BZx Fulcrum Flash Loan/Oracle Manipulation: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/bzxdecentralizedlendingplatformattack.php}} thumb|BZxThis is really two separate attacks. In the first case, the hacker created a loan which had no collateral, and the company behind the smart contract (supposed to be decentralized) is taking responsibility for paying this loan over time. The second case was more serious, and involved exploiting an "oracle" or central infor...") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/bzxdecentralizedlendingplatformattack.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/bzxdecentralizedlendingplatformattack.php}} | ||
{{Unattributed Sources}} | |||
[[File:Bzxfulcrum.jpg|thumb| | [[File:Bzxfulcrum.jpg|thumb|bZx]]This is really two separate attacks. In the first case, the hacker created a loan which had no collateral, and the company behind the smart contract (supposed to be decentralized) is taking responsibility for paying this loan over time. The second case was more serious, and involved exploiting an "oracle" or central information source inside the decentralized smart contract to drain further ether. Thankfully in this case it seems that the decentralized platform was managed by an honest team and large effort is underway to patch these exploits, however it does highlight that there are still exploits to be found in smart contracts. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="cryptopotato-308" /><ref name="bzx-309" /><ref name="coindesk-310" /><ref name="coindesk-311" /><ref name="coindesk-312" /><ref name="ciphertrace-1152" /><ref name="slowmisthacked-678" /><ref name="cryptobriefing-825" /><ref name="openzeppelinforum-1155" /><ref name="peckshieldmedium-2009" /><ref name="peckshieldmedium-2010" /><ref name="peckshieldblogarchive-2011" /><ref name="etherscan-2012" /><ref name="nexusmutualmedium-2013" /><ref name="fulcrum-2014" /><ref name="mattdfgithub-2015" /><ref name="bzxnetworkmedium-2016" /><ref name="defirate-2017" /><ref name="decrypt-2018" /><ref name="cryptosec-5385" /><ref name="thedefiant-5437" /> | ||
== About BZx == | == About BZx == | ||
| Line 47: | Line 48: | ||
Don't Include: | Don't Include: | ||
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | * Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | ||
* Anything that wasn't reasonably knowable at the time of the event. | * Anything that wasn't reasonably knowable at the time of the event. | ||
| Line 68: | Line 68: | ||
!Description | !Description | ||
|- | |- | ||
|February 14th, 2020 | |February 14th, 2020 | ||
| | |Main Event | ||
| | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
|- | |- | ||
| | | | ||
| Line 80: | Line 76: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost | The total amount lost has been estimated at $918,000 USD. | ||
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | ||
| Line 93: | Line 92: | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
The total amount recovered has been estimated at $31,000 USD. | |||
What funds were recovered? What funds were reimbursed for those affected users? | What funds were recovered? What funds were reimbursed for those affected users? | ||
| Line 99: | Line 98: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
Smart contract auditing is helpful to reduce issues, however it is not a silver bullet. Contracts which have been tested over a longer time period are less likely to contain exploits. However, decentralized trading carries risks, and recovery is never guaranteed. | |||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Prevention Policies == | == Regulatory Prevention Policies == | ||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
[https://cryptopotato.com/almost-1-million-of-eth-compromised-following-two-attacks-on-defi-protocol-bzx/ Almost $1 Million Of ETH Compromised Following Two Attacks On DeFi Protocol bZx] (Jun 21) | <references><ref name="cryptopotato-308">[https://cryptopotato.com/almost-1-million-of-eth-compromised-following-two-attacks-on-defi-protocol-bzx/ Almost $1 Million Of ETH Compromised Following Two Attacks On DeFi Protocol bZx] (Jun 21, 2020)</ref> | ||
