Decentralized Lending Protocol bZx Hacked Twice in a Matter of Days

Published at: Feb. 18, 2020

Decentralized finance (DeFi) proponents are taking a hard hit after decentralized lending protocol bZx saw two successful hacks just days apart with losses totalling around $954,000.

According to bZx’s report, the protocol was compromised for the first time on Feb. 14, when the team was at the ETHDenver industry event. The second attack, according to industry news outlet The Block, took place on Feb. 18.

The first attack’s procedure

The attacker used multiple DeFi protocols to lend and swap significant quantities of Ether and wrapped Bitcoin (WBTC) — a token on the Ethereum blockchain that tracks the price of Bitcoin (BTC) — in a way that allowed him to manipulate the prices and profit off of a decentralized leveraged trade. 

The attacker first took a loan of 10,000 Ether (ETH) from decentralized lending protocol dYdX, then used 5,500 ETH ($1.46 million) to collateralize a 112 wrapped Bitcoin (WBTC) loan (over $1 million) on DeFi protocol Compound.

At this point, the attacker sent 1,300 ETH (over $372,000) to open a 5x leveraged position on the ETH/BTC pair on bZx’s decentralized margin trading platform Fulcrum, and borrowed 5,637 ETH through Kyber’s Uniswap and swapped them for 51 WBTC, causing large slippage.

This, in turn, allowed the attacker to profit from swapping the 112 WBTC from Compound to 6,671 ETH, resulting in a profit of 1,193 ETH (nearly $318,000). The hacker finally paid back the 10,000 ETH loan on dYdX that he took before.

According to an in-depth analysis of the attack, the transaction with which the attacker opened the leveraged trade should have been prevented by safety checks, but those checks did not fire due to a bug in bZx’s smart contract. The team behind the protocol has announced that the bug has been patched.
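The slippage and the missing safety check described above can be reproduced on a toy pool. This is an added example, not bZx's or any protocol's code: the constant-product pool model, the 0.3% fee, the reserves and the `guarded_swap` check are all assumptions chosen for illustration.

```python
from fractions import Fraction

FEE = Fraction(997, 1000)  # assumed 0.3% swap fee

class Pool:
    """Constant-product (eth * wbtc = k) pool; reserves are constructed."""
    def __init__(self, eth, wbtc):
        self.eth, self.wbtc = Fraction(eth), Fraction(wbtc)

    def spot(self):
        """Marginal price in ETH per WBTC."""
        return self.eth / self.wbtc

    def quote(self, eth_in):
        """WBTC paid out for eth_in, without changing the reserves."""
        eff = Fraction(eth_in) * FEE
        return self.wbtc * eff / (self.eth + eff)

    def swap(self, eth_in):
        out = self.quote(eth_in)
        self.eth += Fraction(eth_in)
        self.wbtc -= out
        return out

def slippage(pool, eth_in):
    """How far the average execution price exceeds the pre-trade spot price."""
    return Fraction(eth_in) / pool.quote(eth_in) / pool.spot() - 1

def guarded_swap(pool, eth_in, reference_price, max_deviation):
    """Hypothetical safety check: refuse a swap whose execution price strays
    more than max_deviation from an independent reference price."""
    exec_price = Fraction(eth_in) / pool.quote(eth_in)
    deviation = abs(exec_price / Fraction(reference_price) - 1)
    if deviation > max_deviation:
        raise ValueError(f"execution price deviates {float(deviation):.1%} from reference")
    return pool.swap(eth_in)

if __name__ == "__main__":
    pool = Pool(eth=4000, wbtc=100)            # constructed reserves, spot = 40
    print(f"10 ETH slippage:    {float(slippage(pool, 10)):.2%}")
    print(f"4,000 ETH slippage: {float(slippage(pool, 4000)):.2%}")
    try:
        guarded_swap(pool, 4000, reference_price=40, max_deviation=Fraction(2, 100))
    except ValueError as err:
        print("rejected:", err)
    pool.swap(4000)                            # same trade with no check
    print(f"spot after unguarded swap: {float(pool.spot()):.1f} ETH/WBTC")
```

A trade the size of the pool's own reserves roughly doubles the execution price and quadruples the pool's spot price, which is why a check against an independent reference has to run on every path that executes a trade.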

The second attack

The nature of the second attack is still largely unclear, but a message from the project’s CVO and operations lead Kyle Kistner in the official bZx Telegram group suggests that it was an oracle manipulation attack. Oracles are usually centralized components that provide external data to on-chain applications.

The Block estimates the loss to be 2,388 ETH (nearly $636,000). Kistner said that the team can neutralize the hack and prevent the loss of user funds like they did for the first hack. Furthermore, he promised that bZx developers will switch to oracles based on the Chainlink protocol, seemingly suggesting that it would make the system safer.

Cointelegraph will update this article with further information once it is forthcoming. 

The prevalence of crypto in hacks

The non-reversibility of transactions is a basic property of most cryptocurrencies, or at least one that most projects strive for. While desirable for many reasons, this feature is also appreciated by cybercriminals who get to keep funds if they manage to steal them, while wire transfers could instead be reversed.

Hacker groups are also staying ahead of the curve by updating their methods. Cybersecurity firm TrendMicro recently discovered that hacking group Outlaw has been updating its toolkit for stealing enterprises’ data for nearly half a year.

Earlier this month, Cointelegraph reported that hackers compromised five United States law firms and demanded two 100 Bitcoin ransoms from each firm: one to restore access to data, and one to delete the hacker’s copy instead of selling it.
