Yesterday the bZx protocol, on which Fulcrum's services are based, was hacked for the second time in a week.
While the previous attack led to a profit of about $350,000 for the attacker, with a capital loss of about $620,000 for the platform, this time the loss would be about $645,000, equivalent to 2,388 ETH.
bZx has again suspended the activities of its platform.
This time the attack would appear to have been carried out by manipulating the oracle, as stated by bZx co-founder Kyle Kistner on the company’s official Telegram channel.
According to initial analysis, the suspicious transaction used flash loans and trading on Synthetix, also involving sUSD, though it did not have any impact on the Synthetix system.
The attacker opened a flash loan of 7,500 ETH, using 3,518 ETH to buy sUSD at $1, which was later deposited in bZx as collateral.
Another 900 ETH were used to buy sUSD on the market through Kyber and Uniswap, in order to manipulate the price by raising it to more than $2.
In this way, the attacker was able to take out a larger loan than should have been possible, because the collateral seemed to be worth more than it actually was. With this collateral, the attacker then borrowed another 6,796 ETH on bZx, which was used to repay the original flash loan.
In doing so, the hacker eventually pocketed a profit of 2,388 ETH, while the bZx pool lost about $1.8 million in ETH and the sUSD pool gained $1.1 million in ETH.
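The collateral valuation described above, worked through with the article's figures as an added example (not bZx code): it shows that the 6,796 ETH loan is only covered at the inflated sUSD price, and how a deviation check against a slower reference price refuses that price. The 10% threshold, the $2 stand-in for "more than $2", and all function names are assumptions made for illustration.

```python
from decimal import Decimal as D

# Figures from the article.
ETH_SPENT_ON_SUSD = D("3518")   # ETH used to buy the sUSD collateral at $1
PURCHASE_PRICE = D("1")         # USD per sUSD when the collateral was bought
MANIPULATED_PRICE = D("2")      # stand-in for the "more than $2" oracle price
LOAN_ETH = D("6796")            # ETH borrowed against that collateral

# Assumption for illustration, not a bZx parameter.
MAX_DEVIATION = D("0.10")       # tolerated gap between spot and reference


class PriceRejected(Exception):
    """The spot price strays too far from the reference price."""


def guarded_price(spot, reference, max_dev=MAX_DEVIATION):
    """Return spot only if it is within max_dev of a slower reference
    price (for example a time-weighted average); otherwise refuse it."""
    if abs(spot - reference) / reference > max_dev:
        raise PriceRejected(f"spot {spot} vs reference {reference}")
    return spot


def collateral_value_eth(oracle_price):
    """Value of the sUSD collateral in ETH at the given oracle price.
    The ETH/USD rate cancels out inside a single transaction, because
    the sUSD was bought with ETH at PURCHASE_PRICE."""
    return ETH_SPENT_ON_SUSD * oracle_price / PURCHASE_PRICE


def loan_allowed(oracle_price, reference=None):
    """True if LOAN_ETH is covered by the collateral (no safety margin).
    When a reference price is supplied, the spot price must pass the
    deviation guard before it is used at all."""
    if reference is not None:
        try:
            oracle_price = guarded_price(oracle_price, reference)
        except PriceRejected:
            return False
    return collateral_value_eth(oracle_price) >= LOAN_ETH


if __name__ == "__main__":
    print("honest price  :", loan_allowed(PURCHASE_PRICE))
    print("spot oracle   :", loan_allowed(MANIPULATED_PRICE))
    print("guarded oracle:", loan_allowed(MANIPULATED_PRICE, PURCHASE_PRICE))
```
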
According to Compound founder Robert Leshner, the bZx team has shown that it is unable to protect user funds and should therefore immediately stop operations until the platform is fully secured.
“Security is the ultimate priority for a financial product”.