Former Google engineer Korantin Auguste published a post on his blog explaining the attack on Fulcrum.
However, the post, titled “The bZx attack explained”, has now been removed, although its content is still known.
Auguste explained in detail how the bZx DeFi platform, on which Fulcrum services are based, was attacked. The attacker borrowed 10,000 ETH from dYdX, a non-custodial exchange for margin trading, then sent 5,000 of them to the DeFi lending platform Compound and borrowed 112 WBTC (Wrapped Bitcoin) to perform the attack.
He then sent 1,300 ETH to bZx to open a 5x leveraged short position on WBTC. According to Auguste, this call opened a position on Fulcrum with 1,300 ETH, shorting ETH against WBTC with 5x leverage.
The bZx platform then internally converted 5,637 ETH to 51 WBTC through a Kyber order routed to Uniswap. The attacker converted the 112 WBTC to 6,871 ETH on Uniswap and then sent the initial 10,000 ETH back to dYdX.
Auguste states that the attacker exploited a bug in bZx that allowed him to trade a huge amount on Uniswap at a price inflated by a factor of 3, and then managed to sell 112 WBTC for 6,871 ETH because “the Uniswap supply is all distorted”.
The transaction ended with a Compound position holding 5,500 ETH as collateral and only 112 WBTC borrowed, which is about $350,000 of capital in Compound.
According to this analysis, the cause was a logic bug in the bZx code, leading to a loss for the platform of about $620,000 and a profit of about $350,000 for the attacker. It would therefore not be an oracle bug, but a vulnerability in the bZx protocol.
In any case, bZx has stated that its users will not suffer losses because they will be reimbursed.
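The following is an added illustration, not code from Auguste's post or from bZx: a constant-product pool (the pricing rule Uniswap uses) showing how a trade the size of the 5,637 ETH conversion described above fills at about three times the pre-trade price, and a price-deviation check that rejects such a fill. The pool reserves, the 5% tolerance and all function names are assumptions made for the example.

```python
# Added illustration: constant-product pool (x * y = k), trading fee ignored.
# Reserves are constructed sample values, not figures from the page.
ETH_RESERVE = 2_800.0   # constructed
WBTC_RESERVE = 76.0     # constructed
TRADE_ETH = 5_637.0     # ETH amount the page says bZx converted


def spot_price(eth_reserve, wbtc_reserve):
    """Pre-trade pool price in ETH per WBTC."""
    return eth_reserve / wbtc_reserve


def swap_eth_for_wbtc(eth_reserve, wbtc_reserve, eth_in):
    """WBTC received for eth_in while keeping eth * wbtc constant."""
    k = eth_reserve * wbtc_reserve
    return wbtc_reserve - k / (eth_reserve + eth_in)


def price_impact(eth_reserve, wbtc_reserve, eth_in):
    """Execution price divided by the pre-trade price (1.0 = no impact)."""
    wbtc_out = swap_eth_for_wbtc(eth_reserve, wbtc_reserve, eth_in)
    return (eth_in / wbtc_out) / spot_price(eth_reserve, wbtc_reserve)


def guarded_swap(eth_reserve, wbtc_reserve, eth_in, reference_price,
                 max_deviation=0.05):
    """Hypothetical guard: refuse a fill priced too far above a reference.

    reference_price should come from a source independent of the pool being
    traded; max_deviation=0.05 is an assumed tolerance.
    """
    wbtc_out = swap_eth_for_wbtc(eth_reserve, wbtc_reserve, eth_in)
    execution_price = eth_in / wbtc_out
    if execution_price > reference_price * (1 + max_deviation):
        raise ValueError(
            f"fill at {execution_price:.1f} ETH/WBTC exceeds reference "
            f"{reference_price:.1f} by more than {max_deviation:.0%}")
    return wbtc_out


if __name__ == "__main__":
    # The pre-trade pool price stands in for an independent reference here.
    ref = spot_price(ETH_RESERVE, WBTC_RESERVE)
    print(f"pre-trade price: {ref:.1f} ETH/WBTC")
    print(f"impact of {TRADE_ETH:.0f} ETH: "
          f"{price_impact(ETH_RESERVE, WBTC_RESERVE, TRADE_ETH):.2f}x")
    try:
        guarded_swap(ETH_RESERVE, WBTC_RESERVE, TRADE_ETH, ref)
    except ValueError as err:
        print("rejected:", err)
```

With these constructed reserves the large trade returns about 51 WBTC, while a 10 ETH trade against the same pool moves the price by well under 1% and passes the check.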