Over the last four days, an attacker has made more than $1 million in profit (paid out in Ether) by exploiting a vulnerability in bZx, a tokenized margin trading and lending protocol.
In the first attack, the still-unidentified hacker got away with $350,000 USD worth of Ethereum (ETH).
Now, reports circulating say that the hacker has attacked bZx again, this time getting away with more than 2,378 ETH ($635,000).
As a result, the total value locked (TVL) in DeFi has fallen. After crossing the USD 1 billion mark earlier in the month, TVL hit another record high of USD 1.22 billion on February 15. It then drifted down to USD 1.149 billion earlier today and, within a couple of hours, crashed 12% to USD 1 billion at 10:00 UTC.
Bear in mind that the second attack closely resembled the first and was carried out in a single transaction on February 18, 2020.
The entire attack took just over a minute from beginning to end.
As in the first attack, the hacker took out a flash loan of 7,500 ETH (approximately $2.097 million), which they paid back at the end of the same transaction. Notably, proceeds of that loan were also posted as collateral for a bZx loan.
Next, the hacker converted 3,518 ETH ($994,925) to sUSD using Synthetix’s depot.
Keep in mind that sUSD is a synthetic asset backed by Synthetix’s own cryptocurrency, the Synthetix Network Token (SNX).
Simply put, sUSD is the synthetic USD stablecoin issued by the Synthetix protocol, and it also serves as the protocol’s base currency.
Because sUSD is designed to be a stable token, the official depot sold it at roughly 1 USD per coin.
Then the hacker placed buy orders worth 900 ETH ($252,117) to push up the price of sUSD on Kyber Network, the Ethereum-based protocol whose price feed bZx relied on. Because Kyber sets prices from supply and demand, the price of sUSD on Kyber spiked to more than 2 USD per token. No sensible person would have bought sUSD at such an inflated rate, but ‘smart’ contracts are not very sensible.
Afterwards, the attacker deposited their 1,099,841 sUSD into bZx to borrow ETH. bZx looked up the value of sUSD on Kyber and concluded that the collateral justified lending 6,796 ETH. Note that 1,099,841 sUSD was actually worth only ~4,080 ETH. Because of the inflated price on Kyber, the bZx smart contract was deceived, and this single loan left it with a shortfall of 6,796 – 4,080 = 2,716 ETH.
The hacker paid back the initial 7,500 ETH loan and netted 2,378 ETH in profit (7500 – 3518 – 900 + 6796 – 7500).
In sum, the hacker made 2,378 ETH and bZx lost 2,716 ETH.
The remaining 338 ETH went to whoever filled the attacker’s 900 ETH order for sUSD on Kyber. If the hacker filled their own orders, their take could have been as high as 2,716 ETH.
The attacker borrowed 7,500 ETH but used only 4,418 of it, because Synthetix’s depot did not hold enough sUSD. Had the depot held more, the amount taken would have been even higher.
As in the first attack, the hacker’s own funds were never at risk. Had the attack failed, the transaction would simply have reverted and the hacker would have lost only the gas fee.
The total amount of Ethereum locked in bZx lending contracts has almost been cut in half, from 40,000 ETH (~$10.7 million) to 23,000 ETH (~$6.1 million), since the attack.
Now that sUSD has returned to its dollar peg, the attacker has left behind an open loan backed by only half the required collateral.
bZx should immediately stop trusting the prices returned by Kyber. Relying on a single price oracle is a vulnerability in the smart contract that needs to be fixed as quickly as possible.
It would also be prudent for bZx to pause operations and obtain a new security audit before resuming.
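The following Python model is an added example and is not code from bZx, Kyber or Synthetix. It illustrates the two points made above: how a large trade against a thin on-chain market moves the spot price that a lender reads from a single oracle, and how a lender that values collateral at the lower of a median across several feeds and a slow-moving reference price (plus a deviation alert for monitoring) limits the over-lending. The pool sizes, collateral amount, collateral factor and alert threshold are constructed for illustration; the constant-product pool is a stand-in for any supply-and-demand price source.

```python
"""Added example (not bZx, Kyber or Synthetix code): a toy model of collateral
priced from a single on-chain spot source versus a guarded oracle. Pool sizes,
collateral amounts and thresholds are constructed for illustration only."""
from statistics import median
from typing import Callable, List


class ConstantProductPool:
    """Minimal x*y=k automated market maker standing in for a thin reserve."""

    def __init__(self, eth_reserve: float, susd_reserve: float) -> None:
        self.eth = eth_reserve
        self.susd = susd_reserve

    def susd_price_in_eth(self) -> float:
        """Spot price the pool quotes: ETH per 1 sUSD."""
        return self.eth / self.susd

    def buy_susd_with_eth(self, eth_in: float) -> float:
        """Swap ETH for sUSD. Adding ETH and removing sUSD raises the spot price."""
        k = self.eth * self.susd
        new_eth = self.eth + eth_in
        new_susd = k / new_eth
        susd_out = self.susd - new_susd
        self.eth, self.susd = new_eth, new_susd
        return susd_out


class LendingProtocol:
    """Lends ETH against sUSD collateral valued by whatever price function it is given."""

    def __init__(self, price_fn: Callable[[], float], collateral_factor: float = 0.8) -> None:
        self.price_fn = price_fn
        self.collateral_factor = collateral_factor

    def max_borrow_eth(self, susd_collateral: float) -> float:
        return susd_collateral * self.price_fn() * self.collateral_factor


def guarded_collateral_price(sources: List[float], reference: float) -> float:
    """Value collateral at the lower of (a) the median of several independent
    sources and (b) a slow-moving reference such as a time-weighted average.
    Under-valuing collateral is safe for the lender; over-valuing is not."""
    return min(median(sources), reference)


def spot_deviation_alert(spot: float, sources: List[float], threshold: float = 0.05) -> bool:
    """Detection hook: flag a spot quote that strays more than `threshold`
    from the median of the other sources (a sign of a distorted market)."""
    ref = median(sources)
    return abs(spot - ref) / ref > threshold


def run_scenario(eth_pool: float = 2_000.0, susd_pool: float = 400_000.0,
                 collateral_susd: float = 200_000.0, trade_eth: float = 900.0) -> dict:
    """Compare a spot-priced lender with a guarded one before and after a large buy."""
    pool = ConstantProductPool(eth_pool, susd_pool)  # constructed: 0.005 ETH per sUSD
    fair = pool.susd_price_in_eth()
    # Two other feeds (constructed) that the trade in `pool` does not move.
    others = [fair, fair * 1.01]

    naive = LendingProtocol(pool.susd_price_in_eth)
    guarded = LendingProtocol(
        lambda: guarded_collateral_price([pool.susd_price_in_eth()] + others, fair))

    naive_before = naive.max_borrow_eth(collateral_susd)
    guarded_before = guarded.max_borrow_eth(collateral_susd)
    pool.buy_susd_with_eth(trade_eth)  # one large order distorts the spot price
    naive_after = naive.max_borrow_eth(collateral_susd)
    guarded_after = guarded.max_borrow_eth(collateral_susd)

    return {
        "spot_multiplier": pool.susd_price_in_eth() / fair,
        "collateral_fair_eth": collateral_susd * fair,
        "naive_before": naive_before,
        "naive_after": naive_after,
        "naive_overlend_eth": naive_after - collateral_susd * fair,
        "guarded_before": guarded_before,
        "guarded_after": guarded_after,
        "alert": spot_deviation_alert(pool.susd_price_in_eth(), others),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>22}: {value}")
```

With the constructed defaults, a 900 ETH buy roughly doubles the spot price, and the spot-priced lender is willing to hand out 1,682 ETH against collateral worth 1,000 ETH, while the guarded lender stays at 800 ETH both before and after the trade and the deviation alert fires. The `min(median, reference)` rule is deliberately one-sided: a lender is harmed only when collateral is over-valued, so the conservative choice for collateral pricing is the lowest credible figure.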