$0 USD





"bZx (formerly known as b0x) was conceived in August 2017." "bZx was founded by Tom Bean, a self-starter with years of experience working with top-profile car companies using GPS technology." "The project first started publicly marketing themselves during ETHDenver in 2018. Since then, the protocol published their formal whitepaper in February of 2018, followed by a testnet release in April and a full mainnet launch in August of the same year." "The bZx team currently lists 8 team members and 3 advisors on their official website."


"bZx is a set of smart contracts built on top of Ethereum that allows people to lend and margin trade without having to rely on third parties." "Fulcrum is a powerful DeFi platform for tokenized lending and margin trading." "Fulcrum is a decentralized margin trading platform. There is no need for any verification, KYC or AML." "It is the first and only completely trustless platform for margin; it does not use centralized price feeds or centrally administered margin calls. It is permissionless and rent free; there are no fees and no accounts. Fulcrum is built on the bZx base protocol and extends the protocol by allowing both loans and margin positions to be tokenized." "Enjoy a frictionless trading experience with positions that automatically renew and zero rollover fees."


"bZx has been heavily focused on solidifying strong industry partnerships with key players including but not limited to MakerDAO, Kyber, ChainLink, Augur and Set Protocol." "The bZx base protocol [was] audited by leading blockchain security auditor ZK Labs."


"All started on January 11, 2020, when Fulcrum team released their own Flash Loans feature on the Ethereum Mainnet, and we happened to find a very critical vulnerability in it. We discovered that $2.5M of user funds from 3 pools could be stolen within a single transaction. We prepared our own smart contract to perform a white-hat hack to protect user funds. Since the vulnerable smart contract was published less than 48h before we discovered the issue, there was a very high chance malicious attackers could exploit it, and we wanted to assure that this wouldn’t happen."


"At the very last moment, we decided to make a proof of concept and transferred only 1 weiDAI (0.000000000000000001 DAI) in two separate transactions to make sure it was true and give the Fulcrum team a chance to shut down their system (we had no idea if they had such functionality and had not enough time to check). This potentially would allow their system to avoid an inconsistent state and recover without significant damage. We decided to spend up to half an hour trying to reach the team by every accessible communication channel, and if we failed to reach them we were standing by to white-hack the funds and immediately disclose it to the DeFi community."


"We provided a link to the proof-of-hack transactions (first and second) in the hope that they would immediately stop their smart contract. We offered to the Fulcrum team to white-hack their pools at any moment to protect user funds if they had no kill-switch, but they declined. Apparently they thought it was worth risking user funds during the period of building and queueing a patch in order to avoid integration issues and negative attention."


"It took nearly 4 hours for the Fulcrum team to manage the issue, and we got no details from the team about the progress. Additionally, the deployment of the fix took another 12 HOURS, because of special system upgrade timelock in the smart contract."


"Since we contacted the Fulcrum team and they denied us permission to white-hack, we were legally unable to help their users and were forced to wait and monitor their contracts for suspicious transactions and Approval events for 16 hours."
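The monitoring described above (watching a live contract for Approval events while a fix sits in a timelock) is something any incident responder in DeFi ends up doing by hand. Below is an added example of that check, written for this page and not code from the reporting team or from bZx. It scans raw Ethereum log entries, as returned by `eth_getLogs`, for ERC-20 Approval events in which a monitored pool contract is the owner, i.e. the pool itself has granted a spender an allowance over its tokens, and flags any such approval to a spender not on an allow-list. All addresses, transaction hashes and log entries are constructed for illustration and are not the real bZx contracts.

```python
# Added example, not code from the original page or from the bZx/1inch teams:
# an offline scan of raw Ethereum log entries for ERC-20 Approval events in
# which a monitored pool contract is the owner, i.e. the pool granted someone
# an allowance over its own tokens. All addresses and log entries below are
# constructed for illustration.
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"), the topics[0] of every
# ERC-20 Approval event (ERC-721 reuses the same signature hash).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

# Hypothetical addresses (not real contracts).
POOL_ITOKEN = "0x" + "11" * 20        # a lending-pool contract holding user funds
KNOWN_ROUTER = "0x" + "33" * 20       # a spender the pool is expected to approve
UNKNOWN_SPENDER = "0x" + "22" * 20    # anything else is suspicious
ORDINARY_USER = "0x" + "44" * 20
TOKEN = "0x" + "55" * 20              # the ERC-20 whose Approval events we watch


def pad_topic(address: str) -> str:
    """An indexed address is ABI-encoded as a 32-byte word, left-padded with zeros."""
    return "0x" + address[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    token: str
    owner: str
    spender: str
    value: int


def scan_approvals(logs, monitored_owners, allowed_spenders):
    """Return an Alert for every ERC-20 Approval whose owner is a monitored
    contract and whose spender is not on the allow-list."""
    owners = {a.lower() for a in monitored_owners}
    allowed = {a.lower() for a in allowed_spenders}
    alerts = []
    for log in logs:
        topics = log["topics"]
        # ERC-20 Approval: topics = [sig, owner, spender], data = value.
        # ERC-721 Approval shares the signature hash but has 4 topics
        # (tokenId is indexed) and empty data, so it is skipped here.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner = topic_to_address(topics[1])
        spender = topic_to_address(topics[2])
        if owner in owners and spender not in allowed:
            alerts.append(Alert(
                tx_hash=log["transactionHash"],
                token=log["address"].lower(),
                owner=owner,
                spender=spender,
                value=int(log["data"], 16),
            ))
    return alerts


# Constructed sample logs in the shape returned by eth_getLogs.
MAX_UINT256 = (1 << 256) - 1
SAMPLE_LOGS = [
    {   # benign: a user approving the pool to pull their deposit
        "address": TOKEN, "transactionHash": "0xaaa1",
        "topics": [APPROVAL_TOPIC, pad_topic(ORDINARY_USER), pad_topic(POOL_ITOKEN)],
        "data": "0x" + format(10**18, "064x"),
    },
    {   # benign: the pool approving a spender we expect
        "address": TOKEN, "transactionHash": "0xaaa2",
        "topics": [APPROVAL_TOPIC, pad_topic(POOL_ITOKEN), pad_topic(KNOWN_ROUTER)],
        "data": "0x" + format(MAX_UINT256, "064x"),
    },
    {   # suspicious: the pool granting an unknown address an unlimited allowance
        "address": TOKEN, "transactionHash": "0xaaa3",
        "topics": [APPROVAL_TOPIC, pad_topic(POOL_ITOKEN), pad_topic(UNKNOWN_SPENDER)],
        "data": "0x" + format(MAX_UINT256, "064x"),
    },
    {   # an ERC-721 Approval from the pool: same signature hash, 4 topics, ignored
        "address": "0x" + "66" * 20, "transactionHash": "0xaaa4",
        "topics": [APPROVAL_TOPIC, pad_topic(POOL_ITOKEN), pad_topic(UNKNOWN_SPENDER),
                   "0x" + format(7, "064x")],
        "data": "0x",
    },
]

if __name__ == "__main__":
    for a in scan_approvals(SAMPLE_LOGS, [POOL_ITOKEN], [KNOWN_ROUTER]):
        print(f"ALERT {a.tx_hash}: {a.owner} approved {a.spender} for {a.value} on {a.token}")
```

In a real deployment the log list would come from a node's `eth_getLogs` with the `address` filter set to the tokens held by the pools and `topics[0]` set to the Approval signature; the allow-list of spenders is the part that needs care, since an attacker who can make the pool call `approve` on itself will look exactly like a legitimate integration until the spender is checked.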


"Finally, the fix was deployed on mainnet. But this story wasn’t over yet. We genuinely feel ashamed that after working through an anxiety-filled night with them, they basically tried to deny us any bounty reward. Please note that it’s usually industry practice to share a percentage of funds saved, while here they are trying to deny us anything based on a technicality."


"After all this, it still got worse. Instead of disclosing the incident to the community as promised, the strategy was now to cover up. They tried to use the $3.5k to silence us and hide the whole thing. The right thing would have been to share it with their users and community so they can decide whether they want to continue entrusting their money to code that the Fulcrum team released."


"We strongly feel that we need to come forward with this information, and honestly wish we had done so earlier. Making mistakes is ok, but denying the truth to users and the community and therefore depriving them of their ability to make informed decisions, especially when it comes to money, is unacceptable."

The newly released flash loan feature in bZx's Fulcrum smart contracts had a vulnerability that put roughly $2.5M of user funds in three lending pools at risk of being drained in a single transaction. It was reported privately and patched before anyone exploited it. After a dispute over the bounty (the reporters say they were first denied one and then offered $3.5k to keep quiet), the team sought to cover up the vulnerability rather than disclose it to users.


No funds were lost in this case. An independent industry insurance fund would be able to publish reports, cover losses, and/or pay bounties in the best interests of the industry as a whole.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.