DeFi protocol bZx was attacked twice in one week, highlighting industry concerns

DeFi protocol bZx was attacked again within a week, this time losing more than $600,000 in ETH. It was the second attack in a matter of days, and it came just after bZx had deployed a contract upgrade.

bZx tweeted that the second attack was an oracle manipulation attack, entirely different from the first one, and that the attacker netted about $600,000 from the system. In the team's words: "The sUSD reserves on Kyber include an APR and a Uniswap pool. We believe the attacker was able to manipulate both and bypass the relevant checks. We will implement a change that allows traders and borrowers to close positions. During this time we will strengthen the security of the protocol to ensure that similar incidents do not occur again. In addition, we are working with Chainlink and other oracle networks to build a more secure oracle and reduce the attack surface of the protocol." Bitcoinist noted that the second attack on bZx showed the need for thorough audits of DeFi smart contracts.

According to Bitcoinist, the attack was made possible by smart contracts that let an "attacker" borrow funds without posting any collateral, provided the funds are repaid within the same transaction (a flash loan). Between borrowing and repaying, the attacker can chain many operations across DEXs and DeFi lending platforms, all executed automatically by smart contracts. Everything settles atomically in a single transaction: either every step succeeds, or the whole transaction reverts.

In this latest attack, the attacker used the borrowed funds to immediately execute a series of trades, exploiting the low liquidity of a DEX to move prices, and extracted a considerable profit.

Specifically, the attacker flash-borrowed 7,500 ETH from bZx, used roughly half of it to buy sUSD on Synthetix, another DeFi platform, and posted that sUSD as collateral for a second bZx loan. They then spent 900 ETH buying sUSD on the low-liquidity Kyber network, pushing the sUSD price up to about $2. With the collateral now valued at the inflated price, they borrowed 6,796 ETH, repaid the original 7,500 ETH loan, and kept 2,378 ETH, worth about $630,000.
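The sequence above can be replayed against a small model. The following is an added example, not code from the article or from bZx: a constant-product AMM pool stands in for the thin Kyber/Uniswap sUSD reserve, a lender values collateral with either a raw spot-price oracle or one that checks the pool price against an independent reference, and the flash loan either repays or the transaction "reverts". The pool size, the 150% collateral ratio, the $265/ETH rate and the 5% deviation threshold are all constructed for illustration, so the resulting profit differs from the article's 2,378 ETH; only the 7,500 / ~3,517 / 900 ETH figures come from the text.

```python
"""
Added example (not from the article or from bZx): why pricing collateral off a
thin DEX pool's spot price can be drained inside one flash-loan transaction,
and how a deviation check against an independent reference stops it.
All pool sizes, ratios and prices are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional

ETH_USD = 265.0            # constructed reference rate (about $630,000 / 2,378 ETH)
FLASH_LOAN_ETH = 7_500     # flash loan size from the article
MINT_ETH = 3_517           # ETH converted to sUSD at the fair rate (article: "about half")
PUMP_ETH = 900             # ETH swapped into the thin pool to move its spot price
COLLATERAL_RATIO = 1.5     # constructed: 150% collateral required to borrow


@dataclass
class CpmmPool:
    """Constant-product ETH/sUSD pool: eth * susd == k is preserved across swaps."""
    eth: float
    susd: float

    def susd_usd_spot(self) -> float:
        """USD price of one sUSD implied by the current reserves."""
        susd_per_eth = self.susd / self.eth
        return ETH_USD / susd_per_eth

    def swap_eth_for_susd(self, eth_in: float) -> float:
        """Sell eth_in into the pool and return the sUSD received. This moves the spot price."""
        k = self.eth * self.susd
        new_eth = self.eth + eth_in
        new_susd = k / new_eth
        out = self.susd - new_susd
        self.eth, self.susd = new_eth, new_susd
        return out


Oracle = Callable[[CpmmPool, float], float]


def spot_oracle(pool: CpmmPool, reference_usd: float) -> float:
    """Vulnerable oracle: trusts whatever the manipulable pool says right now."""
    return pool.susd_usd_spot()


def guarded_oracle(pool: CpmmPool, reference_usd: float, max_dev: float = 0.05) -> float:
    """Hardened oracle (constructed): reject a pool price that deviates more than
    max_dev from an independent reference (a TWAP or external feed), and otherwise
    use the lower of the two so collateral is never over-valued."""
    spot = pool.susd_usd_spot()
    if abs(spot - reference_usd) / reference_usd > max_dev:
        raise ValueError(f"pool price {spot:.3f} deviates from reference {reference_usd:.3f}")
    return min(spot, reference_usd)


def run_attack(oracle: Oracle) -> Optional[float]:
    """Replay the article's steps as one atomic transaction. Returns the attacker's
    profit in ETH, or None if the flash loan cannot be repaid (the tx would revert)."""
    pool = CpmmPool(eth=2_200.0, susd=2_200.0 * ETH_USD)  # constructed thin pool, sUSD at $1
    eth = float(FLASH_LOAN_ETH)                           # 1. flash-borrow 7,500 ETH
    eth -= MINT_ETH
    susd = MINT_ETH * ETH_USD                             # 2. buy sUSD at the fair $1 rate
    eth -= PUMP_ETH
    susd += pool.swap_eth_for_susd(PUMP_ETH)              # 3. pump sUSD on the thin pool
    try:
        price = oracle(pool, 1.0)                         # 4. lender prices the collateral
    except ValueError:
        return None                                       #    hardened lender refuses
    borrow_eth = susd * price / COLLATERAL_RATIO / ETH_USD  # 5. borrow against it
    eth += borrow_eth
    if eth < FLASH_LOAN_ETH:                              # 6. repay the flash loan or revert
        return None
    return eth - FLASH_LOAN_ETH


if __name__ == "__main__":
    print("spot oracle   :", run_attack(spot_oracle))     # positive ETH profit
    print("guarded oracle:", run_attack(guarded_oracle))  # None: transaction reverts
```

With the spot oracle, 900 ETH into the constructed pool roughly doubles the sUSD price, the lender values the collateral at that price, and the borrow covers the flash loan with about 1,080 ETH to spare. With the guarded oracle the same pool state is rejected as a 98% deviation from the reference, the borrow never happens, and the flash loan cannot be repaid, so the whole transaction reverts and the attacker is left with nothing but gas costs. A reference price that is itself read from the same manipulable pool would of course not help; it has to come from a source the attacker cannot move within the transaction.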

All of these steps were completed in a single transaction, using smart contracts in ways their developers never anticipated, much like the infamous DAO attack. This was not a hack in the usual sense so much as an exploitation of poorly written and insecure smart contracts.

After the first attack, in which bZx lost $350,000 in ETH, the platform shut down and went offline so that developers could repair the contracts before the attacker could strike again. The first attack caught the crypto community by surprise, as lending was a new product for the DeFi platform. The second attack demonstrated the need for a very thorough review of DeFi smart contracts.

When DeFi lending protocol bZx was attacked again, the value of assets locked in the DeFi ecosystem fell by nearly $142 million within hours. This month the total value locked in DeFi protocols crossed the $1 billion mark for the first time, and on February 15 it hit a new record of $1.22 billion. Earlier today the total had gradually declined to $1.149 billion, and after the second bZx attack it fell further, approaching $1 billion.

Despite soaring DEX trading volume, the bZx exploit highlights industry concerns

Last year, DEX trading volume on Ethereum exceeded $2.3 billion, and it is expected to surpass that easily in 2020. According to data from Dune Analytics, Ethereum DEX volume over the past 7 days reached $119 million, up 71% year-on-year. At the same time, new DEXs keep emerging to meet growing demand. Nevertheless, the DEX industry still has hidden concerns. The exploit of DeFi lending protocol bZx on February 15 sparked a fierce debate over whether decentralized exchange protocols are really decentralized, or whether the existence of an "emergency switch" renders all such claims meaningless.

Robert Leshner, founder of the Ethereum decentralized lending protocol Compound, said that the bZx team's recent performance has repeatedly proven that they cannot properly protect user assets, and that they should immediately suspend operations and review the platform.

Litecoin founder Charlie Lee said on Twitter: "This is why I don't believe in DeFi. It's the worst of both worlds. Most DeFi can be shut down by a centralized party, so it is just decentralized 'theatre'. And yet, unless we add more centralization, no one can undo hacks or exploits."

Translated from: Bitcoinist