Defi
Lending Procotol Exploited for Over $1 Million Worth of Ether
Decentralized Finance (DeFi)
lending protocol bZx was exploited two times by attackers, who managed to
profit over $1 million worth of ether through their attacks. The first one saw the attacker take out
what’s known as a flash loan to profit from a short position.
Using the decentralized trading
platform dYdX the attacker borrowed 10,000 ETH and sent half to Compound and half
to bZx. Using the funds on Compound, it borrowed 112 wBTC tokens to, and using the funds on
bZx entered a short position for 112 wBTC.
The attacker then sent the 112
wBTC it borrowed from Compound to Uniswap to sell the tokens and lower their
price, making the short sale profitable. After repaying the 10,000 ETH loan,
the hacker still had 1,300 ETH worth of profit. It was all done in a single transaction, and since the
loan was repaid in the same transaction it was taken no collateral was
needed.
The second one saw the attacker take out a
flash loan of 7,500 ETH and send half to Synthetix to buy sUSD and deposit it
to bZx as collateral. They then used 900 ETH to market buy sUSD to manipulate
its price and bring it to over $2, allowing the attacker to take out a larger
loan. Using it, they repaid the original loan and made a profit of 2,388 ETH,
over $640,000.
Speaking to TheBlock Robert
Leshner, founder of Compound, said:
“Security is the ultimate priority for a
financial product. The bZx team has repeatedly demonstrated that it isn’t
capable of protecting user funds, and should immediately cease operations
until the platform can be thoroughly and completely audited.”
bZx has paused its protocol in
light of the attacks.