bZx, a DeFi lending protocol, was hit with a series of exploits. The attacks resulted in the loss of 3,581 ETH worth nearly $1 million.
A series of unfortunate events
On Feb. 14, the bZx team was alerted about a suspicious transaction that allowed the perpetrator to net a whopping $300,000 in profits.
Julien Bouteloup, founder of DeFi investment firm Stake Capital, explained that a smart trader under the pseudonym dYdX took a 10,000 ETH flash loan to borrow 112 wrapped BTC (wBTC) from Compound. With the rest of the loan he was able to open a 5x short position against the “ETHBTC ratio” on Fulcrum.
Then, the individual went into Uniswap to swap 51 wBTC. This series of events caused a “large slippage”, allowing the trader to exit his short position at a profit and pay back the initial loan with the proceeds.
Following the exploit, bZx issued a statement claiming that users' funds were not affected. The team also vowed to implement multiple upgrades to ensure that this type of incident does not happen again.
“We have made the following upgrades using the administrator key to prevent this attack from occurring again. First, we addressed the condition that prevented the check from firing in the first place by requiring the check to take place even in the case of overcollateralized loans. Second, the ETHBTC margin tokens were delisted from the oracle token registry. Third, we implemented maximum trade sizes to limit the possible scope of any attack.”
The upgrades targeted multiple vulnerabilities in the DeFi lending protocol.
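
A simplified model of the first and third upgrades in the statement above, added here as an illustration and not bZx's code. It assumes the unnamed check is a price-impact limit on a constant-product pool; the reserves, fee, tolerance and size cap are constructed values, and all function names are hypothetical.

```python
from fractions import Fraction

FEE = Fraction(3, 1000)        # assumed 0.3% pool fee
MAX_IMPACT = Fraction(2, 100)  # hypothetical tolerance: 2% price impact
MAX_TRADE = 5                  # hypothetical cap on trade size, in wBTC


def swap_output(amount_in, reserve_in, reserve_out):
    """Constant-product (x * y = k) output for selling amount_in into the pool."""
    effective_in = amount_in * (1 - FEE)
    return reserve_out * effective_in / (reserve_in + effective_in)


def price_impact(amount_in, reserve_in, reserve_out):
    """Fraction by which the execution price falls short of the pre-trade spot price."""
    spot_out = amount_in * Fraction(reserve_out) / reserve_in
    return 1 - swap_output(amount_in, reserve_in, reserve_out) / spot_out


def check_before(amount_in, reserve_in, reserve_out, overcollateralized):
    """Pre-upgrade model: the check never fires for overcollateralized loans."""
    if overcollateralized:
        return True
    return price_impact(amount_in, reserve_in, reserve_out) <= MAX_IMPACT


def check_after(amount_in, reserve_in, reserve_out, overcollateralized):
    """Post-upgrade model: size cap first, then the check runs in every case."""
    if amount_in > MAX_TRADE:
        return False
    # overcollateralized is deliberately ignored: no exemption remains.
    return price_impact(amount_in, reserve_in, reserve_out) <= MAX_IMPACT


if __name__ == "__main__":
    # Constructed pool: 100 wBTC against 4,000 ETH (not the real reserves).
    pool = (100, 4000)
    for size in (1, 4, 51):
        impact = float(price_impact(size, *pool))
        print(f"{size:>3} wBTC: impact {impact:.1%}, "
              f"before={check_before(size, *pool, True)}, "
              f"after={check_after(size, *pool, True)}")
```

In this constructed pool a 51 wBTC swap is more than half the wBTC reserve, so the execution price falls far below spot; the pre-upgrade model lets it through because the loan is overcollateralized, while the post-upgrade model rejects it.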