bZx Exchange, a DeFi-based product, states it lost over $350,000 USD in ETH following a “malicious attack” or “successful arbitraging”, as questions are raised about the overall safety of decentralized finance products. The profiteering party leveraged Compound Finance, wrapped BTC and bZx’s exchange, Fulcrum, to carry out the theft.
bZx loses over $350,000 USD in ETH
In a Telegram message on the official bZx channel, bZx co-founder Kyle Kistner informed the community that a “portion of ETH was lost” after an “exploit executed against the smart contract.” Following the announcement, the development team paused all trading on the Fulcrum exchange; trading has since resumed, and the team is expected to publish a post-mortem soon.
Funds are SAFU:
1/*All users have ZERO losses*. Last night there was a widely reported attack that took place against our protocol. From the perspective of the protocol, someone simply took out a loan. From the perspective of the lender, this loan is like any other.
— bZx (@bzxHQ) February 15, 2020
According to the community, the theft can be traced to a single transaction on Etherscan.io. That transaction bundled a complex series of steps in which the hacker borrowed a 10,000 ETH flash loan from the dYdX protocol and split the funds in two. One half was sent to Compound Finance as collateral and the other half was sent to bZx’s Fulcrum exchange.
Once the amounts were deposited, the hacker borrowed around 112 wrapped BTC (wBTC, Bitcoin on Ethereum) on Compound Finance, worth about $1.1 million at the time, and shorted wBTC on Fulcrum, causing the price to effectively drop. Furthermore, the hacker sold the borrowed wBTC on Kyber Uniswap to trigger his short position. The hacker then paid back the loan and made off with $350,000 USD in profits.
Total cost of transactions? Only $8.
The crazy part:
This all happened in a single transaction with a fee of $8.28 🤯
— Spencer Noon (@spencernoon) February 15, 2020
‘Steps to Maturity for DeFi’
While the lenders and users with funds on the platform remain protected from further hacks, there remain concerns about the overall security of DeFi platforms and the effect of relying on a limited number of oracles. While bZx denied in a tweet that the hack was caused by relying on Uniswap as an oracle, Chainlink’s CEO, speaking at the ETHDenver conference, discouraged the use of a single oracle, saying,
“You can’t rely on [only] one oracle connected with an exchange API.”
However, there remain optimistic bZx users who believe this is a learning step on the way to maturity for DeFi products. Tim Ogilvie, CEO of Staked, a company that has ETH stored on bZx, said,
“DeFi is an experiment….I think this is the maturation process for DeFi. You have to get battle-hardened, and if somebody puts out a product that has vulnerabilities, someone else is going to exploit it and that’s part of the system getting stronger.”
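The single-oracle warning quoted above can be made concrete. The following is an added example, not code from bZx, Chainlink or the original article: using constructed reserves and two hypothetical independent feeds (feed_b, feed_c), it shows how one large sale moves a constant-product pool's spot price, and how a median across feeds with a deviation bound flags that pool instead of trusting it.

```python
from statistics import median

def spot_price(base, quote):
    """Spot price of the base asset, in quote units, in an x*y=k pool."""
    return quote / base

def sell_base(base, quote, amount_in):
    """Reserves after selling amount_in of base into the pool (fees ignored)."""
    new_base = base + amount_in
    return new_base, (base * quote) / new_base

def checked_price(feeds, max_deviation=0.02, min_feeds=3):
    """Median of independent feeds plus the names of feeds that disagree with it.

    Raises ValueError when there are too few feeds, or when no majority of
    feeds lies within max_deviation of the median (the caller should pause).
    """
    if len(feeds) < min_feeds:
        raise ValueError("not enough independent price feeds")
    mid = median(feeds.values())
    outliers = sorted(name for name, price in feeds.items()
                      if abs(price - mid) / mid > max_deviation)
    if len(feeds) - len(outliers) <= len(feeds) // 2:
        raise ValueError("feeds disagree; refusing to price")
    return mid, outliers

# Constructed numbers: a thin pool of 100 WBTC / 3800 ETH (38 ETH per WBTC).
POOL = (100.0, 3800.0)

def demo():
    before = spot_price(*POOL)
    after = spot_price(*sell_base(*POOL, 50.0))  # one large sale of 50 WBTC
    # feed_b and feed_c are hypothetical sources that the sale does not touch.
    price, outliers = checked_price(
        {"pool": after, "feed_b": 38.1, "feed_c": 37.9})
    return before, after, price, outliers

if __name__ == "__main__":
    print(demo())
```

A consumer that read only the pool would value WBTC at less than half of what the other feeds report; the median keeps the price near 38 ETH and names the pool as the outlier.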