- bZx company has paused its Ethereum-based protocol again due to another attack. Losses are estimated at 2,388 ETH.
- bZx released a full report on the malicious attack that resulted in the loss of $350,000 in ETH.
After reporting a malicious attack that cost it $350,000 in ETH, bZx has paused its protocol again. According to bZx, the Ethereum-based platform registered a new attack on February 17, 2020. This time the attack was routed through Synthetix, a separate DeFi protocol, rather than being executed directly against bZx's own Fulcrum app.
bZx is the company behind Fulcrum, the Dapp hit by the first attack; Synthetix is an independent protocol whose sUSD token was used in the second. bZx built the decentralized bZx protocol, which lets its native Dapps trade and lend on margin and with leverage.
According to bZx, the Synthetix system itself was not compromised, but its sUSD token was involved. The attacker appears to have used the same type of attack as on Fulcrum: a price-feed manipulation chained across several protocols to book a profit, with sUSD posted as collateral.
In this new attack the losses are estimated at 2,388 ETH, around $640,000. bZx co-founder Kyle Kistner said the attacker again manipulated the oracle that supplied the platform's price for sUSD. An update had been released on Fulcrum to prevent the method used in the first attack. In addition, the platform will implement Chainlink oracles to obtain a more robust price feed, less prone to manipulation.
Although the company says it can fix the problem again, the protocol has been paused once more in the meantime.
We have hit the pause button on the protocol again in light of suspicious transactions using flash loans and trading on Synthetix.
— bZx (@bzxHQ) February 18, 2020
Details of the post-mortem report: what was the impact of the attack?
On February 17, bZx published a post-mortem report on the Valentine's Day attack. The report gives detailed information on the events that resulted in the loss of 1,193 ETH, about $300,000. The attacker used the following steps to take advantage of the security flaw:
- A flash loan of 10,000 ETH was opened on dYdX.
- 5,500 ETH was sent to Compound to collateralize a loan of 112 WBTC.
- 1,300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETH/BTC ratio.
- 5,637 ETH was borrowed and swapped for 51 WBTC through Kyber's Uniswap reserve, causing large slippage.
- The attacker swapped the 112 WBTC borrowed from Compound for 6,871 ETH on Uniswap, locking in a profit.
- The 10,000 ETH flash loan from dYdX was repaid from the proceeds.
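The price-manipulation mechanics behind both attacks, reduced to a toy model. This is an added example, not code from bZx, Kyber, Uniswap or the post-mortem: a constant-product pool, a protocol-funded swap that pumps the WBTC spot price, the attacker's sale into the pumped pool, and a time-weighted average (TWAP) oracle for comparison. Pool reserves, swap sizes and the 37 ETH/WBTC fair price are constructed for illustration and are not the attack's figures; `ConstantProductPool`, `TwapOracle`, `run_attack` and `oracle_comparison` are names chosen here.

```python
"""Toy model of a single-block oracle-manipulation trade (added example, not bZx,
Kyber or Uniswap code).  Pool reserves, swap sizes and the fair price used below
are constructed for illustration; they are not the post-mortem's figures."""
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """x*y = k pool holding ETH and WBTC; spot price is quoted in ETH per WBTC."""
    eth: float
    wbtc: float
    fee: float = 0.003  # Uniswap v1-style 0.3% fee taken on the input side

    def spot(self) -> float:
        return self.eth / self.wbtc

    def buy_wbtc(self, eth_in: float) -> float:
        """Swap ETH for WBTC; returns the WBTC received."""
        k = self.eth * self.wbtc
        wbtc_out = self.wbtc - k / (self.eth + eth_in * (1 - self.fee))
        self.eth += eth_in
        self.wbtc -= wbtc_out
        return wbtc_out

    def sell_wbtc(self, wbtc_in: float) -> float:
        """Swap WBTC for ETH; returns the ETH received."""
        k = self.eth * self.wbtc
        eth_out = self.eth - k / (self.wbtc + wbtc_in * (1 - self.fee))
        self.wbtc += wbtc_in
        self.eth -= eth_out
        return eth_out


class TwapOracle:
    """Average of the spot price recorded at the end of the last `window` blocks.
    A swap inside the current block moves only the live spot, which is not yet
    part of the window, so one transaction cannot move the quoted price."""

    def __init__(self, window: int):
        self.history = deque(maxlen=window)

    def end_block(self, spot: float) -> None:
        self.history.append(spot)

    def price(self) -> float:
        return sum(self.history) / len(self.history)


def run_attack(pool_eth, pool_wbtc, pump_eth, attacker_wbtc, fair_price):
    """Two swaps in one transaction, mirroring the shape of the steps above.

    Step A: a protocol-funded swap (the leveraged short in the write-up) buys WBTC
            with a large amount of ETH from a thin pool, so WBTC's spot price jumps.
    Step B: the attacker sells WBTC obtained elsewhere at the fair price into the
            pumped pool, collecting more ETH than that WBTC is worth.
    """
    pool = ConstantProductPool(pool_eth, pool_wbtc)
    spot_before = pool.spot()
    wbtc_bought_by_protocol = pool.buy_wbtc(pump_eth)
    spot_pumped = pool.spot()
    eth_received = pool.sell_wbtc(attacker_wbtc)
    fair_value = attacker_wbtc * fair_price
    return {
        "spot_before": spot_before,
        "spot_pumped": spot_pumped,
        "protocol_paid_per_wbtc": pump_eth / wbtc_bought_by_protocol,
        "eth_received": eth_received,
        "fair_value": fair_value,
        "attacker_profit_eth": eth_received - fair_value,
    }


def oracle_comparison(pool_eth, pool_wbtc, pump_eth, fair_price, window=10):
    """Spot vs TWAP as seen by a lending contract during and after the pump block."""
    pool = ConstantProductPool(pool_eth, pool_wbtc)
    twap = TwapOracle(window)
    for _ in range(window):          # quiet blocks before the attack, all at fair price
        twap.end_block(pool.spot())
    pool.buy_wbtc(pump_eth)          # manipulation inside the current block
    spot_now = pool.spot()
    twap_same_block = twap.price()   # what a TWAP-reading contract sees right now
    twap.end_block(spot_now)         # block closes with the pumped spot recorded
    twap_next_block = twap.price()   # one outlier in a 10-block window is diluted
    return spot_now, twap_same_block, twap_next_block


if __name__ == "__main__":
    result = run_attack(3700.0, 100.0, 5000.0, 112.0, 37.0)
    for key, val in result.items():
        print(f"{key:>24}: {val:,.2f}")
    spot, same, nxt = oracle_comparison(3700.0, 100.0, 5000.0, 37.0)
    print(f"spot {spot:,.1f}  twap(same block) {same:,.1f}  twap(next block) {nxt:,.1f}")
```

With the constructed reserves, the protocol-funded swap pays more than double the fair price per WBTC and the attacker's sale into the pumped pool returns well over the fair value of his WBTC; the gap is the lending pool's loss. A contract that reads the live spot in the same transaction accepts the manipulated price, whereas the TWAP reading is unchanged within the block and only mildly moved afterwards, which is the property a multi-source feed such as the Chainlink oracles mentioned above is meant to provide.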
The attacker's manipulation caused the price of WBTC on Kyber to fall briefly to $4,000. After a few hours, the Bitcoin-pegged token returned to its unmanipulated market price of about $10,000, but the maneuver had already allowed the attacker to lock in the profit described above. For now, the second attack, involving sUSD, appears to have followed the same modus operandi.
According to bZx, the attack left an undercollateralised loan on the platform. bZx says this is not yet a loss, but could become one:
This means that the debt can be serviced with the current collateral for the next 202 years. When the collateral runs out in the year 2222, there will be a 4698.02 ETH loss that will be socialized across the entire lending pool.
To avoid that outcome, bZx says it would use its administrator key to settle the WBTC into ETH. The company adds that, on that basis, its guarantee fund would have time to cover the shortfall before it falls due.
It remains to be seen how the company will respond to this second attack. For the time being, a further investigation into the decentralised bZx protocol could lead to a shutdown of all of the company's native Dapps.