Search ForexCrunch
  • The overall loss incurred by both the attacks totaled around $954,000.
  • The first hack was due to bug exploitation in the bZx smart contract, while an oracle manipulation attack caused the second hack.

DeFi lending protocol bZx has been successfully hacked twice in just four days, incurring a total loss of about $954,000. According to bZx’s report, the first attack took place on February 14, when the team was attending the ETHDenver industry event. The protocol was compromised for the second time on February 18, as per The Block’s report.

During the first attack, the hacker used several DeFi protocols to lend and swap vast quantities of Ether and wrapped Bitcoin (WBTC) in a manner that allowed them to manipulate the prices and profit of the eventual leveraged trade. The attacker first loaned 10,000 Ether (ETH) from dYdX, a lending protocol, and later used 5,500 ETH ($1.46 million) to obtain a 112 WBTC loan (>$1 million) on Compound, another DeFi protocol. Following this, they used bZx’s Fulcrum trading platform to open a 5x leveraged position on the ETH/BTC pair with a 1,300 ETH investment. After that, they used Kyber’s Uniswap to borrow 5,637 ETH and swap them for 51 WBTC. Ultimately, by swapping the 112 WBTC from Compound to 6,671 ETH, the attacker was able to pocket a profit of 1,193 ETH (nearly $318,000). They then paid back the erstwhile borrowed 10,000 ETH to dYdX. The attacker was able to execute this elaborate attack by exploiting a bug in bZx’s smart contract. This bug has since been fixed.

Currently, the details about the second hack are still unclear. A message from Kyle Kistner, the project’s CVO, says that it was an oracle manipulation attack. Oracles are centralized components that provide on-chain applications with external data.

According to the estimates by The Block, the loss suffered totals 2,388 ETH (nearly $636,000). Kistner notes that the team can neutralize the hack and prevent the loss of user funds like they did for the first hack. He also said that the devs will now use ChainLink’s protocol to make the system safer.