bZx Faces Loss of $645K in ETH in Another Major Attack
bZx, a decentralized protocol on Ethereum for lending and for margin and leveraged trading, has again been hit by a planned attack, this time causing an estimated loss of 2,388 ether (ETH), worth nearly $645,000.
Kyle Kistner, a co-founder of bZx, said on the firm’s official Telegram channel: “This attack appears to be an oracle manipulation attack. We can neutralize this like we did last time.” The news has unsettled the crypto community, and the firm has been flooded with negative comments from industry leaders around the world.
Robert Leshner, the founder of Compound, a renowned DeFi lending protocol and a strong competitor of bZx, remarked on the incident:
“Security is the ultimate priority for a financial product. The bZx team has repeatedly demonstrated that it isn’t capable of protecting user funds, and should immediately cease operations until the platform can be thoroughly and completely audited.”
A few hours earlier, bZx had published an official blog post detailing the previous attack on the network. The post-mortem report stated that 1,193 ETH, worth $298,000, was lost in that attack. Following the latest suspicious transaction, bZx has had to halt its protocol. The malicious transaction was reportedly carried out via flash loans and trading on Synthetix. bZx clarified in a tweet that “It does not impact the Synthetix system though it did involve sUSD.”
The Method Followed by the Attacker
Larry Cermak, director of research at The Block, explained the attack mechanism as follows:
The attacker took a flash loan of 7,500 ETH, purchased 3,518 ETH worth of sUSD for close to $1 and simultaneously deposited it to bZx as the collateral. Further, to manipulate the price of sUSD to more than $2, the attackers bought sUSD on Kyber and Uniswap using 900 ETH. This helped the attacker draw out a bigger loan value, as the collateral appeared to be bigger than it actually was. The manipulators then used the collateral to borrow another 6,796 ETH on bZx. They used the funds to repay the original flash loan. The entire process allowed the attacker to earn 2,388 ETH in profit while making the bZx ETH pool lose $1.8 million. The sUSD pool gained $1.1 million.
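
As an added illustration (not from the article and not bZx's code), the Python sketch below models why collateral priced from a thin pool's spot rate looks bigger than it is, and goes one step beyond the text by showing a deviation check against independent price feeds that rejects such a price. The pool reserves, the $270 ETH price, the reference feeds and the 10% tolerance are all assumptions chosen for the example.

```python
from statistics import median

ETH_USD = 270.0       # assumption: roughly $645,000 / 2,388 ETH from the article
MAX_DEVIATION = 0.10  # assumption: tolerated gap between spot and reference

class ConstantProductPool:
    """Toy x*y=k pool; the reserve sizes used below are constructed."""
    def __init__(self, eth, susd):
        self.eth, self.susd = eth, susd

    def spot_usd(self):
        # USD price of 1 sUSD implied by the current reserves
        return self.eth / self.susd * ETH_USD

    def buy_susd(self, eth_in):
        # A buy adds ETH and removes sUSD while keeping eth * susd constant
        k = self.eth * self.susd
        self.eth += eth_in
        self.susd = k / self.eth

def checked_price(spot, references):
    """Return spot only if it is within MAX_DEVIATION of the median reference."""
    ref = median(references)
    if abs(spot - ref) / ref > MAX_DEVIATION:
        raise ValueError(f"spot ${spot:.2f} vs reference ${ref:.2f}: rejected")
    return spot

def collateral_value_eth(susd_amount, price_usd):
    return susd_amount * price_usd / ETH_USD

def demo():
    pool = ConstantProductPool(eth=2_000, susd=540_000)  # constructed, ~$1 spot
    collateral = 3_518 * ETH_USD   # sUSD bought near $1 with 3,518 ETH
    refs = [1.00, 1.01, 0.99]      # constructed independent price feeds
    before = pool.spot_usd()
    pool.buy_susd(900)             # the 900 ETH buy described in the article
    after = pool.spot_usd()
    naive = collateral_value_eth(collateral, after)  # trusts the thin pool
    try:
        checked_price(after, refs)
        blocked = False
    except ValueError:
        blocked = True
    return before, after, naive, blocked

if __name__ == "__main__":
    print(demo())
```

With these constructed reserves the spot price moves from about $1 to about $2.10, so the same sUSD deposit is valued at roughly 7,397 ETH instead of 3,518 ETH unless the deviation check rejects the price.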