bZx, a decentralized finance (DeFi) lending and margin-trading project, was exploited on Saturday while its team was presenting at ETHDenver.
An unidentified attacker chained several DeFi protocols together inside a single transaction and drained roughly $350,000 worth of Ether (ETH) from bZx, about two percent of the funds the protocol held.
By combining a handful of DeFi building blocks with a modest amount of price manipulation, the attacker walked away with a large quantity of ETH.
The attack went through bZx's Fulcrum margin-trading platform, which the company shut down in response to the incident.
Starting with no capital of their own, the attacker pocketed $350,000 in just seven steps.
The attacker borrowed 10,000 ETH, worth approximately $2.51 million, through a flash loan.
Keep in mind that everything that follows happened inside one Ethereum transaction, which is what a flash loan requires:
The attacker then split the borrowed ETH, sending most of it to the lending protocol Compound as collateral and a smaller slice to bZx as margin.
Against the Compound collateral the attacker borrowed 112 WBTC (Wrapped Bitcoin), worth roughly $1.1 million. With the ETH sent to bZx, the attacker opened a leveraged short on ETH against WBTC on Fulcrum. To fill that position bZx took ETH from its own lending pool and market-bought WBTC on the decentralized exchange Uniswap, where WBTC liquidity was thin, so the purchase pushed the WBTC price on Uniswap far above its price everywhere else.
The attacker then sold the 112 WBTC borrowed from Compound into that same Uniswap pool at the inflated price, received far more ETH than the WBTC had been worth, repaid the 10,000 ETH flash loan and kept the difference. The loss landed on bZx, whose lending pool was left holding a deeply undercollateralized position.
The whole sequence cost the attacker $8.28 in transaction fees, and it was possible only because of a recent DeFi invention: the flash loan.
A flash loan lets you borrow an asset with no collateral at all, on the single condition that you repay it within the same transaction.
For example, a trader can write a smart contract that takes the borrowed ETH, buys an asset cheaply on one exchange, sells it at a higher price on another and repays the lender, all in one call.
Because the exchanges are on-chain contracts and an Ethereum transaction either completes in full or not at all, the lender does not have to trust the borrower: if the repayment step fails, the whole transaction reverts and the loan never happened.
Flash loans sound strange, a genuine loan with no credit check that lasts only as long as one transaction, but the lender is safe precisely because the contract enforces repayment; if the funds do not come back, the transaction is rolled back as though it had never been sent.
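The following toy Python model illustrates both the trade sequence above and the flash-loan guarantee just described. It is an added example written for this page, not code from bZx, dYdX, Compound or Uniswap. It assumes a constant-product pool with no swap fee, a flat 5x leverage, and made-up balances and reserves; the Compound leg is simplified to an ETH deposit that stays locked against a WBTC debt that is never unwound, and the hypothetical field names (`margin_pool_eth`, `collateral_lender_wbtc` and so on) are this model's own.

```python
"""Toy model of the trade above: a flash loan that commits only if repaid, a thin
constant-product pool whose price a big buy can move, and who ends up holding the loss.
Added illustration, not code from bZx, dYdX, Compound or Uniswap; every balance,
reserve and the 5x leverage is a constructed example value."""
from copy import deepcopy
from dataclasses import dataclass


class Revert(Exception):
    """Stands in for an EVM revert: all state changes of the transaction are discarded."""


@dataclass
class Pool:
    """Uniswap-style constant-product market (eth * wbtc = k); swap fee omitted."""
    eth: float
    wbtc: float

    def spot_price(self) -> float:            # ETH per WBTC implied by the reserves
        return self.eth / self.wbtc

    def buy_wbtc(self, eth_in: float) -> float:
        k = self.eth * self.wbtc
        self.eth += eth_in
        out = self.wbtc - k / self.eth
        self.wbtc -= out
        return out

    def sell_wbtc(self, wbtc_in: float) -> float:
        k = self.eth * self.wbtc
        self.wbtc += wbtc_in
        out = self.eth - k / self.wbtc
        self.eth -= out
        return out


@dataclass
class World:
    pool: Pool
    flash_lender_eth: float        # flash-loan pool (dYdX-style)
    margin_pool_eth: float         # bZx/Fulcrum lending pool that funds the leverage
    margin_pool_wbtc: float        # WBTC the leveraged position bought, held by bZx
    collateral_lender_wbtc: float  # Compound-style lender of WBTC against ETH collateral
    attacker_eth: float
    attacker_wbtc: float


def flash_loan(world: World, amount: float, strategy) -> World:
    """Lend `amount` ETH, run `strategy`, commit only if repaid. Working on a deep copy
    means a failed repayment leaves `world` untouched, as a reverted transaction would."""
    state = deepcopy(world)
    state.flash_lender_eth -= amount
    state.attacker_eth += amount
    strategy(state)
    if state.attacker_eth < amount:
        raise Revert("flash loan not repaid within the transaction")
    state.attacker_eth -= amount
    state.flash_lender_eth += amount
    return state


def attack(state: World, collateral=5_500.0, margin=1_300.0, leverage=5.0, dump=112.0):
    # 1. park most of the borrowed ETH as collateral and borrow WBTC against it
    #    (that collateral stays locked after the transaction; it is not free money)
    state.attacker_eth -= collateral
    state.collateral_lender_wbtc -= dump
    state.attacker_wbtc += dump
    # 2. open a leveraged short on ETH against WBTC: the margin pool adds its own ETH to
    #    the attacker's margin and market-buys WBTC on the thin pool, driving the price up
    state.attacker_eth -= margin
    pool_funded = margin * (leverage - 1)
    state.margin_pool_eth -= pool_funded
    state.margin_pool_wbtc += state.pool.buy_wbtc(margin + pool_funded)
    # 3. dump the borrowed WBTC into the same pool at the inflated price
    state.attacker_wbtc -= dump
    state.attacker_eth += state.pool.sell_wbtc(dump)


INITIAL_MARGIN_POOL_ETH = 20_000.0


def run(pool: Pool, loan: float = 10_000.0):
    """Return (committed state, or None if the transaction reverted; attacker's ETH gain)."""
    before = World(pool=pool, flash_lender_eth=50_000.0, margin_pool_eth=INITIAL_MARGIN_POOL_ETH,
                   margin_pool_wbtc=0.0, collateral_lender_wbtc=1_000.0,
                   attacker_eth=0.0, attacker_wbtc=0.0)
    try:
        after = flash_loan(before, loan, attack)
    except Revert:
        return None, 0.0                     # nothing happened on-chain
    return after, after.attacker_eth - before.attacker_eth


def margin_pool_shortfall(after: World) -> float:
    """ETH the margin pool lent out minus what its WBTC fetches at the post-dump price."""
    lent = INITIAL_MARGIN_POOL_ETH - after.margin_pool_eth
    return lent - after.margin_pool_wbtc * after.pool.spot_price()


if __name__ == "__main__":
    thin, gain = run(Pool(eth=4_000.0, wbtc=100.0))       # illiquid WBTC market
    print(f"thin pool: attacker +{gain:.1f} ETH, margin pool short {margin_pool_shortfall(thin):.1f} ETH")
    deep, gain = run(Pool(eth=400_000.0, wbtc=10_000.0))  # deep market: price barely moves
    print("deep pool:", "reverted, nothing changed" if deep is None else f"attacker +{gain:.1f} ETH")
```

Run against the thin pool, the margin pool's own ETH does the price pushing, the attacker walks out of the transaction with ETH they never had, and the margin pool is left with WBTC worth far less than what it lent. Run against the deep pool, the 112 WBTC does not fetch enough ETH to cover the 10,000 ETH repayment, `flash_loan` raises `Revert` and the caller is handed back the original, untouched `World`; that all-or-nothing behaviour is why the flash lender can do without collateral, and why the only party exposed to the manipulation is the protocol that priced its trade off the thin pool.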
On Saturday, bZx stated that none of the users on its platform had lost any funds.
bZx also said the attacker had left about $600,000 worth of WBTC in the protocol, and that it is considering seizing those funds and distributing them to its users.
To do that, however, it would have to use its admin key.
The admin key is built into the protocol and gives bZx control, as a last resort, over every one of the smart contracts that hold user funds.
The key exists precisely for situations like this one, where a large amount of money is at stake. But it also means users have to trust the team behind the protocol not to walk off with everyone's funds.
Since the whole point of DeFi is to remove exactly that kind of trust, this looks like a significant flaw.
The incident therefore shows not only how several DeFi tools can be chained together to extract a large profit, but also how centralized some of those tools really are.