bZx is a lending protocol for DeFi (Decentralized Finance) and cryptocurrency that runs on the Ethereum blockchain. bZx also functions as a platform that hosts a variety of dApps, or decentralized applications. The protocol is governed by the BZRX token^[2].

In 2020, bZx suffered from three hacks. According to bZx’s report, the protocol was compromised for the first time on February 14, when the team was at the ETHDenver industry event. The second attack, according to industry news outlet The Block, took place four days later on February 18th. The third attack happened in September and bZx was able to recover all of the $8 million worth of cryptocurrency which was stolen during the hack.

Overview

bZx protocol is a collection of smart contracts that are built on the Ethereum blockchain with focus on lending and margin trading in cryptocurrency. The three main tokens of the bZx ecosystem include:

• iTokens
• pTokens
• BZRX Tokens

These three coins are ERC20 tokens.  iTokens accumulate interest, and can go up in value the longer they are held onto. Each iToken represents a share in a bigger pool as borrowers pay interest into the token. pTokens allow the purchaser to have a short or leveraged position, and BZRX Tokens function as governance tokens within the bZx platform.

BZRX Tokens

An audit of the smart contracts surrounding the BZRX was completed by the cybersecurity company, Certik. $BZRX tokens have a total supply of 1,030,000,000 tokens^[3].

BZRX is a governance token that gives holders the power to make changes to the protocol. The tokens have been allocated in the following way:

• 21.35% on a vesting schedule for strategic partners and backers
• 13.65% went to presale
• 20 went to the team
• 20% went to the bZx builder fund
• 5% went to the security and alignment fund
• 20% went to the ecosystem fund

Products and Ecosystem

Products

Fulcrum and Torque are built on the bZx protocol, with Fulcrum focusing on DeFi margin lending and trading, and the latter on indefinite term loans with fixed interest rates.

Ecosystem

bZx has many dApps in their ecosystem including:

• DeFi Saver
• Staked
• Dexwallet
• 1inch.exchange
• Betoken
• Eidoo
• Alpha Wallet
• Idle
• defiportfolio
• ParaSwap
• Totle
• DeFiZap

BZRX V3 Token Model Propositions

On June 29, 2020, bZx published an official blog post announcing proposed changes to their BZRX token.

Fee-Sharing Mechanism: The first concerned a fee-sharing mechanism using one of two Balancer pools and a “feeSweep()” function. This lets participants generate fees from assets locked in the Balancer pool, providing liquidity to pool users. In this way, every trade, loan and serviced debt generates fees for the protocol.

• Origination fee: 0.09%
• Trading fee: 0,15%
• Interest fee: 10% of interest paid

The proposal also included plans for a staking portal that allows users to stake and unstake their BZRX with a single click.

Protocol disbursement program: The other proposal suggested rewarding bZx users with tokens. According to the post, 20% of the total token supply has been allocated to rewarding users of the protocol, with the allocation further split into reimbursing protocol fees or issuing payouts based on the number of fees generated that week.

2020 Hacks

In 2020, bZx suffered from three hacks. According to bZx’s report, the protocol was compromised for the first time on February 14, when the team was at the ETHDenver industry event. The second attack, according to industry news outlet The Block, took place on February 18. The third attack happened in September and bZx was able to return about $8 million worth of cryptocurrency.

The First Hack

The attacker used multiple DeFi (Decentralized Finance) protocols to lend and swap significant quantities of Ether and Wrapped Bitcoin (WBTC) in a way that allowed them to manipulate the prices and profit off of decentralized leveraged trade. The attacker first took out a loan of 10,000 Ether (ETH) from decentralized lending protocol dYdX, then used 5,500 ETH ($1.46 million) to collateralize a 112 Wrapped Bitcoin (WBTC) loan (valued at over $1 million at the time) on DeFi protocol Compound. At this point, the attacker sent 1,300 ETH (valued at over $372,000) to decentralized margin trading ETH to open a 5x leveraged position on the ETH/BTC pair on bZx’s Fulcrum trading platform and borrowed 5,637 ETH through Kyber's Uniswap and swapped them for 51 WBTC, causing large slippage. This, in turn, allowed the attacker to profit from swapping the 112 WBTC from Compound to 6,671 ETH, resulting in a profit of 1,193 ETH (nearly $318,000). The hacker then paid back the 10,000 ETH loan on dYdX that they took out.

According to an in-depth analysis of the attack, the transaction with which the attacker opened the leveraged trade should have been prevented by safety checks, but those checks did not fire due to a bug in bZx’s smart contract. The team behind the protocol quickly patched the bug that allowed the hack to happen.

The Second Hack

The nature of the second attack is still largely unclear, but a message from the project’s CVO and operations lead Kyle Kistner in the official bZx Telegram group suggested that it was an oracle manipulation attack. Oracles are usually centralized components that provide external data to on-chain applications.

The Block estimates the loss to be 2,388 ETH (nearly $636,000). Kistner said that the team can neutralize the hack and prevent the loss of user funds like they did for the first hack. Furthermore, he promised that bZx developers will switch to oracles based on the ChainLink protocol, seemingly suggesting that it would make the system safer. In March, bZx developers integrated the protocol with ChianLink and worked with the ChainLink team on making the platform more secure^[5].

The Third Hack

bZx said in an incident report that $8 million worth of cryptocurrency had been stolen by an attacker who exploited a code bug to mint the protocol's interest-earning iToken, which was used to redeem, and walk away with, digital assets held in various lending pools. bZx’s official Twitter account announced on September 14 that funds had been restored. Paris Fotis, a spokesperson for the project, said bZx had been able to track down the attacker using his or her on-chain activity. The attacker returned the funds after being exposed, according to Fotis^[4].

Updates on Hacks

Funds Recovery

The ecosystem is currently working with law enforcement to obtain warrants from exchanges and other platforms that the hacker has interacted in order to obtain identifying information. All information gathered is being turned over to law enforcement to assist them in their investigation. The hacker has converted a large number of stolen assets into ETH and transmitted them through Tornado Cash. Best efforts are being made to continue tracking these assets as long as possible^[6].

Compensation Plans

bZx's community has been taking it upon itself to drive a sustainable compensation plan for its community members. Having formed forums, the ecosystem's current plan has been submitted for snapshot vote, after which, if approved it will proceed to on-chain DAO voting. The securing of the on-chain vote is to authorize the release of the treasury funds, which will be used to compensate users who lost funds in the attack. Conclusively, the protocol aim to issue repayement of debt token from 30% of protocol revenue and fees.^[7]

Team

bZx was conceived by Tom Bean and Kyle J Kistner in August of 2017. By February of 2018, they released a white paper, and in December of 2018 the team raised $7.8 million with an Initial Coin Offering (ICO) of BZRX tokens.

Members of the bZx team include:

Name	Title
Tom Bean	Founder/CEO
Kyle Kistner	CVO and Operations Lead
Nick Sawinyh	Head of Marketing
Chris Brennan	Lead Community Manager
Rodion Kharabet	Senior Full-Stack Developer
Diana Kovaliova	Frontend Developer
Genka Omyshev	Lead Designer
Casey Fallon	Senior Designer
Manish Singh	bZx Advisor, CIO at Crossbridge Capital
Alexander Khoriaty	bZx Advisor, Project Manager at district0x