A blog on financial markets and their regulation
bZx attack translated into mainstream finance
February 21, 2020Posted by on
A few days back, the cryptocurrency based Decentralized Finance (DeFi) platform bZx was subject to an attack/exploit/arbitrage in which the hacker made a gain of over $ 300,000 without investing any capital at all. There are a lot of detailed explanations of this attack from a crypto and smart contract perspective (the BzX Full Disclosure is quite good and Korantin Auguste’s description is even better).
My purpose here is to translate the entire set of operations into equivalent transactions in mainstream finance. I find that each individual element of the attack occurs quite commonly in mainstream finance. What is new is the ability to compose these together and execute them within seconds. What is also new is the ability to obtain unlimited leverage by eliminating information asymmetry.
In terms of mainstream finance, the components of the attack are:
- Trade A: Buying a large quantity of any security in an illiquid market very quickly will raise the price massively. This trade will cause a large loss as the security is bought at an inflated weighted average price.
- Trade B: Trade A is immediately reversed by selling the same security very quickly. Since the security is sold at an inflated weighted average price, Trade B produces a large profit which is ideally equal to the loss made by Trade A.
Leverage and Bankruptcy: Trades A and B together cancel out and would ideally exactly break even. To make the combined trades profitable, Trade A must be financed with a lot of debt and encapsulated in a limited liability vehicle which is put into “bankruptcy”. If this can be done, a major part of the losses of Trade A will fall on the creditors of the Trade A vehicle, while the profits of Trade B will of course accrue to the attacker.
This is quite common in mainstream finance with private equity firms putting their failed companies into bankruptcy while mopping up the gains from their successful companies. Before initiating bankruptcy, private equity firms will pay themselves as much dividends as they can get away with. The shenanigans of TPG and Apollo with Caesars Entertainment are a good example of the state of the art in this field.
Margin Trade: The natural way to introduce debt into Trade A is to use a margin trade. The margin trade lender will demand two kinds of collateral to back the trade: the security that is bought would have to be handed over as collateral, and in addition a cash margin would have to be provided to cover the risk of any fall in value of the security during the life of the margin lending.
Short Sale: The margin trade creates one complication: as explained above, the security bought in Trade A will lie in the Trade A vehicle as collateral for the margin trade. The attacker will need a different source of the security to be sold in Trade B. The standard solution in mainstream finance to this problem would be a short sale: the attacker would borrow the security, sell it in Trade B and repay the loan over a few days by buying it back gradually with minimal impact cost.
Financing all the collateral: The entire sequence of trades requires cash collateral or margins:
- Cash collateral for the short sale borrow
- Cash collateral for the margin trade.
In mainstream finance, this financing will require substantial equity provided by the attacker. This is where the crypto world is different. the radical transparency of smart contracts allows unlimited leverage as discussed later below.
The Five Steps in the Actual Attack
The BzX Full Disclosure enumerates the five steps in the attack. In my explanation of these steps below, I will refer to ether (ETH) as cash because it is the native currency of the Ethereum blockchain in which all these smart contracts are executing. Similarly, I will refer to the token being traded – wrapped bitcoin (WBTC) – as the security. WBTC can be thought of as a bitcoin ETF that trades on the Ethereum blockchain and can therefore be managed by Ethereum smart contracts. The bitcoin underlying WBTC resides in its own different blockchain, and Ethereum smart contracts cannot transfer these underlying coins. WBTC solves this problem because it resides on the Ethereum blockchain. But it must be borne in mind that WBTC is far less liquid than bitcoin.
- Flashloans (Unlimited leverage with smart contracts): The crypto world is very close to the frictionless theoretical models of economics and finance in which a riskless arbitrage will attract unlimited amount of money. In the real world, there are various leverage constraints and other limits to arbitrage (Shleifer, A. and Vishny, R.W., 1997. The limits of arbitrage. The Journal of Finance, 52(1), pp.35-55.). If one thinks about it deeper, a riskless trade should be subject to a leverage constraint only in the presence of an information asymmetry. It should then follow that if we can find a way to eliminate the information asymmetry completely, then riskless arbitrage should support unlimited leverage.
The world of smart contracts and immutable code in the crypto world provides an excellent example where we can see this phenomenon in action. The smart contract that makes this possible is the Flashloan which is described in the white paper (alternatively, you can take a look at this simpler explanation). In short, the flashloan borrower presents a smart contract that (a) executes the entire “arbitrage” and (b) repays the loan. This is a single atomic transaction that either succeeds completely or fails completely. The computer code simulates the entire transaction. If at the end, the loan repayment happens, then the transaction goes through and is broadcast on the blockchain. If the loan repayment does not happen, then the entire transaction is reverted – the state is restored to what it was earlier. The loan is not granted and the transaction does not happen.
In the real world, you cannot give a loan for a factory, check whether the factory actually turns out to be profitable enough to repay the loan, and then undo both the granting of the loan and the construction of the factory if things do not work out. But if everything is virtual and on the blockchain, this is exactly what you can do.
The attacker borrows cash of 10,000 ETH (roughly $ 2.5 million) using a flashloan. The fact that a completely unknown entity can borrow the equivalent of $ 2.5 million without any collateral and without any risk to the lender is one of the miracles made possible by the smart contracts of Decentralized Finance (DeFi).
