Zest Protocol Lending Collateral Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Zest Protocol Logo/Homepage

Zest Protocol offers a decentralized lending protocol built around the Bitcoin blockchain using the Stacks layer 2. Shortly after its public launch, a vulnerability was exploited that allowed an attacker to borrow more assets than their posted collateral should have permitted. The 324,000 STX taken were worth roughly $1m at the time. The team offered a $100k bounty for information leading to the attacker, and a Binance withdrawal address linked to the attacker was subsequently uncovered. A full reimbursement of all users from the Zest Protocol treasury has been promised.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12]

About Zest Protocol

"The Bitcoin liquidity protocol" "Zest Protocol is an on-chain lending protocol, built for Bitcoin Put your BTC to work to earn more BTC, or borrow against your BTC. Zest Protocol's smart contracts operate on-chain and are open-source."

"When mainnet? Zest Protocol is in private beta. Request early access above"

"Zest Protocol exists to make Bitcoin productive. All of it. The protocol strives to create a vibrant borrowing and lending ecosystem around BTC the asset."

"To lend out or borrow against BTC, you have to trust a CeFi platform (or custodian in the case of wBTC) with handling your BTC funds. As a result, most Bitcoin sits idle in cold storage and isn’t used to grow the Bitcoin economy.

Any economy needs borrowing and lending to live, breathe, and grow - and so does the Bitcoin economy. Bitcoin holders need to be able to access liquidity safely without having to sell their BTC. Businesses need to be able to borrow BTC to scale up their activity in the Bitcoin economy."

"The solution is an on-chain BTC lending market that runs on smart contracts that are secured by the Bitcoin blockchain itself. Enter Zest Protocol.

Zest Protocol reduces counterparty risk by holding capital and issuing loans transparently on chain. Zest Protocol relies on smart contracts to handle pooled funds rather than opaque unaudited balance sheets. Anyone can check on the funds at any time, as well as the open source smart contract code that moves the funds around.

Zest Protocol features two types of pools:

Earn pools, where users earn a yield on their BTC

Borrow pools, where users borrow against their BTC"

"Zest Protocol runs on smart contracts that are secured by the Bitcoin blockchain. These are Clarity smart contracts on Stacks, a Bitcoin L2.

Clarity smart contracts on Stacks can interact with Bitcoin by reading Bitcoin-state directly from the Bitcoin blockchain without requiring an intermediary. Stacks is our secret sauce.

To hold BTC in escrow in Zest Protocol, we leverage the Stacks L2's unique architecture that enables non-custodial movement of BTC from Bitcoin L1 to the Stacks L2 as sBTC. All while Zest Protocol users only interact with native BTC on Bitcoin L1.

Deposit: When a user sends BTC to Zest Protocol through the Zest Protocol UI, the BTC gets wrapped to a tokenised version of BTC on the Stacks layer (sBTC). Subsequently, the sBTC programmatically ends up in the Zest pool contracts.

Withdraw: When a user withdraws BTC from Zest Protocol, Zest Protocol facilitates a programmatic unwrapping from sBTC to BTC. The withdrawing user receives native BTC directly into their Bitcoin wallet.

While sBTC sits in a Zest pool, the equivalent amount of BTC is held in a threshold-signature script on the Bitcoin blockchain controlled by Stacks consensus."

"Wrapped BTC yield products require the user to wrap BTC before participating in on-chain activity.

These wrapped BTC products charge basis point fees for (un)wrapping BTC. Wrapping BTC into wBTC or tBTC costs ~15bps (0.15%). A lending protocol operating with wrapped BTC thus requires users to pay (un)wrapping fees before/after interacting with the protocol. In many cases, this can make interactions with lending protocols uneconomical.

For example, if I want to lend out my idle BTC for 2 months at 5% APR I'm set to earn 0.83% over these two months. If I also have to wrap BTC before interacting with the protocol and unwrap it afterwards, I'm set to earn just ~0.5% (2x 0.15% (un)wrapping fee). That in combination with the fact that wrapped Bitcoin products can be volatile and sometimes de-peg would unlikely make this yield bearing activity worth it for me as a user."

"ZEST PROTOCOL IS OPEN TO THE PUBLIC! Introducing the first money market on @Stacks Our STX lending market is the first step in unlocking the power of sBTC - backed 1:1 to BTC - on Bitcoin's largest L2."

"For the first phase of Zest Protocol, users can deposit to unlock liquidity on their various Stacks assets. Bullish on STX? Borrow against it and never have to sell again.

With Zest Protocol, there's no easier way to maximize leverage on your Stacks portfolio!"

"When the Nakamoto Upgrade rolls out, native Bitcoin holders will be able to deposit their BTC directly into Zest Protocol in a single transaction.

You'll be able to earn trustless yield and borrow against your BTC, all while maintaining ownership of your assets."

“The team at Zest is mission-driven to make Bitcoin a truly viable global reserve asset in the next decade. This Stacks market launch helps them make the first step towards redefining Bitcoin lending.” - @muneeb, Co-Founder of Stacks.

"degens are borrowing so much STX on @ZestProtocol that rates are at 300%"

"The Bitcoin-native lending protocol, Zest Protocol tweeted that it experienced an attack. The attacker lent out an amount exceeding the value of their collateral by artificially inflating its value. The attack has been mitigated, and all unauthorized access has been disabled. The attacker removed 324,000 STX from the protocol, and this loss will be compensated from the Zest Protocol's treasury, ensuring full reimbursement of user assets."

"Zest Protocol experienced an attack. The attack has been mitigated and user balances are safe.

Zest Protocol is frozen until further notice. Users' positions will be unaffected until the protocol reopens."

"At open launch, the attacker artificially increased the value of their collateral to borrow an amount exceeding the value of their position.

The attack has been mitigated and all unauthorised access has been disabled."

"The attacker removed 324k STX from the protocol. This amount will be reimbursed from the Zest Protocol treasury and users will be whole.

The remaining funds remain protected in Zest Protocol smart contracts which the attacker no longer has access to."

"Anyone who leads us to the attacker and the funds, we will reward $100k."

"Zest Protocol is the first lending market written in the Clarity smart contract language. While unfortunate, this event is a necessary step to build a robust lending layer for the Bitcoin economy."

"Security is at the heart of Zest Protocol's design. That's why we underwent full smart contract audit and have been running two bug bounty programmes since launch, more than any other protocol on @Stacks. Pressure makes diamonds"

"Collateral List Manipulation: The attacker's primary action was to manipulate the collateral list by repeating entries. This duplication caused the smart contract to overcalculate the total collateral value. Excessive Borrowing: The exploit was executed in 5 borrow calls with a repeating asset list. In these calls the attacker was able to borrow an amount substantially greater than what should have been allowed."

"the walls are closing in on the attacker. A Binance withdrawal address has been uncovered that will reveal the identity of the attacker (see path below) and the full range of legal actions are currently being deployed."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Zest Protocol Lending Collateral Vulnerability

Date | Event | Description
April 10th, 2024 7:38:37 AM MDT | Binance Withdrawal | Initial funds are withdrawn from Binance by the attacker.
April 11th, 2024 9:55:00 AM MDT | Public Launch Announced | The Zest Protocol is publicly launched with a celebration post.
April 11th, 2024 10:54:00 AM MDT | Really High Rates | There is so much borrowing happening in the protocol that rates reach 300%.
April 11th, 2024 11:07:01 AM MDT | Malicious Borrow | A malicious borrow transaction takes out more than the posted collateral should allow.
April 11th, 2024 3:20:00 PM MDT | Protocol Team Tweet | The Zest Protocol team tweets about the incident.
April 12th, 2024 6:26:00 AM MDT | Security Update Post | A security update post informs the community that the attacker has been traced to a Binance address.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
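The mechanism described in the quoted post-mortem (a caller-supplied collateral list with repeated entries, so the contract counted the same deposit several times across five borrow calls) is easy to model. The Python below is an added illustration written for this page; it is not Zest Protocol's Clarity code, and the prices, loan-to-value ratios, account balances and sample borrow calls are constructed values. It places the defective computation (sum over the list as given) beside a hardened version that derives the asset set from the protocol's own deposit records, adds an input validator that rejects duplicate entries outright, and ends with a monitoring check that flags decoded borrow calls whose asset list repeats an entry.

```python
"""Toy model of a lending-market borrow check where the caller supplies the
list of collateral assets to count.

Added illustration for this case study, not Zest Protocol's Clarity code.
Prices, LTV ratios, balances and the sample borrow calls are constructed.
"""
from collections import Counter
from decimal import Decimal

# Constructed reference data (not real market values).
PRICE_USD = {"STX": Decimal("3.00"), "sBTC": Decimal("70000")}
LTV = {"STX": Decimal("0.70"), "sBTC": Decimal("0.75")}

# Constructed deposits: one account holding 10,000 STX as collateral.
DEPOSITS = {"acct-A": {"STX": Decimal("10000")}}


def borrowing_power_vulnerable(account, assets):
    """Sum collateral value over the asset list exactly as supplied.
    Each occurrence is counted again, so a repeated entry inflates the
    total. This is the defect class the incident write-up describes."""
    total = Decimal(0)
    for asset in assets:
        amount = DEPOSITS.get(account, {}).get(asset, Decimal(0))
        total += amount * PRICE_USD[asset] * LTV[asset]
    return total


def borrowing_power_hardened(account):
    """Derive the asset set from the protocol's own deposit records rather
    than from caller input, so the caller cannot choose what is counted."""
    total = Decimal(0)
    for asset, amount in DEPOSITS.get(account, {}).items():
        total += amount * PRICE_USD[asset] * LTV[asset]
    return total


def is_valid_asset_list(assets):
    """True only if every entry is a known asset and none is repeated."""
    if len(set(assets)) != len(assets):
        return False
    return all(asset in PRICE_USD for asset in assets)


def validate_asset_list(assets):
    """Defence in depth for any entry point that still accepts a list:
    abort on duplicates or unknown assets instead of silently deduplicating,
    so a malformed call fails loudly and leaves a trace."""
    if not is_valid_asset_list(assets):
        raise ValueError(f"invalid collateral asset list: {assets}")
    return True


def can_borrow(account, assets, requested_usd, vulnerable=False):
    """Return True if the requested USD amount is within borrowing power."""
    if vulnerable:
        power = borrowing_power_vulnerable(account, assets)
    else:
        validate_asset_list(assets)
        power = borrowing_power_hardened(account)
    return requested_usd <= power


def flag_duplicate_asset_calls(calls):
    """Monitoring check over decoded borrow calls: return the ids of calls
    whose asset list repeats an entry. A legitimate call has no reason to
    list the same collateral twice, so each hit is worth an alert."""
    flagged = []
    for call in calls:
        counts = Counter(call["assets"])
        if any(n > 1 for n in counts.values()):
            flagged.append(call["id"])
    return flagged


# Constructed sample of decoded borrow calls, as a monitor might see them.
SAMPLE_CALLS = [
    {"id": "tx-1", "account": "acct-A", "assets": ["STX"]},
    {"id": "tx-2", "account": "acct-A", "assets": ["STX", "STX", "STX", "STX"]},
    {"id": "tx-3", "account": "acct-A", "assets": ["sBTC", "STX"]},
]

if __name__ == "__main__":
    honest = borrowing_power_hardened("acct-A")
    inflated = borrowing_power_vulnerable("acct-A", ["STX"] * 4)
    print(f"true borrowing power (USD):        {honest}")
    print(f"inflated by 4x repetition (USD):   {inflated}")
    print("flagged calls:", flag_duplicate_asset_calls(SAMPLE_CALLS))
```

With the constructed numbers, 10,000 STX at $3.00 and a 70% loan-to-value ratio gives $21,000 of borrowing power; listing "STX" four times makes the vulnerable path report $84,000, while the hardened path rejects the same call before any value is computed. The design point is that the list of collateral to count should never be an input a borrower controls; the validator is a second layer for interfaces that cannot be changed, and the monitoring check gives an operator a cheap signal to alert on even when the contract itself has not been fixed.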

Total Amount Lost

The total amount lost has been estimated at $1,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered has been estimated at $1,000,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References