Decentralized finance (DeFi) protocol bZx has suffered a second attack, with a hacker this time making over $630,000 worth of ether by using a flash loan to manipulate the price of sUSD.
The attack seemingly saw a hacker take out a flash loan for 7,500 ETH and use half of it to buy the sUSD stablecoin close to the $1 mark. The funds were then used on bZx as collateral, and part of the initial loan was used to buy more sUSD on the Kyber and Uniswap exchanges to drive its price to over $2.
With the collateral valued at the inflated price, the attacker managed to take out a larger loan and borrow nearly 6,800 ETH on bZx. The funds were used to repay the original flash loan. The total profit was 2,378 ETH, worth over $630,000 at press time.
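The mechanism above can be seen from the lender's side in a small model. This Python sketch is an added example, not bZx's code or anything from the original article: it assumes a fee-free constant-product pool, and the reserves, the 75% loan-to-value ratio, the reference price and the 10% deviation bound are all constructed values. It shows how a lender that trusts a pool's spot price raises its borrow limit after one large buy, and how a check against an independent reference flags the same price.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product (x * y = k) ETH/sUSD pool; trading fees ignored."""
    eth: float
    susd: float

    def spot(self) -> float:
        """Spot price of 1 sUSD in ETH, as a naive lender would read it."""
        return self.eth / self.susd

    def buy_susd(self, eth_in: float) -> float:
        """Swap ETH for sUSD; the pool's sUSD price rises as reserves shift."""
        k = self.eth * self.susd
        self.eth += eth_in
        susd_out = self.susd - k / self.eth
        self.susd -= susd_out
        return susd_out

def borrow_limit(collateral_susd: float, price: float, ltv: float = 0.75) -> float:
    """ETH a lender would release against sUSD collateral at a given price."""
    return collateral_susd * price * ltv

def checked_price(spot: float, reference: float, max_dev: float = 0.10) -> float:
    """Defensive check: reject a spot price far from an independent reference."""
    if abs(spot - reference) / reference > max_dev:
        raise ValueError(f"price {spot:.4f} deviates >{max_dev:.0%} from {reference:.4f}")
    return spot

def simulate() -> dict:
    # Constructed values: a thin pool and 1,000,000 sUSD posted as collateral.
    pool, reference, collateral = Pool(eth=1_000, susd=250_000), 0.004, 1_000_000
    before = borrow_limit(collateral, checked_price(pool.spot(), reference))
    pool.buy_susd(eth_in=500)  # one large buy inside the same transaction
    naive_after = borrow_limit(collateral, pool.spot())
    try:
        checked_price(pool.spot(), reference)
        flagged = False
    except ValueError:
        flagged = True
    return {"before": before, "naive_after": naive_after,
            "price_ratio": pool.spot() / reference, "flagged": flagged}

if __name__ == "__main__":
    print(simulate())
```

In a constant-product pool the price moves with the square of the reserve change, so a buy that grows the ETH side by 50% more than doubles the quoted sUSD price.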
On bZx’s Telegram channel one of its co-founders, Kyle Kistner, noted the attack appeared “to be an oracle manipulation attack” before details of what happened were revealed. This is the second attack the DeFi lending platform has suffered in four days, with the first one seeing hackers take over 1,190 ETH from it.
The first attack saw hackers take out a 10,000 ETH loan on dYdX to send half to Compound and half to bZx. On Compound, the user borrowed 112 wrapped bitcoin tokens (wBTC) using the ETH, and then entered a short position for 112 wBTC on bZx. Using the funds from Compound, the user lowered the tokens’ price via Uniswap.
Both exploits took advantage of so-called flash loans, which are loans both issued and repaid in a single transaction. The first attack is believed to have compromised roughly 2% of the total assets under management of bZx’s Fulcrum platform, which is used to margin trade and take out loans.
Following the first attack, bZx started using Chainlink’s solution to red-flag suspicious transactions. Its protocol was paused after both attacks.