bZx, the DeFi protocol on the receiving end of the ecosystem’s latest exploit, has been hit with a second attack, this time using the protocol’s own flash loans that were enabled just a day ago. The exploit, which involved the use of Synthetix, has resulted in bZx pausing their smart contract again.
DeFi Attacks Continue
After a tumultuous week, bZx was hit by another exploit. This time, co-founder Kyle Kistner believes it was caused by manipulation of the protocol’s price oracle, as per the bZx Telegram channel.
The trader who executed the exploit is said to have made off with 2,388 ETH, or approximately $638,000 at current prices. The exploit has the bZx team fast-tracking its implementation of ChainLink’s oracle service.
In an unfortunate turn of events, bZx added flash loans just a day ago, and the trader used one to procure a 7,500 ETH loan. The trader used roughly 3,500 ETH to buy sUSD from the Synthetix depot and deposit it as collateral on bZx.
The sUSD price was then bid up through Kyber Network, which bZx stated they used as an oracle to arrive at an average. Once the sUSD price went up, the trader borrowed 6,800 ETH against sUSD on bZx, and then repaid the flash loan from bZx, as per an analyst on Twitter.
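The valuation problem described above, as an added example that is not bZx code: a lender that prices collateral from a single spot market raises its borrow limit when that market moves, while a deviation check against an independent reference feed refuses the loan. The constant-product pool model, all numbers, and the names `SpotPool`, `naive_borrow_limit` and `guarded_borrow_limit` are assumptions made for illustration.

```python
# Added example (not bZx code): constructed numbers, hypothetical names.
from dataclasses import dataclass


@dataclass
class SpotPool:
    """Thin constant-product ETH/sUSD market (x * y = k), a simplifying assumption."""
    eth: float
    susd: float

    def eth_per_susd(self) -> float:
        return self.eth / self.susd

    def buy_susd(self, eth_in: float) -> float:
        """Swap ETH for sUSD; returns sUSD received and moves the spot price."""
        k = self.eth * self.susd
        self.eth += eth_in
        received = self.susd - k / self.eth
        self.susd -= received
        return received


def naive_borrow_limit(collateral_susd: float, spot: float, ltv: float = 0.75) -> float:
    """Values collateral at whatever the spot market says right now."""
    return collateral_susd * spot * ltv


def guarded_borrow_limit(collateral_susd: float, spot: float, reference: float,
                         ltv: float = 0.75, max_deviation: float = 0.05) -> float:
    """Refuses to lend when spot strays from an independent reference feed."""
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"oracle deviation {deviation:.0%} exceeds {max_deviation:.0%}")
    # Value at the lower of the two prices so small drift never inflates the limit.
    return collateral_susd * min(spot, reference) * ltv


def demo() -> dict:
    pool = SpotPool(eth=1_000.0, susd=250_000.0)   # constructed liquidity
    reference = 0.004                               # constructed reference, ETH per sUSD
    collateral = 1_000_000.0                        # constructed sUSD collateral
    before = naive_borrow_limit(collateral, pool.eth_per_susd())
    pool.buy_susd(500.0)                            # one large buy in a thin market
    after = naive_borrow_limit(collateral, pool.eth_per_susd())
    try:
        guarded = guarded_borrow_limit(collateral, pool.eth_per_susd(), reference)
    except ValueError as exc:
        guarded = str(exc)
    return {"naive_before": before, "naive_after": after, "guarded": guarded}
```

In this constructed run the spot-only limit more than doubles for the same collateral, while the guarded version rejects the borrow because spot has moved far from the reference.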
Insurance Details and Flash Loans
Nexus Mutual turned down the first loss claims from the first bZx exploit as the bZx team stated there was no loss of funds. There was also a lack of solid information for Nexus’ claims assessment team.
This particular attack may have different implications, but those familiar with the situation speculate that the loss would be borne by bZx and not lenders on the platform.
Since this is currently believed to be oracle manipulation, it is unlikely that any loss will be covered by Nexus Mutual.
The exploit has opened up discussion regarding the danger posed by flash loans. Initially, the main problem seen by a majority of analysts was dYdX’s allowance of feeless flash loans.
Haseeb Qureshi, a partner at Dragonfly Capital, believes flash loans are a perfect source of capital for attackers, as only the upside from the attack is tainted, and the rest of the capital is given back to the protocol that issued the flash loan. The amount of money tainted from the process is minimal.
One thing is certain: this entire ordeal has resulted in free marketing for ChainLink and smart contract auditors.