bZx outlines changes in development framework after DeFi lending protocol exploits

Quick Take

  • bZx co-founder Kyle Kistner looked back on recent attacks on bZx’s network and announced the changes that the platform is making to its oracle design, development framework, and code review process.
  • Kistner also apologized to 1inch.exchange for failing to pay a requested bug bounty right away.

The team behind the Ethereum-based lending protocol bZx has published a review of the recent attacks on its network, claiming that it has reworked its oracle design, development framework, and review processes for new code.

The series of attacks on bZx began on Feb. 14, when someone exploited a bug in the system and ultimately made an estimated profit of $350,000. A second attack followed three days later, resulting in an estimated loss of $645,000 worth of ETH.

In another turn of events, decentralized exchange aggregator 1inch.exchange came out on Feb. 20 and alleged that it had found a vulnerability worth $2.5 million in bZx’s Fulcrum lending protocol more than a month prior. However, according to 1inch.exchange’s allegation, bZx neither informed its users nor paid a bounty reward.

In a Monday blog post, bZx co-founder Kyle Kistner looked back on the incidents and outlined measures that the platform is taking to mitigate security risks in the future. 

According to Kistner, the second attack was made possible by vulnerabilities in the existing oracle system. bZx is, therefore, working on a new oracle design that would eventually include price information from Chainlink, Band, and Uniswap v2.0. In Phase 0, however, the system will temporarily rely on Chainlink alone for reference prices.

Notably, the platform will also alter the way new code gets added to make sure that the whole ecosystem has more time to review it.

"We will transition to an EIP-like system for cataloging new features and improvements to the protocol," Kistner wrote in the blog post. "This will make the process of how new code gets added completely visible to the public. Features should not be added as a surprise or at the last moment. Rather, they should go through a lengthy public process so that all ecosystem participants are able to make themselves familiar with the state of the code."

Additionally, bZx will have its newly refactored code go through a security audit, formal verification, and an economic audit before the platform becomes fully functional again, according to Kistner. 

"We believe that full test coverage, static analysis, and formal verification could have all formed additional lines of defense against the very first attack that bypassed the safety check on collateralization," he said. "We believe that an economic audit would have been particularly valuable in preventing the second attack."

"We will never again publish unaudited code, no matter how few lines or trivial," he added.

Regarding 1inch.exchange's complaint, Kistner apologized for the fact that bZx failed to pay the bug bounty right away. 

"Rather than simply pay the full bug bounty immediately, with extreme gratitude for finding such a serious exploit, we tried negotiating," he said. "This was a serious mistake that we need to take responsibility for. Under no circumstances should this have happened, and we sincerely apologize."


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Yilun joined The Block in November 2019. She has a policy background and extensive experience in reporting and writing. She has worked on stories ranging from business to politics.