33.5% of Locked Funds Withdrawn From bZx After Losing $640k Of Ether in Second Attack


  • bZx exploited again for 2,378 ether (ETH), worth about $640,000
  • In the previous attack, the attack made a total profit of 1193 ETH, currently worth $298,250
  • In the past 24 hours, 35.5% of funds locked have been withdrawn from the protocol

The decentralized finance (DeFi) lending project bZx has been exploited, yet again. This time, the estimated loss of 2,378 ether (ETH), worth about $640,000. “This attack appears to be an oracle manipulation attack,” said bZx co-founder Kyle Kistner in the company’s official Telegram channel. “We can neutralize this like we did last time,” added Kistner.

The latest attack came hot on the heels of the post-mortem of the initial attack published by bZx that resulted in the theft of 1,193 ETH, currently worth about $298,000.

Now, the firm has hit the pause button on the protocol yet again “in light of suspicious transactions using flash loans and trading on Synthetix,” tweeted bZx only to add that “It does not impact the Synthetix system though it did involve sUSD.”

This attack, bZx says is different from the first and the attacker was able to extract a net profit of around $600k while they were “able to delay the realization of the loss again.”

The attacker reportedly was able to manipulate both APR and a Uniswap pool, “keeping and bypass our check of both sides of the spread.” Now, bZx will be implementing a change that won’t allow the traders and borrower or mint but close positions.

Funds are SAFU

In its post-mortem of the previous attack, the company explained that it started with a flash loan of 10,000 ETH from dYdX. A new DeFi primitive, flash loans enable uncollateralized loans that can be used in a single transaction.

During the first attack, 5500 of ether was sent to another lending protocol Compound to collateralize a loan of 112 wBTC. 1300 ETH was sent to the Fulcrum pToken sETHBTC5x to open a 5x short position against the ETHBTC ratio, and 5637 ETH was borrowed and swapped to 51 WBTC through Kyber’s Uniswap which caused large slippage.

The report states, the attacher swapped the 112 wBTC borrowed from Compound (worth $1.1 million) to 6871 ETH on Uniswap, resulting in a profit. The flash loan of 10,000 ETH from dYdX was then paid back from the proceeds.

“The total profit from this sequence of events was 1193 ETH, currently worth $298,250 @ $250/ETH,” reads the statement.

Kistner maintains, “No users have lost funds or will lose funds. Funds are SAFU.”

Source: @DefiPulse

According to DeFi Pulse, bZx is the eighth-largest DeFi market from which 33.5% of funds locked have been withdrawn in the past 24 hours.

Get Daily Headlines

Enter Best Email to Get Trending Crypto News & Bitcoin Market Updates

What to Know More?

Join Our Telegram Group to Receive Live Updates on The Latest Blockchain & Crypto News From Your Favorite Projects

Join Our Telegram

Stay Up to Date!

Join us on Twitter to Get The Latest Trading Signals, Blockchain News, and Daily Communication with Crypto Users!

Join Our Twitter

Add comment

E-mail is already registered on the site. Please use the Login form or enter another.

You entered an incorrect username or password

Sorry, you must be logged in to post a comment.
Bitcoin Exchange Guide