DESCRIPTION OF EVENTS
bZx is "[t]he most powerful open finance protocol". You can use it to "[b]uild applications that empower lenders, borrowers, and traders with the most flexible decentralized finance protocol on Ethereum." "Fulcrum is a project built by the bZx team on top of bZx itself. One feature of Fulcrum is the ability to take a loan on an iToken (read more about that here) using any* other token as collateral. In order to determine how much collateral is needed, bZx uses the Kyber Network as an on-chain decentralized oracle to check the conversion rate between the collateral token and the loan token."
"KyberNetwork [is] an on-chain protocol which allows instant exchange and conversion of digital assets (e.g. crypto tokens) and cryptocurrencies (e.g. Ether, Bitcoin, ZCash) with high liquidity. KyberNetwork [aimed to] be the first system that implements several ideal operating properties of an exchange including trustless, decentralized execution, instant trade and high liquidity." "KyberNetwork exchange rates are visible to other smart contracts. Hence, it enables the implementation of advanced financial instruments such as swap contracts. The quotes provided by KyberNetwork are secure as they reflect the real rates which are being used to trade between pairs of tokens."
"On Tuesday September 3rd, samczun, [then known as] the security researcher who found the critical bug in 0x, alerted [bZx] to an exploit leveraging [their] implementation of Kyber’s price feeds." "This was an attack vector that both ourselves and our auditors did not detect."
"The premise of the attack involved manipulating the price feed with a sandwich attack at the time of taking out the loan." The attacker can "significantly affect the apparent exchange rate between WAX and ETH simply by listing an order, which means that we can trick any project which relies on Kyber to provide an accurate FMV." We can "turn a profit of approximately 1200ETH by (1) Listing an order buying 1 WAX for 10 ETH, increasing the price from 0.00ETH/WAX to 10ETH/WAX. (2) Borrowing DAI from bZx using WAX as a collateral. (3) Cancelling all orders and converting all assets to ETH."
"[T]he exploit exists and has never been used. The exploit was immediately patched." "The bZx team blocked this attack by whitelisting tokens which can be used as collateral." "We are thankful to members of the community like samczun for strengthening the security of the ecosystem."
The original bZx platform contained a vulnerability that would have allowed an attacker to manipulate the Kyber-derived collateral price, which could have been used to steal platform assets.
The vulnerability was fixed before it was exploited.
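The mechanism the quoted steps describe, as an added toy model rather than bZx's or Kyber's code: token names, prices, sizes, the loan-to-value ratio and the liquidity-aware quote are illustrative assumptions, while the collateral whitelist mirrors the fix the write-up reports.

```python
from dataclasses import dataclass, field

# Constructed toy model of the flaw the write-up describes: a lender that values
# collateral at an exchange's current best bid, which a single thin order can set.
# Token names, prices and sizes are illustrative, not the real figures.
@dataclass
class Order:
    maker: str
    token: str            # token the maker buys with ETH
    eth_per_token: float  # bid price
    size: float           # tokens the maker will buy at that price

@dataclass
class Exchange:
    """Kyber-like on-chain exchange whose best bid doubles as a price oracle."""
    bids: list = field(default_factory=list)

    def spot_quote(self, token):
        """Naive oracle: best bid, regardless of how little size backs it."""
        return max((o.eth_per_token for o in self.bids if o.token == token), default=0.0)

    def depth_quote(self, token, amount):
        """Liquidity-aware oracle: average price obtainable for selling `amount`."""
        remaining, eth = amount, 0.0
        for o in sorted((o for o in self.bids if o.token == token), key=lambda o: -o.eth_per_token):
            fill = min(remaining, o.size)
            eth, remaining = eth + fill * o.eth_per_token, remaining - fill
            if remaining <= 0:
                return eth / amount
        return 0.0  # cannot sell the whole amount: treat the collateral as worthless

class Lender:
    """bZx-style margin lender: the collateral valuation sets the loan it grants."""
    def __init__(self, ex, whitelist=None, ltv=0.5, depth_aware=False):
        self.ex, self.whitelist, self.ltv, self.depth_aware = ex, whitelist, ltv, depth_aware

    def max_loan_eth(self, token, amount):
        # bZx's actual fix: only pre-approved tokens may serve as collateral
        if self.whitelist is not None and token not in self.whitelist:
            raise ValueError(f"{token} is not an approved collateral token")
        price = self.ex.depth_quote(token, amount) if self.depth_aware else self.ex.spot_quote(token)
        return price * amount * self.ltv

def scenario(manipulated, whitelist=None, depth_aware=False):
    """Loan granted against 1000 WAX; the honest market bids only 0.001 ETH/WAX."""
    ex = Exchange([Order("marketmaker", "WAX", 0.001, 1_000_000)])
    if manipulated:  # a single 1-token bid at 10 ETH moves the naive spot quote 10000x
        ex.bids.append(Order("attacker", "WAX", 10.0, 1))
    return Lender(ex, whitelist, depth_aware=depth_aware).max_loan_eth("WAX", 1000)
```

Without a whitelist the lone 10 ETH bid raises the grantable loan from 0.5 ETH to 5000 ETH, and even the liquidity-aware quote still lands near 5.5 ETH, so a better quote alone reduces but does not remove the manipulation; the whitelist rejects the collateral outright.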
HOW COULD THIS HAVE BEEN PREVENTED?
There were no user funds lost in this case.
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23)
Fixed Potential Vulnerability In Contract Used During Private Beta (Jun 23)
Your Funds are Safe.. On Tuesday September 3rd, samczun, the… | by bZx Team | Medium (Jun 23)
Taking undercollateralized loans for fun and for profit (Jun 23)
bZx - A Protocol For Tokenized Margin Trading and Lending (Jun 24)
Overview · KyberDeveloper · Powering Liquidity for the Ecosystem (Jun 24)
Kyber Network whitepaper - whitepaper.io (Jun 24)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Jun 24)