[https://bzx.network/blog/postmortem-ethdenver Post-Mortem] (Jun 21) | <ref name="bzx-309">[https://bzx.network/blog/postmortem-ethdenver Post-Mortem] (Jun 21, 2020)</ref> | ||
[https://www.coindesk.com/yields-of-25-to-42-lure-lenders-back-to-defi-platform-bzx Yields of 25% to 42% Lure Lenders Back to DeFi Platform bZx - CoinDesk] (Jun 21) | <ref name="coindesk-310">[https://www.coindesk.com/yields-of-25-to-42-lure-lenders-back-to-defi-platform-bzx Yields of 25% to 42% Lure Lenders Back to DeFi Platform bZx - CoinDesk] (Jun 21, 2020)</ref> | ||
[https://www.coindesk.com/defi-insurance-firm-nexus-mutual-makes-its-first-payout-following-bzx-attacks DeFi Insurance Firm Nexus Mutual Makes Its First Payout Following bZx Attacks - CoinDesk] (Jun 21) | <ref name="coindesk-311">[https://www.coindesk.com/defi-insurance-firm-nexus-mutual-makes-its-first-payout-following-bzx-attacks DeFi Insurance Firm Nexus Mutual Makes Its First Payout Following bZx Attacks - CoinDesk] (Jun 21, 2020)</ref> | ||
[https://www.coindesk.com/chainlinks-sergey-nazarov-on-what-defi-can-learn-from-early-exchange-hacks Chainlink's Sergey Nazarov on What DeFi Can Learn From Early Exchange Hacks] (Jun 21) | <ref name="coindesk-312">[https://www.coindesk.com/chainlinks-sergey-nazarov-on-what-defi-can-learn-from-early-exchange-hacks Chainlink's Sergey Nazarov on What DeFi Can Learn From Early Exchange Hacks] (Jun 21, 2020)</ref> | ||
[https://ciphertrace.com/wp-content/uploads/2021/01/CipherTrace-Cryptocurrency-Crime-and-Anti-Money-Laundering-Report-012821.pdf CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020] (Jun | <ref name="ciphertrace-1152">[https://ciphertrace.com/wp-content/uploads/2021/01/CipherTrace-Cryptocurrency-Crime-and-Anti-Money-Laundering-Report-012821.pdf CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020] (Jun 20, 2021)</ref> | ||
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May | <ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 18, 2021)</ref> | ||
[https://cryptobriefing.com/50-million-lost-the-top-19-defi-cryptocurrency-hacks-2020/ Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing] (May | <ref name="cryptobriefing-825">[https://cryptobriefing.com/50-million-lost-the-top-19-defi-cryptocurrency-hacks-2020/ Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing] (May 22, 2021)</ref> | ||
[https://forum.openzeppelin.com/t/list-of-ethereum-smart-contracts-post-mortems/1191 List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community] (Jun | <ref name="openzeppelinforum-1155">[https://forum.openzeppelin.com/t/list-of-ethereum-smart-contracts-post-mortems/1191 List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community] (Jun 23, 2021)</ref> | ||
[https://medium.com/@peckshield/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc bZx Hack Full Disclosure (With Detailed Profit Analysis) | by PeckShield | Medium] (Jun | <ref name="peckshieldmedium-2009">[https://medium.com/@peckshield/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc bZx Hack Full Disclosure (With Detailed Profit Analysis) | by PeckShield | Medium] (Jun 23, 2021)</ref> | ||
[https://peckshield.medium.com/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc Bzx Hack Full Disclosure With Detailed Profit Analysis] (Jun | <ref name="peckshieldmedium-2010">[https://peckshield.medium.com/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc Bzx Hack Full Disclosure With Detailed Profit Analysis] (Jun 26, 2021)</ref> | ||
[https://web.archive.org/web/20210728034927/https://blog.peckshield.com/2020/02/15/bZx/ PeckShield Inc. - bZx Hack Analysis Exposes Challenging DeFi-Inherent Composable Liquidity Risks] (Jun | <ref name="peckshieldblogarchive-2011">[https://web.archive.org/web/20210728034927/https://blog.peckshield.com/2020/02/15/bZx/ PeckShield Inc. - bZx Hack Analysis Exposes Challenging DeFi-Inherent Composable Liquidity Risks] (Jun 26, 2021)</ref> | ||
