bZx, the DeFi platform exploited over the weekend to the tune of 1,193 ETH, has had to “hit the pause button” after a second event within a week that has allegedly seen at least 2,378 ETH stolen. The action came just three hours after the company published a report on the first hack, and it further illustrates how ill-equipped the DeFi space is at present to make inroads into challenging the established system.
We have hit the pause button on the protocol again in light of suspicious transactions using flash loans and trading on Synthetix.
— bZx (@bzxHQ) February 18, 2020
Attackers Game the System
The report into the first hack was posted yesterday evening and detailed how the ‘hacker’ took out a 10,000 ETH ‘flash loan’ which he then sent through a complicated array of transactions including Compound, Fulcrum, and Kyber Uniswap, with the result that the entire loan was paid back with the attacker profiting to the tune of 1,193 ETH, worth $300,000 at the time.
bZx were at pains to point out that no user funds had been lost or could be lost, but any sense of relief was eradicated three hours later, when a similar pattern of activity was spotted in another suspicious transaction and the platform was forced to halt operations once more.
Lower Loan, Reduced Complication, Increased Profit for Hacker
A report on this second theft came via Ethereum blogger Mudit Gupta who found the suspicious transaction in question and performed some perfunctory analysis. Gupta found that the attacker obtained a 7,500 ETH loan which he converted to Synthetix sUSD and routed through Kyber again, once more gaming the bZx system to leave him with at least 2,378 ETH and potentially as much as 2,716 ETH, which is the amount that bZx lost.
The fact that the attacker was able to gain more from a lower-value loan with fewer steps should be of most concern to bZx, as it shows the hackers are getting smarter.
DeFi’s Future in the Balance?
Despite bZx claiming that user funds are safe, they won’t be safe much longer if the platform itself runs out of funds because people are working out ways to game the system. As Gupta says, bZx should stop what it is doing now and conduct a chain audit before working out if the platform is really viable in its current state.
If DeFi is to have any chance of succeeding, such attacks must be impossible, or at least so hard to perform that they are not worth the effort. At the moment, the hackers clearly have the upper hand, and they could end up killing DeFi before it has got started.