10 Quick and Dirty Facts about the bZx Hacks

Quantstamp Announcements
February 27, 2020

10 Quick and Dirty Facts about the bZx Hacks


These facts are brought to you by Quantstamp, a leading DeFi security company. 

#1  The 1st hack used Tornado Cash to stay anonymous (source)

#2  The 2nd hack used ShapeShift to stay anonymous (source 1) (source 2) . 

#3  Both hacks were each carried out in a single atomic transaction (attack 1) (attack 2).

#4  5 money legos and over 25 contracts were used in the 1st hack (source).

The first hack interacted with 5 different protocols (Kyber, Uniswap, dYdx, bZx and Compound) and over 25 smart contracts; this highlights the massive composability of these money legos. This all took place in a single transaction.  

#5  Flash loans were used in both hacks, but they worked as intended. 

Flash loans were never exploited. Their purpose in the attacks were to provide the attackers with enough capital to produce massive slippage in low liquidity DEX markets.  

#6  The 1st attack was not an oracle attack. 

Uniswap was targeted in the 1st attack, but Uniswap was targeted because it was vulnerable to slippage, not because it was used as a price oracle. 

#7  The 2nd bZx attack was an oracle attack. 

bZx made the mistake of calculating the value of collateral within their system using DEX price oracles. The attacker took advantage of this by causing massive slippage in sUSD DEX markets in order to temporarily inflate the value of sUSD calculated within the bZx system. Once the attacker took out the loan, the position was instantly “underwater” because of the inflated value of the collateral. 

#8  Each hack left an underwater position open in bZx. 

A loan is underwater when the value of the collateral is not enough to cover the outstanding debt of the loan. The 1st bZx hack instantly left a position underwater by approximately 640,000 USD worth of cryptocurrency. The 2nd bZx hack instantly created a position that was underwater by approximately  800,000 USD. 

#9  bZx’s flash loan was used in the 2nd hack  

In the second attack, the attacker used bZx’s flash loan feature. The first attack used dYdX’s flash loan feature.

#10  These hacks may have been conducted by two different people. 

There is no evidence that these attacks were conducted by the same person. 


Get your DeFi app secured by Quantstamp
Secure Now!
March 31, 2020

Quantstamp Joins MyID Alliance

Quantstamp is proud to join the MyID Alliance, a Digital ID initiative by ICONLOOP. As the world moves towards more online and less face-to-face interactions, Digital ID will be a key enabling technology. 

March 24, 2020

Market Dynamics of the 1st bZx Hack: Flash Loans and the Insolvent Loan

In this series, we describe the market dynamics of the 1st bZx attack so we can avoid attacks with market manipulation components in the future.

March 13, 2020

Top 3 DeFi Trends

This post discusses how flash loans, zaps, and DeFi aggregators are leveraging composability in order to simplify the user experience and ultimately make DeFi markets hyper-efficient.

March 11, 2020

Bringing Bitcoin to DeFi

DeFi is blockchain’s first killer app, with assets locked up approaching $1 billion USD. But one major asset is missing: Bitcoin. Bitcoin is not only the first crypto asset, but the largest - with over $168 billion USD of Bitcoin in circulation it has deep pools of liquidity. It is one of the least volatile cryptocurrencies and has a large network of fiat on and off ramps. All these properties make it a great crypto-collateral. We think Bitcoin has the potential to transform the DeFi landscape as the most widespread and liquid asset available today.