Compound Transaction (Security Borrow): In this step, the attacker deposits a little more than half of the cash borrowed in Step-1 as margin to support a security borrowing transaction to borrow 112 WBTC (worth roughly $ 1 million).
Margin Trade or Trade A: The attacker deposits a little more than one-eighth of the cash borrowed in Step-1 to buy the security with 5:1 leverage. This is a huge whale-size trade in this market (recall that WBTC is an illiquid security) and there is only one liquidity provider that can meet this demand – a market-maker smart contract called Uniswap. This contract which is nicely explained in the Uniswap Whitepaper can always provide unlimited liquidity; but for large size trades, it offers absurdly distorted prices. Let me illustrate its algorithm using the example of market making between the US $ and Japanese ¥. Imagine that the market maker starts with $ 10,000 and ¥ 1 million and an exchange rate of $ 1 = ¥ 100. The smart contract uses a very simple formula to guide its operations. It multiplies $ 10,000 by ¥ 1 million to arrive at the product of 10 billion, and its sole goal in life is to keep this product of 10 billion unchanged during all the trading that it does. Suppose you went to this contract with ¥ 1,000 and asked it to give you dollars, it would give you $ 9.99 at an exchange rate of 100.1 ¥ / $ which is only a slight spread above the fair value of 100.1 ¥ / $ . At the end of this trade, the contract owns $ 9990.01 and ¥ 1.001 million, and the product is still 10 billion. Suppose instead, that you had gone to this contract with ¥ 10 million and asked it to give you dollars, it would have given you $ 9090.91 at the ridiculous exchange rate of 1,100 ¥ /$ . After this trade, the contract is left with $ 909.09 and ¥ 11 million and the product of these two is still 10 billion. This contract never declines a trade because it is too large. It simply distorts the price so much that it has enough money to pay out. The Uniswap market maker contract is designed to be used for small trades (say 1-2% of the available liquidity like the ¥ 1,000 trade, and not for trades of ¥ 10,000 let alone ¥ 10 million.
But for the attacker, creating a distorted price was the goal and it succeeded in achieving this. It bought 51 WBTC at a price of around 110 as against the fair price of less than 40. This is where a bug in the margin trade contract came into play. The contract required 20% margin (5:1 leverage) and the code was supposed to compute the adequacy of the equity in the position by valuing the security (WBTC) using an external price feed. If it did that, the code would have seen that the trade has negative equity (of about -2,300 ETH or about $ 0.6 million). The 51 WBTC valued at the fair price of less than 40 would be only around 2,000 ETH which is less than half the 4,300 ETH borrowed in the margin trade (the purchase price is around 5,600 while the cash margin provided by the attacker was only 1,300).
This is where the non recourse or limited liability nature of the margin borrow smart contract comes in. The critical point is that bZx does not have recourse to any other assets of the attacker (for example, its equity in the security borrow of Step-2). The attacker can simply walk away leaving bZx with the loss of $ 0.6 million in this contract. Of course, it loses the 51 WBTC lying in the contract, but that is what happens in any mainstream bankruptcy: you leave the assets behind and walk away from the debt.
Dump the borrowed security (Trade B): This trade which is also with the Uniswap market maker smart contract allows the attacker to sell the 112 WBTC borrowed in Step-2 at an inflated average price of 61.4 which is more than 150% of the fair price. I do not understand why the attacker sells more than what it bought in the previous step. As a result of the suboptimal (?) sizing of this trade, the attacker makes a gain of only around $ 0.3 million as against the $ 0.6 million loss caused to bZx.
Repay the flashloan: At this point, the attacker has enough cash to repay the flashloan of Step-1 despite the fact that over half of the proceeds of this loan are still locked up in the security borrow of Step-2. Indeed. the equity of the attacker in this security borrow (cash deposit less the value of the borrowed WBTC) is the profit of the attacker.
All the five steps listed above were completed in a few seconds (an Ethereum block is created every 15 seconds on average). What remains is to buy back WBTC to repay the security borrow (Step-2) and recover the cash trapped in that contract. The attacker is in no hurry to do that because it wants to minimize the impact cost of such a large trade. In a couple of days, this is done and the cash gains have been realized.
This shows that the problem with Decentralized Finance (DeFi) is not that the attacker is anonymous, nor that everything happens in a few seconds leaving others with no time to respond. The attacker’s gains are trapped in the security borrow for a couple of days. The difference with the real world is that DeFi has no provision for what in mainstream finance would be called piercing the corporate veil. In DeFi, there is no court to say that the owners of Step-2 and Step-3 are one and the same, and therefore the losses in the latter can be recovered from the gains in the other. In a blog post last year, I discussed the view of some scholars that mainstream finance itself takes limited liability too seriously, but DeFi seems to take the idea of limited liability to even greater dogmatic extremes.
To my mind, the vulnerabilities in mainstream finance and DeFi are broadly the same. In mainstream finance, smart lawyers find and exploit flaws in the legal code (legal terms of the contract): see for example, Matt Levine on Caesars Entertainment, on Hovnanian CDS and on McClatchy CDS. In DeFi, smart programmers find and exploit flaws in the software code. In both cases, the contracts behave differently from what they expected and get upset. For people on the outside with no stakes in the outcome, the exploitation of legal and software bugs are alike examples of intellectual creativity that can be admired, enjoyed or criticized.