The space of Decentralized Finance (DeFi) took a serious hit in the past week as the decentralized lending protocol bZx went through two successive attacks. The compromised funds amount to a little less than $1 million.
The First Attack On bZx – February 14th
The first attack happened in block 9484588, which bZx's official report timestamps February 15th. Per the same document, the attack was launched on Valentine's Day, February 14th, during ETHDenver; the discrepancy is the block's UTC timestamp against local time in Denver. At that time, bZx's team was out attending the event.
The attacker took advantage of several DeFi protocols to borrow and swap substantial amounts of ETH and wrapped Bitcoin (wBTC), an ERC-20 token on Ethereum that tracks the price of Bitcoin. This allowed the perpetrator to move the on-chain ETH/wBTC price that bZx relied on and to profit from a decentralized leveraged trade.
First, the attacker borrowed 10,000 ETH from dYdX, a decentralized lending protocol. He then used 5,500 ETH as collateral to borrow 112 wBTC on Compound, another lending protocol. After that, he used 1,300 ETH to open a 5x leveraged ETH/BTC short position on Fulcrum, bZx's trading platform; to fill that position, 5,637 ETH were borrowed and swapped through Kyber for just 51 wBTC, a trade far larger than the available liquidity, causing serious slippage and pushing the ETH price of wBTC far above market.
This allowed the perpetrator to sell the 112 wBTC from Compound at the inflated price for 6,671 ETH, netting 1,193 ETH, roughly $318,000 at the time. At the end of it all, the attacker repaid the 10,000 ETH loan to dYdX. The whole sequence ran inside a single transaction: the dYdX loan was a flash loan, which only has to be repaid before the transaction ends, so the attacker never needed capital of his own.
The Second Attack – February 18th, Details Pending
The bZx team has also officially confirmed the second attack.
1/ WHAT WE KNOW SO FAR: There was a second attack. This attack was completely different from the first. This time it was an oracle manipulation attack, a modified version of the original exploit we worked closely with @samczsun to fix: http://t.co/lDcyDQf44i
— bZx (@bzxHQ) February 18, 2020
Per the official disclosure, the attacker extracted a net profit of around $600,000 from the system, bringing the combined losses to more than $900,000 worth of ETH. The mechanism of the second attack, however, was different from the first one.
The issue at hand was oracle manipulation. Oracles are the components that feed external information, such as asset prices, to on-chain applications, and they are often centralized or drawn from a single source. When a protocol reads a price straight from an on-chain exchange, anyone who can move that exchange's price within a single transaction can make the protocol act on a manipulated value.
In light of the above, the bZx team has also stated that it is working closely with Chainlink, as well as with other oracle providers, to "create a more robust oracle and reduce the surface area of attacks against our protocol."
Purportedly, the team managed to delay the realization of the profits from the second attack, and stated that they "believe the system can recover from this."
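To make the mechanism behind both attacks concrete, here is an added example (not code from bZx, Uniswap, Kyber or Chainlink) that models a single constant-product ETH/wBTC pool with made-up reserves. It walks through the two swaps at the heart of the first attack, a large ETH-to-wBTC swap that inflates the pool's wBTC price followed by the sale of separately obtained wBTC at that inflated price, and then shows the kind of deviation check against an independent reference price that keeps a protocol from acting on a manipulated spot price. The reserves, the 0.3% fee, the 5% tolerance and the function names are all assumptions for the illustration; the 5,637 ETH and 112 wBTC figures are the ones reported above, but the resulting numbers are products of the constructed pool, not of the real one.

```python
"""Constructed model of the price-manipulation pattern described in the article.

Added example, not code from bZx, Uniswap, Kyber or Chainlink. The pool
reserves, fee and tolerance below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product AMM (x * y = k) holding ETH and wBTC, 0.3 % fee on input."""
    eth: float
    wbtc: float
    fee: float = 0.003

    def spot_price(self) -> float:
        """ETH per wBTC implied by the reserves, i.e. what a naive on-chain
        price oracle that reads the pool directly would return."""
        return self.eth / self.wbtc

    def swap_eth_for_wbtc(self, eth_in: float) -> float:
        """Sell eth_in ETH into the pool; returns the wBTC received."""
        net_in = eth_in * (1.0 - self.fee)
        wbtc_out = self.wbtc * net_in / (self.eth + net_in)
        self.eth += eth_in
        self.wbtc -= wbtc_out
        return wbtc_out

    def swap_wbtc_for_eth(self, wbtc_in: float) -> float:
        """Sell wbtc_in wBTC into the pool; returns the ETH received."""
        net_in = wbtc_in * (1.0 - self.fee)
        eth_out = self.eth * net_in / (self.wbtc + net_in)
        self.wbtc += wbtc_in
        self.eth -= eth_out
        return eth_out


def simulate_manipulation(pool: Pool, eth_dumped: float,
                          wbtc_to_sell: float, reference_price: float) -> dict:
    """Run the two-swap sequence and account for who gains and who loses.

    eth_dumped       ETH swapped into the thin pool (in the incident, the ETH
                     the leveraged position borrowed and swapped)
    wbtc_to_sell     wBTC obtained elsewhere (e.g. borrowed on Compound) and
                     sold into the pool at the inflated price
    reference_price  fair ETH-per-wBTC price from an independent source
    """
    price_before = pool.spot_price()
    wbtc_got = pool.swap_eth_for_wbtc(eth_dumped)      # leg 1: inflate price
    price_after_dump = pool.spot_price()
    eth_received = pool.swap_wbtc_for_eth(wbtc_to_sell)  # leg 2: sell high
    fair_eth = wbtc_to_sell * reference_price
    return {
        "price_before": price_before,
        "price_after_dump": price_after_dump,
        "wbtc_got": wbtc_got,
        # Leg 1 overpays badly for wBTC. In the incident this leg was funded
        # from the protocol's pool, not the attacker's own capital (model
        # assumption: the loss lands on the protocol).
        "dump_leg_loss_eth": eth_dumped - wbtc_got * reference_price,
        "eth_received": eth_received,
        # Leg 2 is what the attacker pockets above fair value.
        "sale_leg_gain_eth": eth_received - fair_eth,
    }


def accept_price(spot: float, reference: float, max_deviation: float = 0.05) -> bool:
    """Reject a spot price that deviates from the reference by more than
    max_deviation (5 % here, an assumed tolerance). The reference must come
    from a source the same transaction cannot move (an off-chain oracle or
    a time-weighted average over past blocks); otherwise the check is circular."""
    return abs(spot - reference) / reference <= max_deviation


if __name__ == "__main__":
    # constructed reserves: 2,000 ETH against 50 wBTC, i.e. 40 ETH per wBTC
    pool = Pool(eth=2000.0, wbtc=50.0)
    r = simulate_manipulation(pool, eth_dumped=5637.0, wbtc_to_sell=112.0,
                              reference_price=40.0)
    for key, value in r.items():
        print(f"{key:>20}: {value:,.2f}")
    print("spot accepted before dump:", accept_price(r["price_before"], 40.0))
    print("spot accepted after dump: ", accept_price(r["price_after_dump"], 40.0))
```

Two things the model makes visible that the narrative alone does not: the dumping leg loses far more than the sale leg gains (the difference goes to the pool's liquidity providers and fees), which is why the attack only pays when someone else funds the first leg, and a price-deviation check is only as good as the independence of its reference, since a reference read from the same pool in the same block would move with the manipulation.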
More Security Audits And Research Is Vital, Says The CEO of Aave
Explaining the attack in simpler words, Aave CEO Stani Kulechov, said that a “flash loan was used to get capital without owning it. The attack was possible without a flash loan as well if the person would have such a big amount of cryptocurrency in possession.”
“Flash Loans are testing the waters of DeFi. Every DeFi protocol needs to mitigate the risks that flash loans can create. They are not bad as they can be used to create innovative products such as collateral swaps that we’re building on top of Aave Flash Loans.”
Aave is an open-source DeFi protocol that operates the popular decentralized lending platform ETHlend. Kulechov was listed as one of bZx's advisors; he says, however, that he was not involved.
Asked whether other DeFi platforms such as ETHlend are also at risk now, Kulechov stated that "More security audits and research is vital. Risk should be properly assessed before deploying new protocols."