A price feed used by the Ethereum-based bZx lending project was exploited, allowing bad actors to gain $630,000 worth of ether (ETH) cryptocurrency.
The attack, the second in less than a week, started just after 03:00 UTC Tuesday, when attackers apparently took out a flash loan of 7,500 ETH (approximately US$1.98 million) and used 3,518 ETH (~$939,300) to buy the synthetic USD stablecoin sUSD from its issuer, which they then posted as collateral for a bZx loan, according to a tweet from an analyst.
They then used 900 ETH (~$240,000) to bid up the value of sUSD via an integrated price feed from Kyber Network’s liquidity provider until the dollar stablecoin spiked to $2. Using this inflated collateral value as leverage, they took out another loan of 6,796 ETH (approximately $1.8 million), which was used to repay the initial 7,500 ETH loan, pocketing the remaining 2,378 ETH.
Notably, the entire assault took just over a minute from start to finish. The exploiters have left an open loan with half the collateral needed now that sUSD is back at its dollar peg.
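The reported ETH flow and collateral figures can be replayed to show why a lender that trusts a single spot feed approves the second loan, and how a deviation check against an independent reference price would refuse it. This is an added example, not code from bZx or from the original article; the function names, the 5% tolerance, the 1.0 minimum coverage and the assumption that the sUSD was bought at its $1 peg are all assumptions.

```python
from decimal import Decimal as D

# Figures as reported in the article.
FLASH_LOAN_ETH = D(7500)       # borrowed and repaid within the same attack
SUSD_PURCHASE_ETH = D(3518)    # spent buying sUSD (~$939,300)
SUSD_PURCHASE_USD = D(939300)
PRICE_PUSH_ETH = D(900)        # spent bidding up the sUSD price seen by the feed
BZX_LOAN_ETH = D(6796)         # borrowed against the sUSD (~$1.8 million)
BZX_LOAN_USD = D(1800000)

# Assumptions for illustration, not from the article or from bZx.
SUSD_UNITS = SUSD_PURCHASE_USD  # assumes the sUSD was bought at its $1 peg
MAX_DEVIATION = D("0.05")       # hypothetical tolerance between feed and reference
MIN_COVERAGE = D(1)             # hypothetical minimum collateral/loan ratio


def attacker_eth_left():
    """Replay the reported ETH flow; the remainder is what was pocketed."""
    return (FLASH_LOAN_ETH - SUSD_PURCHASE_ETH - PRICE_PUSH_ETH
            + BZX_LOAN_ETH - FLASH_LOAN_ETH)


def coverage(susd_price):
    """USD value of the posted sUSD divided by the USD value of the loan."""
    return SUSD_UNITS * D(str(susd_price)) / BZX_LOAN_USD


def feed_is_sane(feed_price, reference_price):
    """True when the feed is within MAX_DEVIATION of an independent reference."""
    feed, ref = D(str(feed_price)), D(str(reference_price))
    return abs(feed - ref) / ref <= MAX_DEVIATION


def review_borrow(feed_price, reference_price, guard=True):
    """Decide on the 6,796 ETH loan; guard=False models trusting the feed alone."""
    if guard and not feed_is_sane(feed_price, reference_price):
        return "reject: feed deviates from reference"
    if coverage(feed_price) < MIN_COVERAGE:
        return "reject: under-collateralised"
    return "approve"


if __name__ == "__main__":
    print("ETH left after repaying the flash loan:", attacker_eth_left())
    print("coverage at $2 feed:", round(coverage(2), 3))
    print("coverage at $1 peg: ", round(coverage(1), 3))
    print("feed only:   ", review_borrow(2, 1, guard=False))
    print("with guard:  ", review_borrow(2, 1))
```

At the $1 peg the same collateral covers only about 52% of the loan, which matches the article's remark that the open loan holds half the collateral needed.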
According to statistics site DeFi Pulse, the total amount of ether locked in bZx lending contracts has fallen by almost half, from 40,000 ETH (~$10.7 million) to 23,000 ETH (~$6.1 million), since the exploit took place.
The official bZx Twitter account reported that the project had stopped trading after it found “suspicious transactions using flash loans and trading on Synthetix.” A bZx spokesperson indicated on the group’s Telegram channel that the company itself, rather than any of the site’s users, would cover the shortfall.
What are flash loans?
Flash loans are instruments that allow traders to wind up loans on behalf of the lender. The trader takes out a loan from the lender, this time without posting any collateral, then pays back the creditor's debt and recovers the deposit. They then repay the original loan using the deposit and pocket the remaining funds.