The cryptocurrency industry can’t seem to catch a break from cyber-attacks: the DeFi market recently lost more than $900,000 to two consecutive hacks. A report from blockchain analysis platform Chainalysis states that 2019 saw more than a dozen attacks in which hackers managed to steal more than $283 million in cryptocurrency assets. The most recent victim of two such attacks is the popular decentralized lending protocol bZx.
A cunning first day
According to the bZx report, the bZx team first noticed a suspicious transaction on February 14, while the team was at the ETHDenver industry event. The attacker exploited the system by first taking a loan of 10,000 Ether from lending protocol dYdX and then using 5,500 ETH of it as collateral for a loan of 112 wrapped Bitcoin (WBTC), worth over $1 million, on DeFi protocol Compound.
He then used 1,300 ETH to open a 5x leveraged position on the ETH/BTC pair on bZx’s Fulcrum trading platform, borrowed 5,637 ETH through Kyber’s Uniswap and swapped it for 51 WBTC, causing large slippage. This allowed the hacker to profit by swapping the 112 WBTC from Compound for 6,671 ETH, resulting in a profit close to $318,000. The 10,000 Ether loan was then paid back.
Following the attack, bZx issued a statement announcing that user funds weren’t affected by the attack. The team also introduced multiple patches to fix the bug. Part of the statement reads:
“We have made the following upgrades using the administrator key to prevent this attack from occurring again. First, we addressed the condition that prevented the check from firing in the first place by requiring the check to take place even in the case of overcollateralized loans. Second, the ETHBTC margin tokens were delisted from the oracle token registry. Third, we implemented maximum trade sizes to limit the possible scope of any attack.”
History repeated itself
Despite all the fixes, the protocol was attacked yet again on February 18. Larry Cermak, director of research at The Block, explained that this time the attacker took out a flash loan of 7,500 ETH to buy sUSD at a price close to $1 and deposited the funds on bZx as collateral. Then, the individual used 900 ETH to market buy sUSD on Kyber and Uniswap, pumping the price to over $2. Once sUSD went up, the trader borrowed nearly 6,800 ETH against sUSD on bZx to pay back the flash loan. In the end, the anonymous attacker was able to profit approximately $636,000.
According to Kyle Kistner, the project’s CVO and operations lead, the attack was a result of oracle manipulation. He further added that the bZx developers would switch to the Chainlink protocol to avoid situations like these.
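The following added example (not code from bZx or from the original article) models the oracle-manipulation risk described above: a lender that values collateral at one pool's spot price, next to a guard that refuses the loan when that price deviates from an independent reference. The pool model, reserves, collateral ratio and 5% threshold are all constructed assumptions, and the reference feed is a stand-in for an external oracle.

```python
class ConstantProductPool:
    """Simplified fee-free x*y=k pool holding ETH and a stablecoin."""

    def __init__(self, eth_reserve, stable_reserve):
        self.eth, self.stable = eth_reserve, stable_reserve

    def spot_price(self):
        """ETH per stablecoin unit implied by the current reserves."""
        return self.eth / self.stable

    def buy_stable(self, eth_in):
        """Swap ETH for stablecoin while keeping eth * stable constant."""
        k = self.eth * self.stable
        self.eth += eth_in
        bought = self.stable - k / self.eth
        self.stable -= bought
        return bought


class OracleDeviation(Exception):
    """Raised when the pool price strays too far from the reference feed."""


def collateral_value_eth(amount, spot, reference, max_deviation=0.05):
    """Value collateral at the reference price; refuse if spot has drifted."""
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        raise OracleDeviation(f"spot is {deviation:.0%} away from reference")
    return amount * reference


def max_borrow_eth(collateral_value, collateral_ratio=1.5):
    return collateral_value / collateral_ratio


def demo():
    pool = ConstantProductPool(2_000.0, 500_000.0)  # constructed reserves
    reference = pool.spot_price()   # stand-in for an independent price feed
    pool.buy_stable(900.0)          # one large market buy into a thin pool
    inflated = pool.spot_price()
    collateral = 1_000_000          # stablecoin units posted as collateral
    naive = max_borrow_eth(collateral * inflated)  # trusts the pool's spot price
    try:
        guarded = max_borrow_eth(collateral_value_eth(collateral, inflated, reference))
    except OracleDeviation:
        guarded = None              # loan refused until prices reconverge
    return reference, inflated, naive, guarded
```

With these constructed reserves, a single large buy more than doubles the spot price, so the naive lender would extend roughly twice the borrowing power for the same collateral while the guarded path refuses the loan.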
Crypto continues to be dangerous ground
From scamming on Tinder to infecting computers using photos of celebrities, cybercriminals continue to stay ahead of the curve. Earlier this month, Italian crypto exchange Altsbit was hacked for 6.929 Bitcoin (BTC) and 23 Ether (ETH) alongside other crypto assets. The hack forced the exchange to shut down as the remaining funds were used to refund the victims.
Similarly, an earlier report by The Daily Chain covered how centralized exchanges are not the best of places to store crypto assets. Even the smallest of bugs or errors on the part of the exchanges often lead to unrecoverable damage. The non-reversibility of transactions, a basic property of most cryptocurrencies, has turned out to be a feature that is well appreciated by hackers, who can easily get away with the funds.