[https://etherscan.io/tx/0xb5c8bd9430b6cc87a0e2fe110ece6bf527fa4f170a4bc8cd032f768fc5219838 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Jun | <ref name="etherscan-2012">[https://etherscan.io/tx/0xb5c8bd9430b6cc87a0e2fe110ece6bf527fa4f170a4bc8cd032f768fc5219838 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Jun 26, 2021)</ref> | ||
[https://medium.com/nexus-mutual/bzx-flash-loan-event-55753d19e52b Bzx Flash Loan Event] (Jun | <ref name="nexusmutualmedium-2013">[https://medium.com/nexus-mutual/bzx-flash-loan-event-55753d19e52b Bzx Flash Loan Event] (Jun 26, 2021)</ref> | ||
[https://fulcrum.trade/ Crypto Margin Trading with Fulcrum | bZx] (Jun | <ref name="fulcrum-2014">[https://fulcrum.trade/ Crypto Margin Trading with Fulcrum | bZx] (Jun 26, 2021)</ref> | ||
[https://github.com/mattdf/audits/blob/master/bZx/bzx-audit.pdf audits/bzx-audit.pdf at master · mattdf/audits · GitHub] (Jun | <ref name="mattdfgithub-2015">[https://github.com/mattdf/audits/blob/master/bZx/bzx-audit.pdf audits/bzx-audit.pdf at master · mattdf/audits · GitHub] (Jun 26, 2021)</ref> | ||
[https://medium.com/bzxnetwork/introducing-fulcrum-tokenized-margin-made-dead-simple-e65ccc82393f Introducing Fulcrum Tokenized Margin Made Dead Simple] (Jun | <ref name="bzxnetworkmedium-2016">[https://medium.com/bzxnetwork/introducing-fulcrum-tokenized-margin-made-dead-simple-e65ccc82393f Introducing Fulcrum Tokenized Margin Made Dead Simple] (Jun 26, 2021)</ref> | ||
[https://defirate.com/bzx/ Fulcrum Trade - bZx Decentralized Lending & Margin Trading] (Jun | <ref name="defirate-2017">[https://defirate.com/bzx/ Fulcrum Trade - bZx Decentralized Lending & Margin Trading] (Jun 26, 2021)</ref> | ||
[https://decrypt.co/resources/bzx-ethereum-defi-decentralized-finance-explained-guide What is bZx? A 3-minute guide to the defi trading platform - Decrypt] (Jun | <ref name="decrypt-2018">[https://decrypt.co/resources/bzx-ethereum-defi-decentralized-finance-explained-guide What is bZx? A 3-minute guide to the defi trading platform - Decrypt] (Jun 26, 2021)</ref> | ||
[https://cryptosec.info/defi-hacks/ Comprehensive List of DeFi Hacks & Exploits - CryptoSec] (Jan 8) | <ref name="cryptosec-5385">[https://cryptosec.info/defi-hacks/ Comprehensive List of DeFi Hacks & Exploits - CryptoSec] (Jan 8, 2022)</ref> | ||
[https://newsletter.thedefiant.io/p/arbs-exploit-defi-to-make-900k-in No Title] (Jan 9) | <ref name="thedefiant-5437">[https://newsletter.thedefiant.io/p/arbs-exploit-defi-to-make-900k-in No Title] (Jan 9, 2022)</ref></references> | ||
Latest revision as of 13:29, 1 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
This is really two separate attacks. In the first case, the hacker created a loan which had no collateral, and the company behind the smart contract (supposed to be decentralized) is taking responsibility for paying this loan over time. The second case was more serious, and involved exploiting an "oracle" or central information source inside the decentralized smart contract to drain further ether. Thankfully in this case it seems that the decentralized platform was managed by an honest team and large effort is underway to patch these exploits, however it does highlight that there are still exploits to be found in smart contracts.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21]
About BZx
"bZx (formerly known at b0x) was conceived in August 2017." "bZx was founded by Tom Bean, a self-starter with years of experience working with top-profile car companies using GPS technology." "The project first started publicly marketing themselves during ETHDenver in 2018. Since then, the protocol published their formal whitepaper in February of 2018, followed by a testnet release in April and a full mainnet launch in August of the same year." "The bZx team currently lists 8 team members and 3 advisors on their official website."
