Ethereum-based Fulcrum platform loses 350K USD in ETH

  • Ethereum-based lending platform Fulcrum has lost 350K USD in ETH due to a flaw in a smart contract that was exploited.
  • The platform has been shut down for “maintenance” and an investigation is underway to determine details.

The Ethereum-based lending platform Fulcrum has fallen victim to a malicious attack. The attack occurred between February 14 and 15, when the attackers took advantage of a vulnerability in the platform’s lending protocol.

The attack occurred in several stages. First, the attacker took out a 10,000 ETH flash loan. He then used half of the ETH to obtain a loan in wrapped Bitcoin (wBTC) through the Compound protocol. The other half of the ETH went to Fulcrum as collateral for a short position on wBTC, a bet that the price of wBTC would fall. The attacker then dumped the wBTC on Uniswap, pushing its price down, collected the profit from the short on Fulcrum and paid off the initial flash loan.
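To illustrate the mechanism described above, here is an added model (not code from bZx, Fulcrum or Uniswap) of a constant-product pool: it shows how far a single large sale moves the pool's spot price, and the kind of deviation check a lending protocol can apply before trusting that price for collateral valuation. The pool reserves, the 38 ETH/wBTC reference price and the 5% threshold are constructed assumptions.

```python
from dataclasses import dataclass

FEE = 0.003  # 0.3% swap fee, as in Uniswap-style constant-product pools (model assumption)


@dataclass
class Pool:
    """Constant-product pool (reserve_a * reserve_b = k); A plays wBTC, B plays ETH."""
    reserve_a: float  # constructed reserve, not real Uniswap state
    reserve_b: float

    def spot_price(self) -> float:
        # Spot price of one unit of A, quoted in B (ETH per wBTC).
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_in: float) -> float:
        """Sell amount_in of A into the pool; returns the amount of B paid out."""
        k = self.reserve_a * self.reserve_b
        effective_in = amount_in * (1 - FEE)  # the fee is taken from the input
        amount_out = self.reserve_b - k / (self.reserve_a + effective_in)
        self.reserve_a += amount_in  # the full input stays in the pool
        self.reserve_b -= amount_out
        return amount_out


def price_within_bounds(observed: float, reference: float, max_deviation: float) -> bool:
    """Deviation guard: accept a pool price only if it lies within max_deviation
    (a fraction, e.g. 0.05 for 5%) of an independent reference price."""
    return abs(observed - reference) / reference <= max_deviation


def dump_and_check(reserve_a, reserve_b, amount_sold, reference_price, max_deviation):
    """Simulate one large sale of A and report what a protocol that prices
    collateral straight from this pool's spot price would observe."""
    pool = Pool(reserve_a, reserve_b)
    before = pool.spot_price()
    received = pool.swap_a_for_b(amount_sold)
    after = pool.spot_price()
    return {
        "price_before": before,
        "price_after": after,
        "drop_pct": (before - after) / before * 100,
        "b_received": received,
        "accepted": price_within_bounds(after, reference_price, max_deviation),
    }


if __name__ == "__main__":
    # Constructed pool: 100 wBTC against 3,800 ETH (spot 38 ETH/wBTC); 50 wBTC are sold at once.
    print(dump_and_check(100.0, 3800.0, 50.0, reference_price=38.0, max_deviation=0.05))
```

With these numbers the sale cuts the pool's spot price by more than half, and the guard rejects the manipulated price, so a protocol applying it would not value the short against the crashed quote.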

The Fulcrum platform was shut down while investigations are underway. Fulcrum is a UX-focused dapp for lending and trading launched in June 2019. The dapp uses the decentralized bZx protocol that allows its native dapps to trade and lend on margin and leverage.

bZx offers details post-mortem

The response to the attack on Fulcrum was complicated by several factors. The company behind the platform, bZx, was at a hackathon with the Ethereum community, so its responsiveness was delayed.

bZx co-founder Kyle Kistner offered a statement on February 15. Kistner claimed that there was a breach against the contract and that a portion of ETH was lost in the process. The loan contract was paused for all operations. Kistner claimed that no further funds were compromised, but did not offer a specific figure for the amount lost. It is estimated that the attacker could have made a profit of 350K USD in ETH.

The company behind bZx said that due to the complexity of the transaction it takes time to understand exactly what the losses are. Furthermore, it claimed that the attacks were not just a swap in Uniswap and that bZx does not use Uniswap as an oracle. bZx claimed:

We have deployed a contract upgrade that we believe will make our system more robust against these types of actions in the future. The upgrade is currently being processed through our timelock. It will pass through in the next 12 hours. At that time we hope to restart the UI.


The company reiterated that users have zero losses. bZx also revealed that the attacker left 600K of wBTC as collateral:

We will be using this to stream interest and exit liquidity to existing iETH holders. This will be done using our admin key. This is an extremely difficult decision for us that we don’t take lightly.

It is estimated that Fulcrum will be back online at 10:30pm MTS. They will then publish a more detailed report on the attack and its complexity. However, the company was criticized by many Fulcrum users. Some demanded more transparency about the facts and others criticized the use of the administration key. This mechanism gives bZx full control over the contract at Fulcrum.

The full report is still awaited for further details. In the crypto community, the attack has been used to exemplify the vulnerabilities of the DeFi sector. MyCrypto founder Taylor Monahan stated:

Just because your code works doesn’t mean it’s safe.


About Author

Reynaldo Marquez has closely followed the growth of Bitcoin and blockchain technology since 2016. He has since worked as a columnist on crypto coins covering advances, falls and rises in the market, bifurcations and developments. He believes that crypto coins and blockchain technology will have a great positive impact on people's lives.
