News on February 15th, bZx, an open financial (DeFi) lending protocol, was attacked, causing some ETH to have been lost.
According to bZx co-founder Kyle Kistner, although the amount of ETH currently lost is unknown, the loss does exist.
Kistner revealed some details in the bZx official telegram group, saying that a contract loophole was exploited by the attacker. The company has currently suspended the contract, while the loan contract and cancellation contract are still running.
As for the details of the vulnerability, bZx is still consulting with security researchers to understand the problem, Kistner added:
"We will publish a deeper profiling report, and the remaining funds are safe."
Due to the impact of the vulnerability, bZx has suspended its Fulcrum trading platform and is currently under maintenance.
According to DeFi Pulse data, users have taken 3300 ETH (about $ 932,000) from the bZx protocol in the past 24 hours.
Following the incident, DeFi observer Chris Blec commented:
"Early unproven theory holds that this is not a smart contract hack, but that someone has used oracle (possibly using fast loans) for some kind of radical market manipulation.
Another observer, Paranoid Individual, agrees, saying:
"After a quick investigation, my opinion is that someone attacked bZx through an oracle vulnerability. The news is good or bad, depending on where you are right now."
Analyst Alex gave his specific judgment:
"Recall what the attackers did:
- The attacker borrowed 10,000 ETH from dydx using a fast loan;
- He put 50% of it in compound and the remaining 50% in bZx (fulcrum uses bZx protocol);
- He borrowed 112 WBTC (Bitcoin Anchor Coin from ERC20) from compound;
- He shorted WBTC at bZw;
- He threw 112 WBTC in uniswap, probably to drive down prices;
- Return 10,000 ETH borrowed from dydx;
- The original contract had $ 1 million worth of eth in the compound and $ 650,000 of WBTC debt, so the attacker had a profit of about $ 350,000;
(Figure: Operation records of the attacker )
What do you think?