bZx exploit: Former Google engineer explains how an attacker made $350K in single transaction

Quick Take

  • Former Google engineer Korantin Auguste has explained how bZx lost funds in a recent attack
  • Auguste estimates that the attacker profited $350,000
  • Notably, Auguste said that it was not an oracle bug

Korantin Auguste, a former Google software engineer, has explained in detail a recent attack on decentralized finance (DeFi) project bZx.

In a blog post published Monday on his personal website Palkeo, Auguste said an attacker borrowed 10,000 ETH (currently worth about $2.49 million) from dYdX, a non-custodial exchange for margin trading.

The attacker then sent 5,000 ETH to DeFi lending protocol Compound and borrowed 112 wrapped bitcoins (WBTC), an Ethereum-based token backed 1:1 by bitcoin, to pull off the attack.

Next, the attacker sent 1300 ETH to bZx to open a 5x short position for WBTC. "This call opens a Fulcrum position, shorting ETH against WBTC with a x5 leverage. This position is on 1300 ETH (huge)," said Auguste.

bZx then internally converted 5637 ETH to 51 WBTC through a Kyber order routed to Uniswap. The attacker converted the 112 WBTC to 6871 ETH on Uniswap, then sent the 10,000 ETH back to dYdX.

“The attacker exploited a bug in bZx that caused it to trade a huge amount on Uniswap, at a 3x inflated price,” said Auguste, adding that the attacker was able to sell 112 WBTC for 6871 ETH because “the Uniswap supply is all distorted.”

The attacker ended up with 71 ETH, but that is not their “pure arbitrage profit,” said Auguste. “They ended up the transaction with a Compound position having 5500 ETH of collateral and only 112 wBTC borrowed. This is around 350k$ worth of equity in Compound.”

Put simply, a “logic bug” in bZx’s code caused a loss of equity of around $620,000 for the protocol and around $350,000 worth of profit for the attacker, said Auguste. “It’s the mere fact of opening their huge position that caused a leak of funds from bZx to Uniswap, that they exploited.”

Notably, Auguste said that it was not an oracle bug, but rather a vulnerability.

He also said that the equity loss from bZx and the money the attacker made don’t add up because "the attacker possibly didn’t maximize their profit, and they left Uniswap completely unbalanced after their attack. A lot of bots then rushed to make a profit out of it."
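The price distortion described above can be reproduced with constant-product (x*y=k) pool arithmetic. The following is an added example, not code from Auguste's post or from bZx, and it makes no claim about what the bZx logic bug was: it shows how a single large order lands at roughly 3x the pre-trade price and how a bound on the average execution price would reject it. The pool reserves, reference price, 5% tolerance and function names are constructed assumptions; only the 5637 ETH, 51 WBTC, 112 WBTC and 6871 ETH figures come from the article.

```python
"""Constant-product (x*y=k) price impact and a slippage guard.
Pool reserves and the reference price are constructed, not from the article."""

FEE = 0.003  # Uniswap v1 swap fee (0.3%)


def swap_out(reserve_in, reserve_out, amount_in, fee=FEE):
    """Tokens received from an x*y=k pool for amount_in, after the fee."""
    effective_in = amount_in * (1 - fee)
    return reserve_out * effective_in / (reserve_in + effective_in)


def execution_price(amount_in, amount_out):
    """Average price of a trade, in input tokens per output token."""
    return amount_in / amount_out


def guarded_swap(reserve_in, reserve_out, amount_in, reference_price, max_slippage):
    """Return the output amount, or raise if the average price paid exceeds
    reference_price by more than max_slippage (0.05 means 5%)."""
    out = swap_out(reserve_in, reserve_out, amount_in)
    paid = execution_price(amount_in, out)
    if paid > reference_price * (1 + max_slippage):
        raise ValueError(f"slippage too high: paid {paid:.1f}, reference {reference_price:.1f}")
    return out


# Figures reported in the article, as ETH per WBTC.
BZX_PRICE = execution_price(5637, 51)        # paid by bZx's internal conversion
ATTACKER_PRICE = execution_price(6871, 112)  # received when the 112 WBTC were sold

# Constructed pool: 2,800 ETH / 76 WBTC. Its pre-trade spot price stands in for
# a reference price; a real system would take the reference from elsewhere.
POOL_ETH, POOL_WBTC = 2800.0, 76.0
REFERENCE = POOL_ETH / POOL_WBTC

if __name__ == "__main__":
    out = swap_out(POOL_ETH, POOL_WBTC, 5637)
    paid = execution_price(5637, out)
    print(f"unguarded: {out:.1f} WBTC at {paid:.1f} ETH/WBTC ({paid / REFERENCE:.1f}x spot)")
    try:
        guarded_swap(POOL_ETH, POOL_WBTC, 5637, REFERENCE, 0.05)
    except ValueError as err:
        print("guarded:", err)
    small = guarded_swap(POOL_ETH, POOL_WBTC, 10, REFERENCE, 0.05)
    print(f"small trade passes: {small:.3f} WBTC")
```
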

bZx tweeted yesterday that users will incur no losses as it will compensate them. The project is expected to release a detailed analysis at 5pm MST (i.e. 7pm EST) today. The Block will post a story accordingly.

(Please note that Auguste's blog post has been unpublished for now. Auguste told The Block that he will put it back online after bZx publishes their analysis).

© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
