BZx Fulcrum Flash Loan/Oracle Manipulation
This is really two separate attacks. In the first case, the attacker created a loan with no collateral, and the company behind the smart contract (which is supposed to be decentralized) is taking responsibility for paying off this loan over time. The second case was more serious and involved manipulating an "oracle", a central information source that the decentralized smart contract relies on, to drain further ether. Thankfully, in this case the decentralized platform appears to have been managed by an honest team, and a large effort is underway to patch these exploits; however, it does highlight that there are still exploits to be found in smart contracts.
This is a global/international case not involving a specific country.
About BZx
"bZx (formerly known as b0x) was conceived in August 2017." "bZx was founded by Tom Bean, a self-starter with years of experience working with top-profile car companies using GPS technology." "The project first started publicly marketing themselves during ETHDenver in 2018. Since then, the protocol published their formal whitepaper in February of 2018, followed by a testnet release in April and a full mainnet launch in August of the same year." "The bZx team currently lists 8 team members and 3 advisors on their official website."
"bZx is a set of smart contracts built on top of Ethereum that allows people to lend and margin trade without having to rely on third parties." "Fulcrum is a powerful DeFi platform for tokenized lending and margin trading." "Fulcrum is a decentralized margin trading platform. There is no need for any verification, KYC or AML." "It is the first and only completely trustless platform for margin; it does not use centralized price feeds or centrally administered margin calls. It is permissionless and rent free; there are no fees and no accounts. Fulcrum is built on the bZx base protocol and extends the protocol by allowing both loans and margin positions to be tokenized." "Enjoy a frictionless trading experience with positions that automatically renew and zero rollover fees."
"bZx has been heavily focused on solidifying strong industry partnerships with key players including but not limited to MakerDAO, Kyber, ChainLink, Augur and Set Protocol." "The bZx base protocol [was] audited by leading blockchain security auditor ZK Labs."
"[T]he attack was launched on Valentine’s day on February 14th during ETHDenver. At that time, bZx’s team had been out attending the event." The team "immediately returned home from the[ir] tBTC happy hour." "The series of transactions were extremely complex and did not yield to a straightforward chain analysis. We made the determination that the attack could continue, that lender funds were at risk, and that we needed to take steps to disable the attack." "bZx team announced on the bZx’s official Telegram channel, saying that there was an “exploit executed” against the bZx protocol and that the firm had paused that protocol, “except for lending and unlending.”"
"First, the attacker borrowed 10,000 ETH from dYdX – a decentralized lending protocol. He then used 5,500 ETH to collateralize a loan for 112 wBTC on Compound – another lending protocol. After that, he spent 1,300 ETH to open a 5x leveraged ETH/BTC short position on the Fulcrum trading platform of bZx, while also borrowing 5,637 ETH through Kyber’s. This amount he swapped for 51 wBTC, causing a serious slippage." "This allowed the perpetrator to profit from swapping the 112 wBTC from Compound to 6,671 ETH and generate an income of 1,193 ETH. That’s roughly around $318,000. At the end of it all, the attacker paid back the 10,000 ETH loan on the dYdX protocol that he had taken before." "The team identified a safeguard that was bypassed. There was a safety check that did not fire, caused by a logic error in flagging the loan as overcollateralized. Overcollateralized loans don’t involve swaps, which bypasses the final slippage check."
Attack procedure: "(1) A flash loan from dYdX for 10,000 ETH was opened. (2) 5500 ETH was sent to Compound to collateralize a loan of 112 wBTC. (3) 1300 ETH was sent to the Fulcrum pToken sETHBTC5x, opening a 5x short position against the ETHBTC ratio. (4) 5637 ETH was borrowed and swapped to 51 WBTC through Kyber’s Uniswap reserve, causing large slippage. (5) The attacker swapped the 112 wBTC borrowed from Compound to 6871 ETH on Uniswap, resulting in a profit. (6) The flash loan of 10,000 ETH from dYdX was paid back from the proceeds."
"The total profit from this sequence of events was 1193 ETH, currently worth $298,250 @ $250/ETH."
"The bZx team has also officially confirmed [a] second attack." "[T]he attacker managed to extract a net profit from the system of around $600,000, bringing the losses up to more than $900,000 worth of ETH. However, the mechanism of the second attack was completely different than the first one." "The issue at hand had a lot to do with oracle manipulation. Oracles typically represent centralized components that provide external information to on-chain apps." "Aave CEO Stani Kulechov, said that a “flash loan was used to get capital without owning it. The attack was possible without a flash loan as well if the person would have such a big amount of cryptocurrency in possession.”"
"The total number of ethers locked in bZx dropped from roughly 27,000 to 23,000 after the first attack, while the annual interest rate spiked from 0.07 percent on Feb. 14 to 98.18 percent on Feb. 16." "With the surge in interest rates, the amount of ether held as deposits rose from 23,000 to 40,800 by Feb. 18, only to fall back to 23,000 following the second attack. The number slipped further to 17,500 at the end of February."
Some users "had insurance on assets locked up in bZx’s Fulcrum, but after a bug yielded an exploit of its smart contract, a couple of accounts that did were covered by Nexus Mutual, the London-based crypto insurance company." "As soon as the attack was found, claims were made on the Fulcrum smart contract. Mutual fund holders voted those down because at that point it looked like attackers had manipulated the oracles Fulcrum looked at, which didn’t count as a failure of the smart contract itself, in Nexus Mutual’s documentation." Only "two claims worth approximately $31,000 were paid out, according to the company."
The bZx team "acted to delist the whitelisted tokens on the oracle token registry, which was not protected by a timelock." They "addressed the condition that prevented the check from firing in the first place by requiring the check to take place even in the case of overcollateralized loans. The ETHBTC margin tokens were delisted from the oracle token registry. [They] implemented maximum trade sizes to limit the possible scope of any attack."
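The attack procedure and the remediation quoted above describe three controls: a final slippage check on swaps, the logic error that skipped that check for loans flagged as overcollateralized, and a maximum trade size. The oracle discussion further up describes a fourth: not trusting a single on-chain price source. The following Python is an added illustration, not code from bZx, Fulcrum, Kyber, Uniswap or Compound, and every reserve, price, threshold and function name in it is a constructed assumption rather than a value from the incident. It models a toy constant-product pool, shows how much one large swap moves the pool's spot price, and runs the same swap under the buggy policy, the corrected policy and the corrected policy with a trade cap; a median over several price sources stands in for a multi-source oracle.

```python
# Added illustration (not bZx/Fulcrum/Kyber/Uniswap code): a toy x*y=k pool and a
# swap policy modelling a final slippage check, the logic error that skipped it for
# loans flagged overcollateralized, and a maximum trade size. A median over several
# price sources stands in for a multi-source oracle. All numbers are constructed.
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


class SlippageExceeded(Exception):
    pass


class TradeTooLarge(Exception):
    pass


@dataclass
class Pool:
    """Toy constant-product pool holding ETH and WBTC (no trading fee)."""
    eth: float
    wbtc: float

    def spot(self) -> float:
        """ETH per 1 WBTC implied by the current reserves."""
        return self.eth / self.wbtc

    def quote(self, eth_in: float) -> float:
        """WBTC received for eth_in under x*y=k."""
        k = self.eth * self.wbtc
        return self.wbtc - k / (self.eth + eth_in)


def slippage_bps(pool: Pool, eth_in: float) -> float:
    """How far the swap's execution price sits above pre-trade spot, in basis points."""
    exec_price = eth_in / pool.quote(eth_in)
    return (exec_price / pool.spot() - 1.0) * 10_000


@dataclass
class SwapPolicy:
    max_slippage_bps: float
    max_trade_eth: Optional[float] = None          # None = no size cap
    check_even_if_overcollateralized: bool = True  # False reproduces the bypass


def execute_swap(pool: Pool, eth_in: float, policy: SwapPolicy,
                 flagged_overcollateralized: bool) -> float:
    """Apply the policy, then settle the swap against the pool. Returns WBTC out."""
    if policy.max_trade_eth is not None and eth_in > policy.max_trade_eth:
        raise TradeTooLarge(f"{eth_in} ETH exceeds cap of {policy.max_trade_eth} ETH")
    # Modelled logic error: when the loan is flagged overcollateralized the code
    # path assumes no swap takes place and never reaches the slippage check.
    if policy.check_even_if_overcollateralized or not flagged_overcollateralized:
        s = slippage_bps(pool, eth_in)
        if s > policy.max_slippage_bps:
            raise SlippageExceeded(f"{s:.0f} bps > {policy.max_slippage_bps} bps")
    out = pool.quote(eth_in)
    pool.eth += eth_in
    pool.wbtc -= out
    return out


def robust_price(pool: Pool, independent_quotes: List[float]) -> float:
    """Median of the pool's spot price and independent feeds: a single
    manipulated source cannot move the median on its own."""
    return median([pool.spot()] + independent_quotes)


def run_scenarios(eth_in: float = 5_637.0) -> dict:
    """Run one oversized swap under three policies and report each outcome."""
    policies = {
        "check_skipped_for_overcollateralized":
            SwapPolicy(max_slippage_bps=300, check_even_if_overcollateralized=False),
        "check_always_runs":
            SwapPolicy(max_slippage_bps=300),
        "check_plus_trade_cap":
            SwapPolicy(max_slippage_bps=300, max_trade_eth=500.0),
    }
    results = {}
    for name, policy in policies.items():
        pool = Pool(eth=5_000.0, wbtc=125.0)  # constructed reserves: spot 40 ETH/WBTC
        try:
            execute_swap(pool, eth_in, policy, flagged_overcollateralized=True)
            results[name] = "executed"
        except (SlippageExceeded, TradeTooLarge) as exc:
            results[name] = type(exc).__name__
        # Price as read from this pool alone vs. a median with two unmanipulated feeds
        results[name + "_pool_spot"] = round(pool.spot(), 1)
        results[name + "_median"] = round(robust_price(pool, [40.1, 39.9]), 1)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:45s} {value}")
```

Under the buggy policy the swap settles and the pool's spot price moves from 40 to about 181 ETH per WBTC, so anything that reads that one pool as its price feed is now wrong; the median over three sources still reports about 40. Under the corrected policy the same swap is rejected by the slippage check, and with a trade cap it is rejected before the slippage math even runs.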
"Chainlink announced it would be helping bZx upgrade its systems, taking advantage of Chainlink’s recently launched “meta oracle.”"
What Happened
| Date | Event | Description |
|---|---|---|
| February 14th, 2020 | First attack | A 10,000 ETH flash loan from dYdX funded a Compound loan of 112 wBTC, a 5x ETH/BTC short position on Fulcrum, and a 5,637 ETH swap to wBTC through Kyber’s Uniswap reserve that caused large slippage. A safety check that should have caught the slippage did not fire because the loan was flagged as overcollateralized. The attacker repaid the flash loan and kept 1,193 ETH. bZx paused the protocol except for lending and unlending. |
Total Amount Lost
The total amount lost is unknown.
Total Amount Recovered
It is unknown how much was recovered.
Prevention Policies
Smart contract auditing helps reduce issues; however, it is not a silver bullet. Contracts which have been in use and tested over a longer period are less likely to contain exploits. Decentralized trading still carries risk, and recovery of funds is never guaranteed.
References
Almost $1 Million Of ETH Compromised Following Two Attacks On DeFi Protocol bZx (Jun 21)
Post-Mortem (Jun 21)
Yields of 25% to 42% Lure Lenders Back to DeFi Platform bZx - CoinDesk (Jun 21)
DeFi Insurance Firm Nexus Mutual Makes Its First Payout Following bZx Attacks - CoinDesk (Jun 21)
Chainlink's Sergey Nazarov on What DeFi Can Learn From Early Exchange Hacks (Jun 21)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 19)
SlowMist Hacked - SlowMist Zone (May 17)
Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 21)
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 22)
bZx Hack Full Disclosure (With Detailed Profit Analysis) | by PeckShield | Medium (Jun 22)
Bzx Hack Full Disclosure With Detailed Profit Analysis (Jun 25)
PeckShield Inc. - bZx Hack Analysis Exposes Challenging DeFi-Inherent Composable Liquidity Risks (Jun 25)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Jun 25)
Bzx Flash Loan Event (Jun 25)
Crypto Margin Trading with Fulcrum | bZx (Jun 25)
audits/bzx-audit.pdf at master · mattdf/audits · GitHub (Jun 25)
Introducing Fulcrum Tokenized Margin Made Dead Simple (Jun 25)
Fulcrum Trade - bZx Decentralized Lending & Margin Trading (Jun 25)
What is bZx? A 3-minute guide to the defi trading platform - Decrypt (Jun 25)
Comprehensive List of DeFi Hacks & Exploits - CryptoSec (Jan 8)