10 Quick and Dirty Facts about the bZx Hacks

February 27, 2020
Quantstamp Announcements

10 Quick and Dirty Facts about the bZx Hacks


These facts are brought to you by Quantstamp, a leading DeFi security company. 

#1  The 1st hack used Tornado Cash to stay anonymous (source)

#2  The 2nd hack used ShapeShift to stay anonymous (source 1) (source 2) . 

#3  Both hacks were each carried out in a single atomic transaction (attack 1) (attack 2).

#4  5 money legos and over 25 contracts were used in the 1st hack (source).

The first hack interacted with 5 different protocols (Kyber, Uniswap, dYdx, bZx and Compound) and over 25 smart contracts; this highlights the massive composability of these money legos. This all took place in a single transaction.  

#5  Flash loans were used in both hacks, but they worked as intended. 

Flash loans were never exploited. Their purpose in the attacks were to provide the attackers with enough capital to produce massive slippage in low liquidity DEX markets.  

#6  The 1st attack was not an oracle attack. 

Uniswap was targeted in the 1st attack, but Uniswap was targeted because it was vulnerable to slippage, not because it was used as a price oracle. 

#7  The 2nd bZx attack was an oracle attack. 

bZx made the mistake of calculating the value of collateral within their system using DEX price oracles. The attacker took advantage of this by causing massive slippage in sUSD DEX markets in order to temporarily inflate the value of sUSD calculated within the bZx system. Once the attacker took out the loan, the position was instantly “underwater” because of the inflated value of the collateral. 

#8  Each hack left an underwater position open in bZx. 

A loan is underwater when the value of the collateral is not enough to cover the outstanding debt of the loan. The 1st bZx hack instantly left a position underwater by approximately 640,000 USD worth of cryptocurrency. The 2nd bZx hack instantly created a position that was underwater by approximately  800,000 USD. 

#9  bZx’s flash loan was used in the 2nd hack  

In the second attack, the attacker used bZx’s flash loan feature. The first attack used dYdX’s flash loan feature.

#10  These hacks may have been conducted by two different people. 

There is no evidence that these attacks were conducted by the same person. 

--

For more Quantstamp news or anything QSP crypto or QSP coin related, check out Quantstamp Reddit and QSP Twitter.



Quantstamp Announcements
February 27, 2020

10 Quick and Dirty Facts about the bZx Hacks


These facts are brought to you by Quantstamp, a leading DeFi security company. 

#1  The 1st hack used Tornado Cash to stay anonymous (source)

#2  The 2nd hack used ShapeShift to stay anonymous (source 1) (source 2) . 

#3  Both hacks were each carried out in a single atomic transaction (attack 1) (attack 2).

#4  5 money legos and over 25 contracts were used in the 1st hack (source).

The first hack interacted with 5 different protocols (Kyber, Uniswap, dYdx, bZx and Compound) and over 25 smart contracts; this highlights the massive composability of these money legos. This all took place in a single transaction.  

#5  Flash loans were used in both hacks, but they worked as intended. 

Flash loans were never exploited. Their purpose in the attacks were to provide the attackers with enough capital to produce massive slippage in low liquidity DEX markets.  

#6  The 1st attack was not an oracle attack. 

Uniswap was targeted in the 1st attack, but Uniswap was targeted because it was vulnerable to slippage, not because it was used as a price oracle. 

#7  The 2nd bZx attack was an oracle attack. 

bZx made the mistake of calculating the value of collateral within their system using DEX price oracles. The attacker took advantage of this by causing massive slippage in sUSD DEX markets in order to temporarily inflate the value of sUSD calculated within the bZx system. Once the attacker took out the loan, the position was instantly “underwater” because of the inflated value of the collateral. 

#8  Each hack left an underwater position open in bZx. 

A loan is underwater when the value of the collateral is not enough to cover the outstanding debt of the loan. The 1st bZx hack instantly left a position underwater by approximately 640,000 USD worth of cryptocurrency. The 2nd bZx hack instantly created a position that was underwater by approximately  800,000 USD. 

#9  bZx’s flash loan was used in the 2nd hack  

In the second attack, the attacker used bZx’s flash loan feature. The first attack used dYdX’s flash loan feature.

#10  These hacks may have been conducted by two different people. 

There is no evidence that these attacks were conducted by the same person. 

--

For more Quantstamp news or anything QSP crypto or QSP coin related, check out Quantstamp Reddit and QSP Twitter.



Get your DeFi app secured by Quantstamp
Secure Now!
Get your DeFi app secured by Quantstamp
Secure Now!
Quantstamp Announcements

Monthly Hacks Roundup: March 2024

March was a volatile month for the web3 security landscape, with significant security breaches totalling over $152 million in losses. Read on as we dive into four major security incidents and the trends from last month 👇

Read more
Quantstamp Announcements

Modular Account: How Audits Can Help Shape Standards And Catalyze Mass Adoption

Quantstamp recently conducted a smart contract audit for Alchemy’s Modular Account, a wallet implementation designed from the ground up for ERC-4337 and ERC-6900 compatibility including two plugins

Read more
Quantstamp Announcements

Quantstamp 2023 Web3 Security Year In Review

As the year comes to a close, we wanted to take a moment to reflect on this year’s biggest hacks, root causes, and noteworthy trends.

Read more
Services
AuditsInfrastructure AuditsEconomic ExploitsInsuranceDeFi Protection
Resources
Audit ReportsAudit Readiness Guide
About
BlogTeamMediaCareers
Back to Top
Follow
Quantstamp logo

Request an Audit

Quantstamp works with a wide variety of teams ranging from new DeFi protocols to established enterprises. 

Share some details about what you’re building and someone from our team will reach out as soon as possible. We appreciate your interest and look forward to hearing about your project!

Close
We received your request successfully

Thank you for expressing your interest in a smart contract audit. You will receive a confirmation email from us and our team will be in touch with you within the next few days.

In the meantime, please consider getting your code and documentation ready in accordance with the Audit Readiness Checklist.

Close
Oops! Something went wrong while submitting the form.
Quantstamp logo

Contact Our Press Team

Are you interested in writing about Quantstamp or learning more about us? 

Fill out the form and we will contact you shortly. We look forward to meeting you.

High-caliber team
Stellar track record
Chain agnostic
Strategic partnerships
Close
We received your request successfully

Thank you for contacting our press team. We will get in touch with you in the next few days.

Close
Oops! Something went wrong while submitting the form.
Quantstamp logo

Contact Us

Let us know how you would like to collaborate with us.

Close
Success
We received your request successfully

Thank you for expressing your interest in Quantstamp. We will contact you as soon as we review your message.

Close
Oops! Something went wrong while submitting the form.