bZx Hack Analysis: Smart use of DeFi legos.

As you might have already heard, bZx (Fulcrum) has been “hacked”. The hack was executed in a single tranaction that happened on February 15, 2020.

How it went down

  1. The hacker took a flash loan of 10k ETH from dy/dx that they have to pay back at the end of the transaction.
  2. The hacker exchanged 5.5k ETH for 112 WBTC(Wrapped Bitcoin) from Compound.
  3. The hacker used the margin trading feature of bZx to short eth in favor of BTC. To do this, the hacker deposited 1.3k ETH into bZx and did a 5x short. In other words, the hacker wagered on the price of ETH dropping in terms of BTC.
  4. To serve this request, bZx swapped its 5.6k ETH for 51 WBTC from Kyberswap. Kyberswap used Uniswap to fill the order, and that pumped the price of WBTC in Uniswap. 
  5. It was the best rate possible for this large quantity. However, In reality, 51 BTC is worth only 2k ETH. Due to limited supply in the market, the price rose sharply, and bZx had to pay 5.6k ETH for 51 BTC. This is where the real loss happened. The bZx smart contract should not have paid such a high price.
  6. The bZx system assumed that when it is time to close the margin trade, if ETH price has risen, it will deduct the hacker’s deposit to recoup the loss. However, the hacker’s deposit was not enough to recoup the loss.
  7. The actual loss here is 3.6k ETH (5.6k the amount paid by bZx – 2k the amount they will get back). This means that bZx just lost 2.3k ETH (3.6k total loss – 1.3k hacker’s deposit).
  8. The bZx system expects the hacker to come back and pay the 2.3k ETH to close their margin trade. However, that’s unlikely to happen. There’s no real reason for the hacker to come back and close their margin trade.
  9. The hacker was probably selling WBTC in Uniswap as a liquidity provider. The liquidity providers earned a real profit in terms of fees for selling WBTC to bZx in exchange for ETH.
  10. The hacker then proceeded to sell the 112 WBTC that they borrowed from Compound to Uniswap. Since the price was inflated on Uniswap, the hacker got 6.8k ETH in return rather than what they paid (5.5K). Again, the liquidity providers got a cut as their fees.
  11. The hacker then paid back the flash loan they took in the first step.
  12. The hacker kept the profit they made by selling WBTC for a higher price and earning Liquidity provider fees in Uniswap.

Final thoughts

The real losers in this hack were bZx (Fulcrum). They lost about 2.3k ETH. However, all of their loss did not directly profit the hacker. The hacker got a good chunk of it, but I suppose other liquidity providers in Uniswap also had a happy day. This is why I think this was a not a “whitehat” hack, and the hacker will not come back to close their margin trade by paying the 2.3k ETH loss to bZx. The hacker did not make enough from this hack to pay back the full 2.3k ETH. The exact amount they made depends on how much fees they got from Uniswap for the trades.

The fascinating thing about this hack was that the hacker’s funds were never at risk. The hacker used the feature of “flashloans” to borrow ETH needed for this hack. If, for some reason, this hack was not to work out as intended, the hacker could have just reverted the whole transaction at the end and lose only the gas fees (~8 dollars).

stonks

It’s an exciting hack based on different DeFi legos. It involved artificial price manipulation, so it would’ve been illegal in most countries if it were done on a regulated asset. However, since code is law in the crypto world, It is up to debate if it was illegal or not.

UPDATE: bZx has been hacked once again.

Leave a Comment

Your email address will not be published. Required fields are marked *