DeFi Lending Protocol bZx Loses Another $645,000
Feb. 18, 2020

The developers of the DeFi platform bZx have reported a second attack, in which 2,388 ETH (about $645,000) was lost. bZx co-founder Kyle Kistner said:

"This attack appears to be an oracle manipulation attack."

bZx has published an analysis of the first attack, in which the hacker or hackers reportedly stole 1,193 ETH (about $298,000).

The previous attack appears to have been carried out using a flash loan of 10,000 ETH from dYdX. Of this, 5,500 ETH was sent to Compound to collateralize a loan of 112 WBTC, and 1,300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETHBTC ratio. 5,637 ETH was exchanged for 51 WBTC through Uniswap's exchange reserves; as a result, the order execution price deviated greatly from the market. Later, the 112 WBTC from Compound was exchanged for 6,871 ETH through Uniswap.

The attacker only had to pay $8.71 in fees.

In the second attack, the hacker received a flash loan of 7,500 ETH, bought 3,518 ETH worth of sUSD at close to $1, and subsequently deposited it with bZx as collateral. He then used 900 ETH to buy sUSD on the Kyber and Uniswap markets, which allowed him to artificially inflate the price. At the same time, the amount of collateral provided at bZx also increased, allowing him to borrow 6,796 ETH. After repaying the debt, he was left with a net 2,388 ETH.
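
Both attacks depended on a lending platform accepting a price that one large trade could move. The example below is added here and is not bZx code; the pool reserves, amounts, and the time-weighted-average (TWAP) deviation check are assumptions for illustration. It shows how valuing collateral at a pool's spot price overstates it after a large trade, and how comparing spot against a TWAP rejects that valuation.

```python
# Added example: all reserves and amounts are constructed, not attack figures.
class Pool:
    """Constant-product (x * y = k) pool holding ETH and a collateral token."""
    def __init__(self, eth, token):
        self.eth, self.token = eth, token
    def spot_price(self):
        """ETH per token, read straight from current reserves."""
        return self.eth / self.token
    def buy_token(self, eth_in):
        """Swap ETH for tokens along x * y = k (fees ignored)."""
        k = self.eth * self.token
        self.eth += eth_in
        self.token = k / self.eth

class TwapOracle:
    """Time-weighted average price from a cumulative price-seconds counter."""
    def __init__(self, pool, now):
        self.pool, self.start, self.last, self.cumulative = pool, now, now, 0.0

    def update(self, now):
        """Accrue the current price over elapsed time; call before each trade."""
        self.cumulative += self.pool.spot_price() * (now - self.last)
        self.last = now

    def twap(self, now):
        self.update(now)
        return self.cumulative / (now - self.start)

def guarded_value(tokens, pool, oracle, now, max_dev=0.10):
    """Value collateral at the TWAP; refuse if spot has drifted too far from it."""
    spot, ref = pool.spot_price(), oracle.twap(now)
    if abs(spot - ref) / ref > max_dev:
        raise ValueError(f"spot {spot:.4f} deviates from TWAP {ref:.4f}")
    return tokens * ref

def demo(trade_eth):
    pool = Pool(eth=1_000.0, token=250_000.0)   # constructed reserves
    oracle = TwapOracle(pool, now=0)
    oracle.update(1_800)                        # 30 min of undisturbed price
    if trade_eth:
        pool.buy_token(trade_eth)               # large buy, same timestamp
    naive = 100_000.0 * pool.spot_price()       # spot-priced collateral value
    try:
        guarded = guarded_value(100_000.0, pool, oracle, now=1_800)
    except ValueError:
        guarded = None                          # valuation refused
    return naive, guarded
if __name__ == "__main__":
    print(demo(0), demo(1_000.0))
```

With no trade, both valuations agree at about 400 ETH; after the large buy, the spot-priced value quadruples while the guarded valuation is refused because the TWAP has not moved within the same timestamp.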

