33.5% of Locked Funds Withdrawn From bZx After Losing $640k Of Ether in Second Attack
- bZx exploited again for 2,378 ether (ETH), worth about $640,000
- In the previous attack, the attacker made a total profit of 1,193 ETH, currently worth $298,250
- In the past 24 hours, 35.5% of funds locked have been withdrawn from the protocol
The decentralized finance (DeFi) lending project bZx has been exploited, yet again. This time, the estimated loss is 2,378 ether (ETH), worth about $640,000. “This attack appears to be an oracle manipulation attack,” said bZx co-founder Kyle Kistner in the company’s official Telegram channel. “We can neutralize this like we did last time,” added Kistner.
The latest attack came hot on the heels of the post-mortem of the initial attack published by bZx that resulted in the theft of 1,193 ETH, currently worth about $298,000.
Now, the firm has hit the pause button on the protocol yet again “in light of suspicious transactions using flash loans and trading on Synthetix,” tweeted bZx only to add that “It does not impact the Synthetix system though it did involve sUSD.”
This attack, bZx says, is different from the first; the attacker was able to extract a net profit of around $600k, while bZx was “able to delay the realization of the loss again.”
1/ WHAT WE KNOW SO FAR: There was a second attack. This attack was completely different from the first. This time it was an oracle manipulation attack, a modified version of the original exploit we worked closely with @samczsun to fix: https://t.co/lDcyDQf44i
— bZx (@bzxHQ) February 18, 2020
The attacker reportedly was able to manipulate both the APR and a Uniswap pool, “keeping and bypass our check of both sides of the spread.” bZx will now implement a change under which traders and borrowers can only close positions, not open or mint new ones.
Funds are SAFU
In its post-mortem of the previous attack, the company explained that it started with a flash loan of 10,000 ETH from dYdX. Flash loans, a new DeFi primitive, are uncollateralized loans that are borrowed and repaid within a single transaction.
During the first attack, 5,500 ETH was sent to another lending protocol, Compound, to collateralize a loan of 112 wBTC. 1,300 ETH was sent to the Fulcrum pToken sETHBTC5x to open a 5x short position against the ETH/BTC ratio, and 5,637 ETH was borrowed and swapped to 51 WBTC through Kyber’s Uniswap, which caused large slippage.
The report states that the attacker swapped the 112 wBTC borrowed from Compound (worth $1.1 million) to 6,871 ETH on Uniswap, resulting in a profit. The flash loan of 10,000 ETH from dYdX was then paid back from the proceeds.
“The total profit from this sequence of events was 1193 ETH, currently worth $298,250 @ $250/ETH,” reads the statement.
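As an added illustration (not bZx’s code and not the attacker’s transaction), the constant-product arithmetic behind the slippage described above, paired with the reference-price sanity check a lending protocol’s oracle can apply before trusting a pool’s spot price. The pool reserves and the reference price are constructed values, chosen so that a swap of 5,637 ETH returns roughly the 51 WBTC the post-mortem reports.

```python
# Added illustration, not bZx's or the attacker's code.
# Reserves, reference price and deviation limit are constructed values.
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """x * y = k pool quoted in BTC per ETH (trading fee ignored for clarity)."""
    eth: float
    btc: float

    def spot_price(self) -> float:
        return self.btc / self.eth

    def swap_eth_for_btc(self, eth_in: float) -> float:
        # Output is whatever keeps the product constant after the trade;
        # a trade large relative to the reserves gets far less than spot.
        btc_out = self.btc * eth_in / (self.eth + eth_in)
        self.eth += eth_in
        self.btc -= btc_out
        return btc_out


def price_deviation(pool_price: float, reference_price: float) -> float:
    """Relative distance of a pool's spot price from an independent reference."""
    return abs(pool_price - reference_price) / reference_price


def oracle_accepts(pool_price: float, reference_price: float,
                   max_deviation: float = 0.05) -> bool:
    """Reject a spot price that strays too far from the reference (hypothetical policy)."""
    return price_deviation(pool_price, reference_price) <= max_deviation


def simulate_large_swap(eth_reserve: float, btc_reserve: float,
                        eth_in: float, reference_price: float) -> dict:
    pool = ConstantProductPool(eth_reserve, btc_reserve)
    before = pool.spot_price()
    btc_out = pool.swap_eth_for_btc(eth_in)
    after = pool.spot_price()
    return {
        "btc_out": btc_out,
        "price_before": before,
        "price_after": after,
        "accepted_before": oracle_accepts(before, reference_price),
        "accepted_after": oracle_accepts(after, reference_price),
    }


if __name__ == "__main__":
    # Constructed pool of 2,000 ETH / 70 BTC; reference price 0.035 BTC per ETH.
    result = simulate_large_swap(2_000.0, 70.0, 5_637.0, 0.035)
    print(result)  # spot price collapses by >90% and fails the deviation check
```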
Kistner maintains, “No users have lost funds or will lose funds. Funds are SAFU.”
According to DeFi Pulse, bZx is the eighth-largest DeFi market from which 33.5% of funds locked have been withdrawn in the past 24 hours.