Decentralized Lending Protocol bZx Hacked Twice in a Matter of Days
Decentralized finance (DeFi) proponents are taking a hard hit after decentralized lending protocol bZx saw two successful hacks just days apart with losses totalling around $954,000.
According to bZx’s report, the protocol was compromised for the first time on Feb. 14, when the team was at the ETHDenver industry event. The second attack, according to industry news outlet The Block, took place on Feb. 18.
The first attack’s procedure
The attacker used multiple DeFi protocols to lend and swap significant quantities of Ether and wrapped Bitcoin (WBTC) — a token on the Ethereum blockchain that tracks the price of Bitcoin (BTC) — in a way that allowed him to manipulate the prices and profit off of a decentralized leveraged trade.
The attacker first borrowed 10,000 Ether (ETH) from decentralized lending protocol dYdX, then used 5,500 ETH ($1.46 million) to collateralize a 112 WBTC loan (over $1 million) on DeFi protocol Compound.
At this point, the attacker sent 1,300 ETH (over $372,000) to bZx’s Fulcrum margin trading platform to open a 5x leveraged position on the ETH/BTC pair, and borrowed 5,637 ETH through Kyber’s Uniswap reserve, swapping them for 51 WBTC and causing large slippage.
This, in turn, allowed the attacker to profit by swapping the 112 WBTC borrowed from Compound for 6,671 ETH, netting 1,193 ETH (nearly $318,000). The hacker finally repaid the 10,000 ETH loan taken from dYdX at the start.
According to an in-depth analysis of the attack, the transaction with which the attacker opened the leveraged trade should have been prevented by safety checks, but those checks did not fire due to a bug in bZx’s smart contract. The team behind the protocol has announced that the bug has been patched.
The second attack
The nature of the second attack is still largely unclear, but a message from the project’s CVO and operations lead Kyle Kistner in the official bZx Telegram group suggests that it was an oracle manipulation attack. Oracles are usually centralized components that provide external data to on-chain applications.
The Block estimates the loss to be 2,388 ETH (nearly $636,000). Kistner said that the team can neutralize the hack and prevent the loss of user funds, as they did for the first hack. Furthermore, he promised that bZx developers will switch to oracles based on the Chainlink protocol, seemingly suggesting that it would make the system safer.
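The slippage the first attack relied on, and the kind of spot-price sanity check a protocol can apply against an independent reference (an external oracle or a time-weighted average) before trusting an on-chain quote, as an added illustration that is not code from bZx, Kyber or Uniswap; the toy x*y=k pool, its reserves and the trade size are constructed numbers, not those of the incident:

```python
from fractions import Fraction


class ConstantProductPool:
    """Constructed toy x*y=k pool (no fee) whose reserves double as a spot-price oracle."""

    def __init__(self, eth: int, wbtc: int) -> None:
        self.eth = Fraction(eth)
        self.wbtc = Fraction(wbtc)

    def spot_price(self) -> Fraction:
        # ETH per WBTC as implied by the reserves: the "oracle" reading
        return self.eth / self.wbtc

    def swap_eth_for_wbtc(self, eth_in: int) -> Fraction:
        # Sell eth_in ETH into the pool; reserves move so that x*y stays constant
        k = self.eth * self.wbtc
        self.eth += eth_in
        wbtc_out = self.wbtc - k / self.eth
        self.wbtc = k / self.eth
        return wbtc_out


def price_deviation_ok(spot: Fraction, reference: Fraction, max_bps: int) -> bool:
    # Defender's sanity check: refuse to act on a spot price that strays from an
    # independent reference by more than max_bps basis points
    deviation_bps = abs(spot - reference) / reference * 10_000
    return deviation_bps <= max_bps


def simulate(pool_eth: int = 5000, pool_wbtc: int = 50,
             eth_in: int = 2000, max_bps: int = 500) -> dict:
    pool = ConstantProductPool(pool_eth, pool_wbtc)
    reference = pool.spot_price()          # 100 ETH per WBTC before the trade
    ok_before = price_deviation_ok(pool.spot_price(), reference, max_bps)
    wbtc_out = pool.swap_eth_for_wbtc(eth_in)
    spot_after = pool.spot_price()
    return {
        "wbtc_out": wbtc_out,                            # 100/7 WBTC, not the 20 a fair price gives
        "effective_price": Fraction(eth_in) / wbtc_out,  # 140 ETH actually paid per WBTC
        "spot_after": spot_after,                        # 196 ETH per WBTC: the distorted reading
        "ok_before": ok_before,                          # True: quote matches the reference
        "ok_after": price_deviation_ok(spot_after, reference, max_bps),  # False: rejected
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

A single large swap moves the pool's implied price from 100 to 196 ETH per WBTC; any contract that reads that reserve ratio as its price feed in the same transaction would accept the distorted value unless it is checked against an independent reference.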
Cointelegraph will update this article with further information once it is forthcoming.
The prevalence of crypto in hacks
The non-reversibility of transactions is a basic property of most cryptocurrencies, or at least one that most projects strive for. While desirable for many reasons, this feature is also appreciated by cybercriminals, who get to keep funds if they manage to steal them, whereas wire transfers can be reversed.
Hacker groups are also staying ahead of the curve by updating their methods. Cybersecurity firm Trend Micro recently discovered that hacking group Outlaw has been updating its toolkit for stealing enterprises’ data for nearly half a year.
Earlier this month, Cointelegraph reported that hackers compromised five United States law firms and demanded two 100 Bitcoin ransoms from each firm: one to restore access to data, and one to delete the hacker’s copy instead of selling it.