Someone has duped bZx once again, the second time in one week, and this time the hacker got away with a lot more: at least 2378 ETH, roughly 635k USD at current prices. The attack closely resembles the last one and was executed in a single transaction on February 18, 2020. It's too early for a full analysis, but I've looked at the transaction and can give a quick one.
How it was executed
- The hacker took out a flash loan of 7500 ETH, which must be repaid by the end of the same transaction.
- The hacker converted 3518 ETH to sUSD through Synthetix's depot. Since sUSD is a stablecoin, the official depot sold it at approximately 1 USD per token.
- The hacker placed buy orders worth 900 ETH for sUSD on Kyber. Kyber prices a token from the supply and demand in its reserves, so a buy of that size pushed the sUSD price on Kyber above 2 USD per token. Nobody with common sense would buy sUSD at that inflated rate, but "smart" contracts lack common sense.
- The hacker deposited their 1099841 sUSD into bZx as collateral to borrow ETH.
- bZx checked the sUSD price on Kyber and decided the collateral justified lending 6796 ETH. At the depot's rate, however, 1099841 sUSD is worth only ~4080 ETH. The inflated Kyber price duped the bZx smart contract, and this single loan cost it 6796 – 4080 = 2716 ETH.
- The hacker repaid the flash loan from step 1 and was still left with 2378 ETH of profit (7500 – 3518 – 900 + 6796 – 7500).
- So the hacker gained a guaranteed 2378 ETH while bZx lost 2716 ETH, which means someone else earned the remaining 338 ETH: the counterparties who filled the hacker's 900 ETH sUSD order on Kyber. If the hacker filled their own orders, they may have made up to 2716 ETH.
In short, the hacker made at least 2378 ETH from this single transaction and possibly as much as 2716 ETH; bZx lost 2716 ETH.
You may have noticed that the hacker borrowed 7500 ETH but used only 4418 of it. That is because Synthetix's depot had no more sUSD to sell; with more depot liquidity the "hacked amount" would have been even larger. As in the last attack, the hacker's own funds were never at risk: had the sequence not worked out by the end of the transaction, the hacker could simply have reverted it and lost nothing but the gas fee.
bZx needs to stop trusting the prices returned by Kyber immediately. Relying on a single on-chain price oracle, one that can be moved and then read back within the same transaction, is a vulnerability in the smart contract and should be fixed ASAP. This is the second hack against them in a single week. In my opinion, they should immediately cease all operations and get a fresh audit before resuming.
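To make the accounting in the steps above concrete, here is an added simulation of the attack and of the oracle check this paragraph calls for. It is my own illustrative code, not bZx, Kyber or Synthetix code. It makes several assumptions that are not in the post: the Kyber-side sUSD market is modelled as a constant-product pool with reserves of 1800 ETH and 480,600 sUSD, ETH trades at 267 USD, the depot sells sUSD at exactly 1 USD, and the lender lends at 75% loan-to-value. With those inputs the figures land near, but not equal to, the real transaction's. The same sequence is replayed twice: against a lender that trusts the spot price it reads from the pool, and against one that rejects a spot price that deviates from an independent reference.

```python
"""Model of a single-transaction price-oracle manipulation against a lender.

Added example; not bZx, Kyber or Synthetix code. Assumed, not from the post:
pool reserves 1800 ETH / 480,600 sUSD, ETH at 267 USD, depot at 1 USD per
sUSD, lender LTV of 75%. Exact fractions are used so the accounting is exact.
"""
from dataclasses import dataclass
from fractions import Fraction

ETH_USD = Fraction(267)        # assumed ETH price in USD
FAIR_SUSD_ETH = 1 / ETH_USD    # 1 sUSD = 1 USD at the depot, expressed in ETH


@dataclass
class ConstantProductPool:
    """x*y=k pool quoting sUSD in ETH; stands in for the thin Kyber reserve."""
    eth: Fraction
    susd: Fraction

    def spot_susd_in_eth(self) -> Fraction:
        return self.eth / self.susd

    def buy_susd(self, eth_in: Fraction) -> Fraction:
        """Swap eth_in for sUSD; returns the sUSD received and moves the price."""
        k = self.eth * self.susd
        new_eth = self.eth + eth_in
        new_susd = k / new_eth
        susd_out = self.susd - new_susd
        self.eth, self.susd = new_eth, new_susd
        return susd_out


class OracleDeviation(Exception):
    """Raised when the on-chain spot price disagrees with the reference."""


def naive_oracle(pool: ConstantProductPool) -> Fraction:
    """What the post describes: trust the single DEX spot price as-is."""
    return pool.spot_susd_in_eth()


def guarded_oracle(pool: ConstantProductPool,
                   reference: Fraction = FAIR_SUSD_ETH,
                   max_deviation: Fraction = Fraction(5, 100)) -> Fraction:
    """Reject a spot price more than max_deviation away from a second,
    independent source (here the depot's fixed 1 USD rate). A real deployment
    would use a time-weighted average or several feeds; the shape is the same."""
    spot = pool.spot_susd_in_eth()
    if abs(spot - reference) / reference > max_deviation:
        raise OracleDeviation(f"spot {float(spot):.6f} ETH vs reference "
                              f"{float(reference):.6f} ETH per sUSD")
    return spot


def run_attack(oracle, flash_loan=Fraction(7500), depot_eth=Fraction(3518),
               pump_eth=Fraction(900), ltv=Fraction(3, 4)) -> dict:
    """Replay the post's steps as one 'transaction' against a fresh pool."""
    pool = ConstantProductPool(Fraction(1800), Fraction(480_600))
    spent = Fraction(0)
    # Step 1: flash loan. Step 2: buy sUSD at the depot at the fair rate.
    collateral = depot_eth * ETH_USD
    spent += depot_eth
    # Step 3: push the DEX price up by buying sUSD from the thin pool.
    collateral += pool.buy_susd(pump_eth)
    spent += pump_eth
    pumped_price_usd = pool.spot_susd_in_eth() * ETH_USD
    # Steps 4-5: the lender values the collateral with its oracle and lends ETH.
    try:
        loan = collateral * oracle(pool) * ltv
    except OracleDeviation:
        # A guarded lender refuses; the attacker reverts and loses only gas.
        return {"reverted": True, "pumped_price_usd": pumped_price_usd,
                "collateral_susd": collateral, "loan_eth": Fraction(0),
                "attacker_profit_eth": Fraction(0), "lender_loss_eth": Fraction(0)}
    # Step 6: repay the flash loan; whatever remains is profit.
    profit = flash_loan - spent + loan - flash_loan
    fair_value = collateral * FAIR_SUSD_ETH   # what the lender is really holding
    return {"reverted": False, "pumped_price_usd": pumped_price_usd,
            "collateral_susd": collateral, "loan_eth": loan,
            "attacker_profit_eth": profit, "lender_loss_eth": loan - fair_value}


if __name__ == "__main__":
    for name, oracle in (("naive", naive_oracle), ("guarded", guarded_oracle)):
        r = run_attack(oracle)
        print(name, {k: (float(v) if isinstance(v, Fraction) else v)
                     for k, v in r.items()})
```

Against the naive lender the 900 ETH buy lifts the pool's sUSD price to 2.25 USD, the lender pays out about 6949 ETH against collateral that is really worth 4118 ETH, the attacker nets about 2531 ETH, and the pool's liquidity providers keep the 300 ETH difference; that is the same three-way split as the 2378, 2716 and 338 ETH in the real transaction. The guarded lender sees a 125% deviation from the depot rate, refuses the loan, and the whole transaction reverts at a cost of gas only.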