An attacker has managed to exploit the decentralized finance (DeFi) protocol bZx to make over $360,000 worth of profit in a single transaction through what’s known as flash loan.
Using a decentralized trading platform dYdX, a hacker borrowed 10,000 ETH, currently worth around $2.5 million, and then sent half of it to decentralized finance lending platform Compound, and half to decentralized trading platform bZx.
Using the funds on Compound, it borrowed 112 wrapped bitcoin tokens (wBTC), ERC-20 tokens backed 1:1 by bitcoin. Using the half on bZx, the hacker entered a short position for 112 wBTC. He then sent the 112 wBTC it got from Compound to another trading platform, Uniswap, in a move that lowered the price of the tokens which made the short sale profitable.
The hacker then repaid his loan to dYdX and kept the profit from the short sale, 1,300 ether that were then worth $360,000. All of this was made in a single transaction that cost around $8 worth of transaction fees.
The attack was pulled in a single transaction through what’s known as a flash loan. Essentially, the attacker borrowed 10,000 ETH without any collateral as he borrowed the funds in the same transition that paid them back. Through a smart contract, it was possible to pull the transaction.
Using the exploit, the hacker made over 1,000 ETH in profit and cost the bZx protocol over $620,000 in equity. bZx has made it clear users won’t suffer from the loss as it will compensate them. Those behind the project are set to release a detailed analysis at 5pm MST.
4/ We believe in standing beside our work and our product completely. We will be publishing a comprehensive plan to compensate lenders. We will continue to live up to our values and the expectations of the community.
— bZx (@bzxHQ) February 15, 2020
Data from DeFi Pulse shows that investors quickly started withdrawing from bZx right after the incident occurred, but started regaining confidence as soon as the project addressed the issue and clarified they wouldn’t be socializing the loss.
Featured image via Pixabay.