DeFi Project bZx Exploited for Second Time in a Week, Loses $630K in Ether

The attacker manipulated price feeds in order to create and profit from an under collateralized loan.

Feb 18, 2020 at 1:04 p.m. UTC
Updated Sep 13, 2021 at 12:18 p.m. UTC

Bad actors have made off with $630,000-worth of the ether (ETH) cryptocurrency after exploiting a price feed of the ethereum-based lending project bZx.

The attack – the second in less than a week – began at just after 03:00 UTC Tuesday, when attackers apparently took out a flash loan of 7,500 ETH (approximately US$1.98 million), using 3,518 ETH (~$939,300) to purchase synthetic USD stablecoin sUSD from the issuer, which they then posted as collateral for a bZx loan, according to an analyst on Twitter.

They then used 900 ETH (~$240,000) to bid up the price of sUSD on an integrated price feed from liquidity provider Kyber Network until the dollar-pegged stablecoin spiked to $2. Using this inflated collateral valuation, they took out another loan of 6,796 ETH (roughly $1.8 million), which was used to pay back the original 7,500 ETH flash loan, pocketing the remaining 2,378 ETH.
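As an added illustration (not code from bZx, Kyber or Synthetix), the Python model below shows why a lender that prices collateral off a single DEX spot quote is exposed to the kind of feed manipulation described above, and what a deviation-checked oracle drawing on several independent feeds does differently. The pool sizes, swap size, reference quotes and the 5 percent deviation cap are constructed sample values, not figures from the incident; the 75 percent loan-to-value ratio is the one the article cites.

```python
# Added illustration (not bZx, Kyber or Synthetix code): pricing collateral off a
# single constant-product pool versus a median of independent feeds with a
# deviation check. All pool sizes, swap sizes, quotes and the deviation cap are
# constructed sample values, not figures from the incident.
from dataclasses import dataclass
from statistics import median

LTV = 0.75  # borrow up to 75% of collateral value, the ratio the article cites


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool that quotes the price of one sUSD in ETH."""
    eth: float
    susd: float

    def spot_price(self) -> float:
        return self.eth / self.susd

    def buy_susd(self, eth_in: float) -> float:
        """Swap ETH in for sUSD out. The swap itself moves the quoted price."""
        k = self.eth * self.susd
        self.eth += eth_in
        new_susd = k / self.eth
        out = self.susd - new_susd
        self.susd = new_susd
        return out


class OracleDeviationError(Exception):
    """Raised when the DEX spot quote disagrees with the independent feeds."""


def spot_only_price(pool: ConstantProductPool, _feeds=None) -> float:
    """Weak oracle: trusts whatever the pool quotes at this instant."""
    return pool.spot_price()


def checked_median_price(pool: ConstantProductPool, feeds, max_deviation=0.05) -> float:
    """Hardened oracle: median of independent feeds; the DEX spot quote is only
    admitted when it lies within max_deviation of that median."""
    reference = median(feeds)
    spot = pool.spot_price()
    if abs(spot - reference) / reference > max_deviation:
        raise OracleDeviationError(
            f"spot {spot:.4f} vs reference {reference:.4f} exceeds {max_deviation:.0%}")
    return median(list(feeds) + [spot])


def max_borrow_eth(collateral_susd: float, price_eth_per_susd: float) -> float:
    """The collateral check a lender runs: collateral value in ETH times LTV."""
    return collateral_susd * price_eth_per_susd * LTV


def run_scenario(oracle, trade_eth: float = 100.0, collateral_susd: float = 25_000.0):
    """Price the same collateral before and after one large swap through the
    only pool the oracle reads. Returns (borrow_before, borrow_after) in ETH;
    the hardened oracle raises instead of quoting after the swap."""
    pool = ConstantProductPool(eth=100.0, susd=25_000.0)  # 0.004 ETH per sUSD (constructed)
    feeds = [0.0040, 0.0041, 0.0039]                       # independent quotes (constructed)
    before = max_borrow_eth(collateral_susd, oracle(pool, feeds))
    pool.buy_susd(trade_eth)                               # one-sided swap moves the pool price
    after = max_borrow_eth(collateral_susd, oracle(pool, feeds))
    return before, after


def hardened_oracle_refuses(trade_eth: float = 100.0) -> bool:
    """True when the checked oracle refuses to quote after a swap of trade_eth."""
    try:
        run_scenario(checked_median_price, trade_eth)
        return False
    except OracleDeviationError:
        return True


if __name__ == "__main__":
    print("spot-only oracle (before, after):", run_scenario(spot_only_price))
    print("checked oracle refuses after 100 ETH swap:", hardened_oracle_refuses())
    print("checked oracle refuses after 0.1 ETH swap:", hardened_oracle_refuses(0.1))
```

With these constructed numbers, the spot-only oracle quadruples the borrow limit for the same 25,000 sUSD after a single swap through the pool, while the checked oracle refuses to quote as long as the DEX price sits outside the band around the reference feeds and still accepts a small, ordinary trade. The deviation cap and the number of feeds are tuning choices; the point is that no single manipulable venue is the sole input to the collateral valuation.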

The total amount stolen is worth approximately $633,000, according to CoinDesk's Ether Price Index. In its entirety, the attack took just over a minute from beginning to end. The exploiters have left an open loan with half the required collateral now that sUSD has returned to its dollar peg.

The total amount of ether locked in bZx lending contracts has nearly halved from 40,000 ETH (~$10.7 million) to 23,000 ETH (~$6.1 million) since the exploit took place, according to statistics site DeFi Pulse.

Source: DeFi Pulse

The official Twitter account for bZx confirmed at 04:38 UTC the project had suspended trading after it detected "suspicious transactions using flash loans and trading on Synthetix." A bZx spokesperson confirmed on the group's Telegram channel the company itself, rather than any of the platform's users, would cover the shortfall.

The attack comes days after bZx fell victim to a similar flash-loan-based attack in which more than $350,000-worth of cryptocurrencies were extracted from the platform. It's unclear whether the two attacks were carried out by the same person or group.

What are flash loans?

The vast majority of DeFi lending facilities rely on overcollateralized loans: Borrowers can usually only borrow around 75 percent of the value of their collateral. Although that incentivizes users to pay back loans, it also requires lenders to have very high liquidity – sometimes in a diverse range of assets – in order to quickly liquidate loans.

Flash loans are instruments that allow traders to liquidate loans on the lender's behalf. They work by having the trader take a loan out from the lender – this time without posting any collateral – then paying back the borrower's debt and collecting the deposit. Using the deposit, the trader can pay back the original loan and pocket the remaining funds.
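The description above relies on a property it does not spell out: the lender can hand out funds with no collateral only because repayment is enforced within the same transaction, and the whole transaction is reverted if the funds do not come back. The Python model below is an added illustration of that invariant, not code from Aave, dYdX or bZx; the balances, the fee rate and the two borrower callbacks are constructed sample values.

```python
# Added illustration (not Aave, dYdX or bZx code): a toy model of the atomicity
# that lets a lender issue an uncollateralised flash loan. Balances, fee rate
# and the borrower strategies are constructed sample values.
from copy import deepcopy

FEE_BPS = 9  # 0.09% flash-loan fee, constructed


class Revert(Exception):
    """Stands in for an EVM revert: every state change in the call is discarded."""


class Ledger:
    """Token balances keyed by account name, in integer base units."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def execute_transaction(ledger: Ledger, action):
    """Run action against a working copy; commit only if nothing reverted.
    Returns (resulting ledger, error message or None)."""
    working = deepcopy(ledger)
    try:
        action(working)
    except Revert as exc:
        return ledger, str(exc)  # original state is untouched
    return working, None


def flash_loan(ledger: Ledger, borrower: str, amount: int, callback) -> None:
    """Lend amount with no collateral, hand control to the borrower's callback,
    then require that principal plus fee is back before the call returns."""
    fee = amount * FEE_BPS // 10_000
    start = ledger.balances["lender"]
    ledger.transfer("lender", borrower, amount)   # no collateral requested
    callback(ledger, amount, fee)                  # borrower's arbitrary logic runs here
    if ledger.balances["lender"] < start + fee:    # the only guarantee the lender needs
        raise Revert("flash loan not repaid within the transaction")


def honest_borrower(ledger: Ledger, amount: int, fee: int) -> None:
    # "market" paying the borrower stands in for profit from some trade (constructed)
    ledger.transfer("market", "borrower", 5_000)
    ledger.transfer("borrower", "lender", amount + fee)


def defaulting_borrower(ledger: Ledger, amount: int, fee: int) -> None:
    # takes the profit but never repays the loan
    ledger.transfer("market", "borrower", 5_000)


def run(callback, amount: int = 1_000_000):
    """Execute one flash loan as a transaction; returns (final balances, error)."""
    ledger = Ledger({"lender": 10_000_000, "borrower": 0, "market": 5_000})
    final, err = execute_transaction(
        ledger, lambda l: flash_loan(l, "borrower", amount, callback))
    return final.balances, err


if __name__ == "__main__":
    print("honest borrower:", run(honest_borrower))
    print("defaulting borrower:", run(defaulting_borrower))
```

When the borrower repays, the lender ends up with its principal plus the fee and the borrower keeps what was left of the constructed profit; when the borrower does not repay, the final balance check raises and the whole transaction is rolled back, so the lender never loses the principal. That is why the flash loan itself can be said to have "functioned correctly" regardless of what the borrowed funds were used for in between.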

Flash loans were already available on other DeFi projects such as the non-custodial lending platform Aave Protocol, which has offered them since the beginning of the year.

bZx only launched its own flash loan instruments on Monday. CEO Tom Bean defended the decision to introduce flash loans onto the platform. "By all accounts, the flash loan code on bZx was not what allowed this attack. It was just a tool used that functioned correctly and could have been swapped out for dydx and Aave flash loans," he wrote on the company's Telegram channel.

Kyle Kistner, bZx's chief visionary officer and operations lead, confirmed, also on Telegram, the flash loan hack was "completely tractable." He highlighted that bZx would accelerate plans to integrate Chainlink to diversify price feeds and prevent oracle manipulations from happening again.

A representative for bZx told CoinDesk the team was trying to resolve the exploit with its team of engineers. Bean and Kistner did not immediately return calls for comment.

Disclosure


CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

