bZx attacked again, $645K in ETH estimated to be lost
February 18, 2020, 1:26AM EST · 2 min read
- Decentralized finance (DeFi) lending protocol bZx has just been exploited – again
- The estimated loss is 2,388 ether (ETH) this time, i.e. nearly $645,000
- Robert Leshner, founder of a competing DeFi lending protocol Compound, told The Block that the bZx team “should immediately cease operations until the platform can be thoroughly and completely audited”
Decentralized finance (DeFi) lending protocol bZx has just been exploited - again.
The estimated loss is 2,388 ether (ETH) this time, i.e., nearly $645,000. “This attack appears to be an oracle manipulation attack,” said bZx co-founder Kyle Kistner in the firm’s official Telegram channel.
Market observers are referring to this transaction as suspicious for the latest attack.
“We can neutralize this like we did last time,” said Kistner.
Just earlier today, bZx published a post-mortem of their initial attack, saying that 1,193 ETH, currently worth around $298,000, were lost.
In light of the latest suspicious transaction, bZx has again paused its protocol. The transaction is said to have occurred using flash loans and trading on Synthetix. "It does not impact the Synthetix system though it did involve sUSD," bZx tweeted today.
On Tuesday afternoon, the bZx team said that it was working with the development team behind Chainlink and "expediting the addition of the oracle to our model."
"After this is added, we will go online with extremely limited functionality: lending, unlending, and closing positions/loans. New positions and new loans will not be available," the bZx team wrote in its tweet.
Here's the apparent mechanism of the attack, as explained by Larry Cermak, The Block's director of research:
An attacker took out a flash loan of 7,500 ETH, bought 3,518 ETH worth of sUSD for close to $1 and subsequently deposited it to bZx as collateral. They then used 900 ETH to market buy sUSD on Kyber and Uniswap and therefore manipulate the price of sUSD to more than $2. This allowed the attacker to take out a larger loan than they were supposed to because the collateral appeared bigger than it was. With this collateral, the attacker then borrowed another 6,796 ETH on bZx and used it (as well as the remaining ETH balance) to repay the original flash loan. In the end, the attacker netted 2,388 ETH in profit (~$645,000) - the bZx ETH pool lost about $1.8 million while the sUSD pool gained $1.1 million.
Robert Leshner, founder of a competing DeFi lending protocol Compound, told The Block: “Security is the ultimate priority for a financial product. The bZx team has repeatedly demonstrated that it isn’t capable of protecting user funds, and should immediately cease operations until the platform can be thoroughly and completely audited.”
This story has been updated with new information.
© 2020 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.