Internally, bZx uses Kyber to determine the mid-price for the tokens involved in the position (it averages the price from both directions: call 1, call 2). The prices it gets all represent the correct market prices. As this tweet also points out, Uniswap is not used as a price feed.
The slippage risk
However, when you open a position like this, bZx needs to convert these 1300 ETH, multiplied by the leverage, to WBTC, which becomes your collateral.
The conversion is sent through Kyber. Kyber queries each reserve, but no reserve seems to have enough liquidity to fulfill that order alone, except for Uniswap. So the order is routed to Uniswap.
For such a huge volume, going through Uniswap skews the price a lot: bZx sends 5637 ETH, receives 51 WBTC. That’s 110 BTC/ETH where the normal price is closer to 36 BTC/ETH!
This is normally fine, as the position is overcollateralized by at least 20%, so you would need a slippage bigger than that to cause a problem. But here the slippage was bigger than that, so it caused a loss that ate into the lending pool.
The bZx bug
However, this seems to be an intentional design: the code also makes sure that the caller account is fully collateralized after everything is finished. If it is not, the call should revert.
So if there is a huge loss caused by slippage, the caller would not have enough collateral and the call would revert. This makes sense, and other contracts like dYdX have a similar design (see above).
The following code is supposed to enforce that the position is still sufficiently collateralized:
    require ((
        loanDataBytes.length == 0 && // Kyber only
        sentAmounts[6] == sentAmounts[1]) || // newLoanAmount
        !OracleInterface(oracle).shouldLiquidate(
            loanOrder,
            loanPosition
        ),
        "unhealthy position"
    );
But because of a logic bug, the first part of that condition is true and shouldLiquidate() is never called (you can check in the trace). So when the call should have reverted, it didn’t.
Lev Livnev has a more detailed writeup of the call stack that leads to that bug.
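To make the interaction between the slippage and the skipped check concrete, here is a simplified Python model, added as an illustration and not taken from the bZx contracts. The health rule (unhealthy once the swap loss at mid-price exceeds the 20% margin), the function names, the `sent_amounts` values and the "unconditional" variant are assumptions; only the ETH, WBTC and price figures come from the text above.

```python
"""Simplified model of the health check and its guard (added example, not bZx code)."""

MARGIN = 0.20          # page: positions are overcollateralized by at least 20%
MID_PRICE = 36.0       # page: normal price, in ETH per WBTC (Kyber mid-price)
ETH_SENT = 5637.0      # page: ETH sent through Kyber/Uniswap
WBTC_RECEIVED = 51.0   # page: WBTC collateral received

oracle_calls = []      # records every health-check invocation


def slippage_loss(eth_sent, wbtc_received, mid_price):
    """Fraction of value lost by the swap, valued at the oracle mid-price."""
    return 1.0 - (wbtc_received * mid_price) / eth_sent


def should_liquidate(eth_sent, wbtc_received, mid_price):
    """Hypothetical stand-in for OracleInterface.shouldLiquidate():
    unhealthy once the swap loss exceeds the collateral margin (assumption)."""
    oracle_calls.append((eth_sent, wbtc_received))
    return slippage_loss(eth_sent, wbtc_received, mid_price) > MARGIN


def guard_as_on_page(loan_data_bytes, sent_amounts, position):
    """Same boolean shape as the require() quoted above: `or` short-circuits,
    so a true left operand means the health check never runs."""
    return ((len(loan_data_bytes) == 0 and sent_amounts[6] == sent_amounts[1])
            or not should_liquidate(*position))


def guard_unconditional(loan_data_bytes, sent_amounts, position):
    """One possible hardening (assumption, not bZx's actual patch):
    the health check is evaluated on every path."""
    return not should_liquidate(*position)


def run_demo():
    position = (ETH_SENT, WBTC_RECEIVED, MID_PRICE)
    amounts = [0, 5637, 0, 0, 0, 0, 5637]   # constructed so that [6] == [1]
    oracle_calls.clear()
    passed_buggy = guard_as_on_page(b"", amounts, position)
    calls_buggy = len(oracle_calls)
    passed_fixed = guard_unconditional(b"", amounts, position)
    return passed_buggy, calls_buggy, passed_fixed, len(oracle_calls)


if __name__ == "__main__":
    print(f"swap loss at mid-price: {slippage_loss(ETH_SENT, WBTC_RECEIVED, MID_PRICE):.1%}")
    print(run_demo())
```

With the figures from the text, the swap loses about two thirds of its value at mid-price, yet the guard in the quoted shape passes without consulting the oracle once.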
Effect on bZx pool
After that transaction, bZx has:
So this transaction caused a loss of equity of around 620000$ in bZx.
This is an outside view. From the perspective of bZx, the attacker converted their 1300 ETH into 51 WBTC of collateral (bug), and also left 360 ETH as escrowed interest. You can refer to their official post-mortem to learn more about that and how it should affect the people who put loans in the pool.