DeFi lending protocol bZx exploit leads to a $1 million loss

bZx, a DeFi lending protocol, was hit with a series of exploits.

The attacks resulted in the loss of 3,581 ETH worth nearly $1 million.

Julien Bouteloup, founder of DeFi investment firm Stake Capital, explained that a smart trader under the pseudonym dYdX took a 10,000 ETH flash loan to borrow 112 wrapped BTC from Compound.

Following the exploit, bZx issued a statement claiming that users funds were not affected.

"We have made the following upgrades using the administrator key to prevent this attack from occurring again. First, we addressed the condition that prevented the check from firing in the first place by requiring the check to take place even in the case of overcollateralized loans. Second, the ETHBTC margin tokens were delisted from the oracle token registry. Third, we implemented maximum trade sizes to limit the possible scope of any attack."

The different upgrades were targeting multiple vulnerabilities on the DeFi lending protocol.

He was able to walk away with 2,388 ETH. Larry Cermak, director of research at The Block, said that the attacker took out a flash loan of 7,500 ETH to buy sUSD at a price close to $1 and deposited the funds on bZx to use as collateral.

The individual used 900 ETH to market buy sUSD on Kyber and Uniswap pushing the price to over $2. Once sUSD went up, the trader borrowed nearly 6,800 ETH against sUSD on bZx and repaid the flash loan.

bZx maintains that the second exploit is the result of an "Oracle manipulation attack".

These series of unfortunate events have opened up discussion in the crypto community regarding the high levels of centralization in DeFi applications and the danger of flash loans.