- The bZx company behind the Ethereum-based Dapp, Synthetix, confirms that the most recent attack stole $600,000 USD from their platform.
- After an investigation, bZx determined that the second attack was completely different from the original. It was a manipulation of the Synthetix platform’s oracle.
The bZx company has had a rough week. After reporting a first attack on its Ethereum-based trading and borrowing platform Fulcrum on February 14, the company confirmed that it suffered a second attack on Monday, February 17. The second attack targeted the Synthetix platform.
Contrary to speculation, bZx claimed that after an investigation they were able to determine that the second attack was a modified version of the original. In the second attack, the oracle of the Synthetix protocol was manipulated. In the first attack, around 1193 ETH or $300,000 were stolen on Fulcrum; in the second attack, almost $600,000. The company claimed on Twitter:
Fortunately, we are able to delay the realization of the loss again, and we believe the system can recover from this.
The first attack consisted of a manipulation of several protocols that resulted in an undercollateralized loan on the Fulcrum platform. bZx launched an update that in theory should prevent similar attacks. The second attack, on the other hand, did not affect the protocol of the Synthetix platform. The attacker manipulated the oracle to affect the platform’s token, the “sUSD”. bZx claimed:
The sUSD reserve on Kyber contained an APR and a Uniswap pool. We believe the attacker was able to manipulate both at the same time, keeping and bypassing our check of both sides of the spread.
An upgrade will be necessary to allow the platform to remain operational with limitations. In addition, the company will fortify the security of its platforms. bZx will work with Chainlink and other oracle providers to strengthen and create a new oracle and reduce the possibility of future attacks:
We are meeting with Chainlink today and expediting the addition of the oracle to our model. After this is added, we will go online with extremely limited functionality: lending, unlending, and closing positions/loans. New positions and new loans will not be available.
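As an added illustration (not bZx's code; the pool sizes, the 0.005 ETH per sUSD reference price and the 5% thresholds are constructed), the toy model below shows why a check that only compares two venues against each other passes when both venues are moved in the same transaction, and why an independent reference feed of the kind bZx said it was adding rejects the same quotes:

```python
from dataclasses import dataclass

REFERENCE_ETH_PER_SUSD = 0.005  # constructed independent reference price (Chainlink-style feed)

@dataclass
class Pool:
    """Constant-product pool holding ETH and sUSD reserves (constructed sizes)."""
    eth: float
    susd: float

    def price(self) -> float:
        """Mid-price the pool quotes, in ETH per sUSD."""
        return self.eth / self.susd

    def swap_eth_for_susd(self, eth_in: float) -> float:
        """Trade ETH into the pool for sUSD; returns sUSD out and raises the quoted sUSD price."""
        k = self.eth * self.susd
        self.eth += eth_in
        susd_out = self.susd - k / self.eth
        self.susd = k / self.eth
        return susd_out

def spread_check(bid: float, ask: float, max_spread: float = 0.05) -> bool:
    """Check of both sides of the spread only: the two venues must agree with each other."""
    return abs(ask - bid) / min(bid, ask) <= max_spread

def reference_check(bid: float, ask: float, reference: float, max_dev: float = 0.05) -> bool:
    """Hardened check: venues must agree AND each quote must sit near the independent reference."""
    near_ref = all(abs(p - reference) / reference <= max_dev for p in (bid, ask))
    return spread_check(bid, ask, max_dev) and near_ref

def run(kyber_eth_in: float, uniswap_eth_in: float) -> dict:
    """Apply a trade to each venue, then evaluate both checks on the resulting quotes."""
    kyber = Pool(eth=50.0, susd=10_000.0)    # both venues start at 0.005 ETH per sUSD
    uniswap = Pool(eth=50.0, susd=10_000.0)
    kyber.swap_eth_for_susd(kyber_eth_in)
    uniswap.swap_eth_for_susd(uniswap_eth_in)
    bid, ask = sorted((kyber.price(), uniswap.price()))
    return {"quoted_price": ask,
            "spread_ok": spread_check(bid, ask),
            "reference_ok": reference_check(bid, ask, REFERENCE_ETH_PER_SUSD)}

if __name__ == "__main__":
    print("untouched   :", run(0.0, 0.0))    # both checks pass
    print("one venue   :", run(50.0, 0.0))   # the spread check alone catches this
    print("both venues :", run(50.0, 50.0))  # spread check passes, reference check fails
```

The lesson for oracle design is that agreement between sources is not independence: a quote must be anchored to something the same transaction cannot move.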
Criticism of bZx and latest update on the second attack
In addition to suffering the attacks, bZx has come under heavy criticism. In order to mitigate the effects of the attacks, the bZx team decided to use its administrator key and alter the conditions of the smart contract. This has called into question the decentralization of bZx platforms and caused suspicion among users. bZx issued the following warning:
We have pushed a change using our administrator key to remove the timelock on the contracts. We will be reinstalling it once we feel the platform is more battle tested. This will also help us unpause the system as soon as the oracle code has finished being audited.
Fulcrum and Synthetix investors have also expressed concern about the funds they still have on the platforms. bZx stated that users will have zero losses. In addition, it also warned its users that they might have inconsistencies in their balance on the platforms:
If your balance in the UI is showing less than you lent when you try to unlend, that just reflects the current liquidity conditions. Your ETH balance has not changed.
As a result of the attacks, the Totle decentralized exchange put on hold a cooperation they were going to launch with bZx. However, they announced that they will integrate bZx pTokens into their platform.
Half an hour before publication, bZx confirmed that the stolen funds had been frozen. The company claimed that the attacker lost control of the funds because bZx's system recognized the position as being under margin maintenance.
The attacker lost control of his collateral because the system recognizes it is under margin maintenance. Every loan under margin maintenance has the collateral liquidated. The attacker's collateral is no exception.
— bZx (@bzxHQ) February 19, 2020