Last week, an anonymous market manipulator carried out an arbitrage attack against the decentralized finance lending protocol bZx, netting the "bad actor or group" an estimated $350,000 in ETH. In the days that followed, bZx suffered a separate oracle-based attack. The suspect this time, whose method mirrors that of the first attack, raked in around $650,000 in ETH.
bZx is an Ethereum margin lending and trading protocol; Fulcrum is a front-end project built on top of it that offers bZx's services at its core. The method used in the alleged heist was not an unauthorized intrusion into these or any other project, but rather a complex arbitrage-style opportunity. The trader followed the rules of the contract and loan system. They "apparently" exploited a logic bug in the smart contract that is intended to verify that all positions end up safe, and took advantage of the markets' low liquidity using clear market manipulation tactics.
Both incidents involve flash loans, a new type of decentralized finance (DeFi) primitive that lets users carry out sophisticated sequences of financial actions within a single transaction. In simpler terms, a flash loan is a loan that only takes effect if it is paid back within that same transaction. This property makes flash loans a powerful tool, and one the crypto-economy now sees as a double-edged sword.
Flash loans are marketed as "risk free" because they rely on the Ethereum blockchain's ability to execute atomic transactions. This guarantee means that if the flash loan fails because the borrower does not return enough funds, the whole transaction is reverted. Flash loans therefore let traders take out an uncollateralized loan, removing the need to post any collateral. Arbitrageurs use flash loans to stay on the profitable side of a trade, coding them to perform calculated arbitrage: the simultaneous purchase and sale of assets across many markets.
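To make the atomicity guarantee concrete, here is an added Python simulation (not code from bZx, Aave or dYdX; the ledger, pool and "trader" account are constructed): a pool lends without collateral, runs the borrower's strategy, then pulls repayment. If repayment fails, the ledger is rolled back to its snapshot, just as the EVM discards every state change of a reverted transaction.

```python
from typing import Callable, Dict

# Constructed simulation of flash-loan atomicity (added example, not protocol code).
# The EVM reverts every state change of a failed transaction; here a
# snapshot/restore of the ledger plays that role.


class TransactionReverted(Exception):
    """Signals that the whole transaction must be rolled back."""


class Ledger:
    """Toy on-chain balances, in whole units of a single token (think ETH)."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)

    def snapshot(self) -> Dict[str, int]:
        return dict(self.balances)

    def restore(self, snap: Dict[str, int]) -> None:
        self.balances = dict(snap)

    def credit(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount

    def debit(self, account: str, amount: int) -> None:
        # Any shortfall anywhere in the transaction aborts it.
        if self.balances.get(account, 0) < amount:
            raise TransactionReverted(f"{account} cannot pay {amount}")
        self.balances[account] -= amount


class FlashLoanPool:
    """Lends without collateral, but only inside one atomic transaction."""

    def __init__(self, ledger: Ledger, name: str, reserve: int) -> None:
        self.ledger = ledger
        self.name = name
        ledger.credit(name, reserve)

    def flash_loan(self, borrower: str, amount: int,
                   strategy: Callable[[Ledger], None]) -> bool:
        """Return True if the loan was repaid, False if the transaction reverted."""
        snap = self.ledger.snapshot()
        try:
            self.ledger.debit(self.name, amount)   # hand out the loan
            self.ledger.credit(borrower, amount)
            strategy(self.ledger)                   # borrower's arbitrary sequence of actions
            self.ledger.debit(borrower, amount)    # pull repayment; raises if short
            self.ledger.credit(self.name, amount)
            return True
        except TransactionReverted:
            self.ledger.restore(snap)               # atomicity: as if nothing happened
            return False


def run_strategy(net_change: int):
    """Run a flash loan whose strategy gains (positive) or loses (negative) net_change.

    Returns (repaid?, trader balance, pool balance) after the transaction.
    """
    ledger = Ledger({"trader": 0})
    pool = FlashLoanPool(ledger, "pool", 10_000)   # constructed: 10,000 ETH of liquidity

    def strategy(l: Ledger) -> None:
        if net_change >= 0:
            l.credit("trader", net_change)
        else:
            l.debit("trader", -net_change)

    repaid = pool.flash_loan("trader", 10_000, strategy)
    return repaid, ledger.balances["trader"], ledger.balances["pool"]


if __name__ == "__main__":
    print("profitable trade:", run_strategy(50))    # (True, 50, 10000)
    print("losing trade:    ", run_strategy(-300))  # (False, 0, 10000)
```

The pool's only protection is the final debit: the borrower keeps whatever the strategy earned, and a strategy that cannot cover the principal leaves both balances exactly where they started. Lenders are safe in this model; it is the other contracts the strategy touches during the transaction that carry the risk.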
Investigations into the event suggest that an attacker or group of attackers used an Aave flash loan to borrow 10,000 ETH from the dYdX protocol. That haul was then used to launch the DeFi attack. The attacker placed half of those funds in the Compound lending dApp, against which they borrowed 112 WBTC, a tokenized ERC20 version of Bitcoin. In a separate move, the suspect went to the bZx protocol and shorted WBTC on margin. To depress the price, the attacker sold some of the borrowed WBTC on Uniswap, driving down the token's price and effectively paying off the bZx short. The attacker then repaid the Aave loan and pocketed around $350,000.
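The sequence above turns on two things: a thin pool whose spot price a single large sale can move, and a position check that trusts that spot price. The added Python model below (not bZx, Uniswap or Compound code; the reserves, position size and thresholds are invented) computes the constant-product price impact of one sale and contrasts a naive safety check with a guarded one that refuses to act when the spot price deviates from an independent reference by more than a threshold.

```python
from fractions import Fraction
from typing import Tuple

# Constructed model of a thin constant-product pool and a position-safety check
# (added example; not protocol code). All numbers are invented.


def spot_price(reserve_eth: Fraction, reserve_wbtc: Fraction) -> Fraction:
    """Marginal price of WBTC in ETH implied by the pool's reserves."""
    return reserve_eth / reserve_wbtc


def amm_sell(reserve_in: Fraction, reserve_out: Fraction,
             amount_in: Fraction) -> Tuple[Fraction, Fraction, Fraction]:
    """Sell amount_in of the 'in' token into an x*y=k pool (no fee).

    Returns (amount_out, new_reserve_in, new_reserve_out).
    """
    k = reserve_in * reserve_out
    new_in = reserve_in + amount_in
    new_out = k / new_in
    return reserve_out - new_out, new_in, new_out


def naive_is_safe(collateral_eth, debt_wbtc, price,
                  min_ratio=Fraction(3, 2)) -> bool:
    """Vulnerable check: trusts whatever price it is handed (e.g. a live DEX spot)."""
    return collateral_eth / (debt_wbtc * price) >= min_ratio


def guarded_is_safe(collateral_eth, debt_wbtc, spot, reference,
                    max_deviation=Fraction(1, 10),
                    min_ratio=Fraction(3, 2)) -> bool:
    """Hardened check: refuse to evaluate when the spot price has drifted too far
    from an independent reference (a time-weighted average or a median of oracles)."""
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"spot deviates {float(deviation):.0%} from reference; rejecting")
    return collateral_eth / (debt_wbtc * spot) >= min_ratio


def demo() -> dict:
    # Constructed thin pool: 100 WBTC against 4,000 ETH, i.e. 40 ETH per WBTC.
    reserve_wbtc, reserve_eth = Fraction(100), Fraction(4000)
    reference = spot_price(reserve_eth, reserve_wbtc)

    # One large sale of 50 WBTC into the pool moves the spot price sharply.
    _, reserve_wbtc, reserve_eth = amm_sell(reserve_wbtc, reserve_eth, Fraction(50))
    manipulated = spot_price(reserve_eth, reserve_wbtc)

    # Constructed margin position: 1,000 ETH of collateral against 30 WBTC of debt.
    collateral, debt = Fraction(1000), Fraction(30)
    try:
        guarded = guarded_is_safe(collateral, debt, manipulated, reference)
    except ValueError:
        guarded = "rejected"

    return {
        "reference_price": reference,
        "manipulated_price": manipulated,
        "naive_at_reference": naive_is_safe(collateral, debt, reference),
        "naive_at_manipulated": naive_is_safe(collateral, debt, manipulated),
        "guarded_at_manipulated": guarded,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At the reference price the position is undercollateralized and the naive check correctly fails it; after the sale the same check passes it, because the only input it has is the manipulated spot. The guarded version never reaches the ratio calculation: a 55% gap between spot and reference trips the deviation limit and the evaluation is refused. The deviation threshold and the choice of reference are policy decisions, which is why they are parameters here rather than constants.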
All of the events in the story occurred in a single transaction, with no collateral required up front. It was both an ingenious and a nefarious move, and it will likely fuel more speculation and uncertainty in the DeFi community going forward.
In the aftermath of the bZx attacks, the DeFi industry saw a significant drop in locked assets, falling by around $140 million from a peak of $1.2 billion on February 18. Only weeks before the attacks, DeFi had celebrated a $1 billion locked-assets milestone. The decline was particularly noticeable in locked Ether, with a total drop of around 200,000 ETH, according to analytics.
The DeFi movement is still in its early stages, and the market remains on the path to maturity. Still, the industry operates without enough sandboxing, an omission that could well trigger more hiccups down the road. Developers can avoid these scenarios by putting their contracts through a thorough smart contract audit. In the aftermath, the bZx team took precautionary measures to defend against further assaults, and DeFi stakeholders are now on high alert for further nefarious attempts against even larger projects.