"bZx is a set of smart contracts built on top of Ethereum that allows people to lend and margin trade without having to rely on third parties." "Fulcrum is a powerful DeFi platform for tokenized lending and margin trading." "Fulcrum is a decentralized margin trading platform. There is no need for any verification, KYC or AML." "It is the first and only completely trustless platform for margin; it does not use centralized price feeds or centrally administered margin calls. It is permissionless and rent free; there are no fees and no accounts. Fulcrum is built on the bZx base protocol and extends the protocol by allowing both loans and margin positions to be tokenized." "Enjoy a frictionless trading experience with positions that automatically renew and zero rollover fees."
"bZx has been heavily focused on solidifying strong industry partnerships with key players including but not limited to MakerDAO, Kyber, ChainLink, Augur and Set Protocol." "The bZx base protocol [was] audited by leading blockchain security auditor ZK Labs."
"[T]he attack was launched on Valentine’s day on February 14th during ETHDenver. At that time, bZx’s team has been out attending the event." The team "immediately returned home from the[ir] tBTC happy hour." "The series of transactions were extremely complex and did not yield to a straightforward chain analysis. We made the determination that the attack could continue, that lender funds were at risk, and that we needed to take steps to disable the attack." "bZx team announced on the bZx’s official Telegram channel, saying that there was an “exploit executed” against the bZx protocol and that the firm has paused that protocol, “except for lending and unlending.”"
"First, the attacker borrowed 10,000 ETH from dYdX – a decentralized lending protocol. He then used 5,500 ETH to collateralize a loan for 112 wBTC on Compound – another lending protocol. After that, he spent 1,300 ETH to open a 5x leveraged ETH/BTC short position on the Fulcrum trading platform of bZx, while also borrowing 5,637 ETH through Kyber’s. This amount he swapped for 51 wBTC, causing a serious slippage." "This allowed the perpetrator to profit from swapping the 112 wBTC from Compound to 6,671 ETH and generate an income of 1,193 ETH. That’s roughly around $318,000. At the end of it all, the attacker paid back the 10,000 ETH loan on the dYdX protocol that he had taken before." "The team identified a safeguard that was bypassed. There was a safety check that did not fire, caused by a logic error in flagging the loan as overcollateralized. Overcollateralized loans don’t involve swaps, which bypasses the final slippage check."
Attack procedure: "(1) A flash loan from dYdX for 10,000 ETH was opened. (2) 5500 ETH was sent to Compound to collateralize a loan of 112 wBTC. (3) 1300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETHBTC ratio. (4) 5637 ETH was borrowed and swapped to 51 WBTC through Kyber’s Uniswap reserve, causing large slippage. (5) The attacker swapped the 112 wBTC borrowed from Compound to 6871 ETH on Uniswap, resulting in a profit. (6) The flash loan of 10,000 ETH from dYdX was paid back from the proceeds."
"The total profit from this sequence of events was 1193 ETH, currently worth $298,250 @ $250/ETH."
"The bZx team has also officially confirmed [a] second attack." "[T]he attacker managed to extract a net profit from the system of around $600,000, bringing the losses up to more than $900,000 worth of ETH. However, the mechanism of the second attack was completely different than the first one." "The issue at hand had a lot to do with oracle manipulation. Oracles typically represent centralized components that provide external information to on-chain apps." "Aave CEO Stani Kulechov, said that a “flash loan was used to get capital without owning it. The attack was possible without a flash loan as well if the person would have such a big amount of cryptocurrency in possession.”"
