had security firms Peckshield and Certix audit the code and it also performed “extensive automated testing,” according to its post mortem. The post also said the scope and ambition of the protocol make it harder to secure than others.
And yet, “all the diligence does not guarantee safety,” Aaves Stani Kulechov said. “Something that every DeFi user should understand.”
What happens when you fork Compound and add lending pools for DeFi’s most degen assets? You get Cream Finance.
In under a month since launch, Cream has aggregated more than $300M in TVL, according to DeFi Pulse, largely thanks to CREAM liquidity mining rewards.
Image source: DeFi Pulse
What started as a lending protocol for trendy DeFi tokens like SUSHI, yETH, and yyCRV has quickly blossomed into a vibrant market of 19 assets and counting, many of which are only available for lending on Cream.
Governed by CREAM, a token boasting a fully diluted market cap of $2.5B, the YOLO protocol is undergoing a suite of proposals to further lock (or even burn) a vast majority of the outstanding supply to fall more in line with its circulating market cap of $100M.
More than Lending
Last week, Cream unveiled C.R.E.A.M Swap, a native AMM allowing traders to enter and exit convoluted DeFi strategies without having to unwrap, unstake and sell positions composed of numerous assets across a multitude of protocols.
For example, users can go from yyCRV, a liquidity provision in Curve staked via a yEarn yVault, directly to USDC, rather than having to unstake and withdraw for ~$100 in gas.
As to be expected, liquidity providers in select pools are now earning CREAM rewards, currently averaging ~1000% APY at the time of writing. To note: Annual yields often exaggerate actual earnings, as its unlikely returns will remain stable.
What keeps the project afloat is an extremely active communication channel, with team members sharing updates on all CREAM and liquidity mining-related topics almost daily. While it’s unclear how long this cadence will last, the Compound-fork is quickly aggregating a trusted following of yield farmers living life on the edge.
This Week: Whales Cashed Out After Short-Term Traders Drove ETH Rally
Following a remarkable rally, cryptocurrency prices slumped over the past two weeks. DeFi tokens saw high selling pressure during this market-wide crash, following some of the largest returns since the March bottom. ETH which had also outperformed the market saw a drop of over 20% last week.
Leveraging Ethereum’s permissionless nature, IntoTheBlock is able to extract key data and formulate valuable insights about the recent market crash. With the price of ETH reaching levels not seen in over two years, on-chain data suggests traders ‘fomoed’ into buying throughout July and August. This is evidenced by the number of short-term ETH holders reaching yearly highs and by examining addresses’ profitability.
Moreover, it appears that institutional players and whales have been the ones driving the recent volatility. This may come as no surprise following the exuberant price action and the recent risk-off sentiment echoed in traditional markets.
Here are a few key insights analyzing patterns that had been emerging prior to the recent crash in ETH prices:
1. Ethereum Short-Term Traders Spiked Chasing the Rally
IntoTheBlock categorizes as traders those addresses that have been holding a crypto-asset for less than 30 days. As demand for Ethereum and DeFi protocols has risen significantly over the past few months, the number of ETH traders has been hitting yearly highs for three consecutive months. This trend broke in September as prices incurred a sharp correction.
While the number of addresses with a holding period of under one month hit a yearly high by the end of July, the volume of ETH held by traders continued to rise into August. With 14.59 million ETH being held by traders, approximately 13% of the circulating supply changed hands within thirty days, the highest in over two years. This would suggest that speculative activity had been rising along with ETH’s price.
2. 30% More Addresses are Losing Money at $340 than a Month Ago
By analyzing addresses’ profitability, we can corroborate that addresses bought heavily following ETH’s breakout. IntoTheBlock’s Historical In/Out of the Money (HIOM) indicator analyzes investors’ on-chain positions based on addresses’ average cost for a token, in this case ETH. Based on this, the HIOM calculates the percentage and the total number of addresses that are in the money, or profiting on their positions, and out of the money or losing money on paper. By comparing variations in the HIOM over time, we can determine buying/selling activity based on the number of addresses profiting at a specific price level.
As can be seen in the graph above, 31% of ETH addresses are currently at a loss (out of the money) compared to 25% on July 31st. This means that nearly 3.5 million addresses bought ETH at higher levels during August, indicating that buying activity during this time period might have gotten overheated.
Similarly, the number of addresses profiting (in the money) dropped significantly since the last time prices were at this range. This points to 1.5 million addresses realizing their profits and selling their ETH prior to or during the recent crash. Overall, this drop in address profitability would suggest that a substantial number of holders rushed into buying at higher prices, while others looked to realize profits. Using other on-chain indicators, we can have a better understanding of who has been leading the recent market crash.
3. Whale Activity Spiked as Prices Peaked
IntoTheBlock classifies as large transactions those that have a value above $100,000. These act as a proxy for transactions coming from institutional investors and whales. These had peaked during the March crash with $1.5 billion in ETH large transactions taking place in Black Thursday, but this has been overshadowed with multiple days hitting $3.0 billion in September.
As prices peaked on September 1st, $3.63 billion in ETH large transactions took place within 24 hours. This is the highest volume in ETH large transactions since January 2018, pointing to a considerable number of institutional investors taking profits as prices began to crash.
4. ETH Exchange Inflows Precede the Crash, but Drop Sharply Afterward
Exchange net flows subtract the volume of ETH entering exchanges minus the amount leaving exchanges. In general, inflows into exchanges should be taken as a precaution of holders potentially looking to sell.
In this case, significantly more ETH had been flowing into exchanges than out of them before the crash. As a matter of fact, $326 million more ETH flowed into top exchanges than out of them in the week between August 25 and September 1st. This was the highest weekly net inflow of ETH in 2020, even surpassing the one seen when traders panicked in mid March.
This trend reversed sharply shortly after, with a net $221 million in ETH leaving exchanges on September 5. On that same day, large transactions also spiked to $3.39 billion, pointing to whales likely withdrawing ETH from exchanges. This could potentially signal accumulation by large players following the 20% drop. However, it does not necessarily indicate that prices have reached a bottom.
Overall, on-chain data suggests that ETH holders had been overconfident throughout August as short-term traders reached their highest levels in years. At the same time, approximately 1.5 million addresses appeared to have taken profits since the last time ETH was at approximately $340. Spikes in large transactions and exchange inflows point to institutional investors and whales having sold prior to ETH crashing, but the sudden drop in outflows may point to many of them buying back following the drop of over 20%.
Jack Purdy of Messari has a great chart comparing AMM earnings, and how that compares to their token price.
The Defiant is a daily newsletter focusing on decentralized finance, a new financial system that’s being built on top of open blockchains. The space is evolving at breakneck speed and revolutionizing tech and money. Sign up to learn more and keep up on the latest, most interesting developments. Subscribers get full access at $10/month or $100/year, while free signups get only part of the content.
About the founder: I’m Camila Russo, author of The Infinite Machine, the first book on the history of Ethereum. I was previously at Bloomberg News in New York, Madrid and Buenos Aires covering markets. I’ve extensively covered crypto and finance, and now I’m diving into DeFi, the intersection of the two.