bZx Changes Its Dev Framework After Hack; Integrates Chainlink Decentralized Oracles
bZx exchange has released changes to its platform in light of the double attack it suffered on Valentine's Day. In an announcement released on Tuesday, the co-founder and CEO of the exchange, Kyle Kistner, also apologized for the handling of the $2.5 million vulnerability on 1inch.exchange caused by a bug on its Fulcrum platform.
In a bid to prevent future troubles on the platform, the bZx dev team is reworking its oracle design, development framework, and review processes for new code.
bZx exchange loses over $2.5 million in hacks
In the widely covered bZx exchange double hack on Feb. 14, a user exploited a bug in the system and made off with $365,000 USD in ETH, leading to widespread panic. Less than 72 hours later, the platform suffered yet another exploit, this time for over $645,000 USD in ETH.
.@bzxHQ is back on mainnet, secured by Chainlink's Price Reference Data Contracts. bZx's critical functions now execute based on market-wide price discovery, thanks to decentralized oracle networks that aggregate data from all the top liquidity sources. https://t.co/N2hmSp2WAG
— Chainlink – Official Channel (@chainlink) March 10, 2020
While the first hack exploited the smart contract code, the second originated from a bug in the oracle system. To prevent this in the future, the exchange is adopting a new oracle design by integrating the decentralized oracle Chainlink into its system. This is not the first time bZx has partnered with Chainlink.
The company is also planning to integrate Band and Uniswap v2.0 oracles into its platform in the future.
“Chainlink’s Price Reference Data Contracts are decentralized oracle networks made up of multiple independent, security reviewed, and Sybil resistant node operators.”
Furthermore, the exchange has released newly refactored code that will be deployed once it has been economically audited, to prevent such exploits.
“We will transition to an EIP-like system for cataloging new features and improvements to the protocol. This will make the process of how new code gets added completely visible to the public. Features should not be added as a surprise or at the last moment.”
He further added,
“We will never again publish unaudited code, no matter how few lines or trivial.”
bZx to pay for the losses
All the losses from the hacks will be absorbed by the bZx exchange and protocol stakeholders. The company is currently working towards directing protocol profits into the insurance fund so that the debt owed on the platform can be repaid. The post reads,
“Given the current value of the insurance fund and its annualized rate of growth, it should be more than able to cover the loss at the time it needs to be realized in the year 2285 AD.”
Kistner apologizes for 1inch.exchange bounty reward
About three weeks before the two successive exploits, 1inch.exchange came forward to report that they had found a vulnerability on the Fulcrum exchange putting over $2.5 million at risk. However, bZx neither paid the devs their bounty fee nor communicated the issue to its users.
Kistner apologized in his blog post for the delay in paying the bounty. He remarked,
“Rather than simply pay the full bug bounty immediately, with extreme gratitude for finding such a serious exploit, we tried negotiating. This was a serious mistake that we need to take responsibility for. Under no circumstances should this have happened, and we sincerely apologize.”