"The total number of ethers locked in bZx dropped from roughly 27,000 to 23,000 after the first attack, while the annual interest rate spiked from 0.07 percent on Feb. 14 to 98.18 percent on Feb. 16." "With the surge in interest rates, the amount of ether held as deposits rose from 23,000 to 40,800 by Feb. 18, only to fall back to 23,000 following the second attack. The number slipped further to 17,500 at the end of February."
Some users "had insurance on assets locked up in bZx’s Fulcrum, but after a bug yielded an exploit of its smart contract, a couple of accounts that did were covered by Nexus Mutual, the London-based crypto insurance company." "As soon as the attack was found, claims were made on the Fulcrum smart contract. Mutual fund holders voted those down because at that point it looked like attackers had manipulated the oracles Fulcrum looked at, which didn’t count as a failure of the smart contract itself, in Nexus Mutual’s documentation." Only "two claims worth approximately $31,000 were paid out, according to the company."
The bZx team "acted to delist the whitelisted tokens on the oracle token registry, which was not protected by a timelock." "The team identified a safeguard that was bypassed. There was a safety check that did not fire, caused by a logic error in flagging the loan as overcollateralized. Overcollateralized loans don’t involve swaps, which bypasses the final slippage check." They "addressed the condition that prevented the check from firing in the first place by requiring the check to take place even in the case of overcollateralized loans. The ETHBTC margin tokens were delisted from the oracle token registry. [They] implemented maximum trade sizes to limit the possible scope of any attack."
"Chainlink announced it would be helping bZx upgrade its systems, taking advantage of Chainlink’s recently launched “meta oracle.”"
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| February 14th, 2020 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $918,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
The total amount recovered has been estimated at $31,000 USD.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Smart contract auditing is helpful to reduce issues, however it is not a silver bullet. Contracts which have been tested over a longer time period are less likely to contain exploits. However, decentralized trading carries risks, and recovery is never guaranteed.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Almost $1 Million Of ETH Compromised Following Two Attacks On DeFi Protocol bZx (Jun 21, 2020)
- ↑ Post-Mortem (Jun 21, 2020)
- ↑ Yields of 25% to 42% Lure Lenders Back to DeFi Platform bZx - CoinDesk (Jun 21, 2020)
- ↑ DeFi Insurance Firm Nexus Mutual Makes Its First Payout Following bZx Attacks - CoinDesk (Jun 21, 2020)
- ↑ Chainlink's Sergey Nazarov on What DeFi Can Learn From Early Exchange Hacks (Jun 21, 2020)
- ↑ CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20, 2021)
- ↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)
- ↑ Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 22, 2021)
- ↑ List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23, 2021)
- ↑ bZx Hack Full Disclosure (With Detailed Profit Analysis) | by PeckShield | Medium (Jun 23, 2021)
- ↑ Bzx Hack Full Disclosure With Detailed Profit Analysis (Jun 26, 2021)
- ↑ PeckShield Inc. - bZx Hack Analysis Exposes Challenging DeFi-Inherent Composable Liquidity Risks (Jun 26, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Jun 26, 2021)
- ↑ Bzx Flash Loan Event (Jun 26, 2021)
- ↑ Crypto Margin Trading with Fulcrum | bZx (Jun 26, 2021)
- ↑ audits/bzx-audit.pdf at master · mattdf/audits · GitHub (Jun 26, 2021)
- ↑ Introducing Fulcrum Tokenized Margin Made Dead Simple (Jun 26, 2021)
- ↑ Fulcrum Trade - bZx Decentralized Lending & Margin Trading (Jun 26, 2021)
- ↑ What is bZx? A 3-minute guide to the defi trading platform - Decrypt (Jun 26, 2021)
- ↑ Comprehensive List of DeFi Hacks & Exploits - CryptoSec (Jan 8, 2022)
- ↑ No Title (Jan 9, 2022)