bZx exploit: Former Google engineer explains how an attacker made $350K in single transaction

Quick Take

  • Former Google engineer Korantin Auguste has explained how bZx lost funds in a recent attack 
  • Auguste estimates that the attacker profited $350,000  
  • Notably, Auguste said that it was not an Oracle bug

Korantin Auguste, a former Google software engineer, has explained in detail a recent attack on decentralized finance (DeFi) project bZx.

In a blog post published Monday on his personal website Palkeo, Auguste said an attacker borrowed 10,000 ETH (currently worth about $2.49 million) from dYdX, a non-custodial exchange for margin trading.

The attacker then sent 5,000 ETHs to DeFi lending protocol Compound and borrowed 112 wrapped bitcoins (WBTC), an ethereum-based token backed 1:1 by bitcoin, to pull off the attack.

Next, the attacker sent 1300 ETHs to bZx to open a 5x short position for WBTC. "This call opens a Fulcrum position, shorting ETH against WBTC with a x5 leverage. This position is on 1300 ETH (huge)," said Auguste.

bZx then internally converted 5637 ETH to 51 WBTC through a Kyber order routed to Uniswap. The attacker converted the 112 WBTC to 6871 ETH on Uniswap. Then they sent back the 10,000 ETH to DyDx.

“The attacker exploited a bug in bZx that caused it to trade a huge amount on Uniswap, at a 3x inflated price,” said Auguste, adding that the attacker was able to sell 112 WBTC for 6871 ETH because “the Uniswap supply is all distorted.”

The attacker ended up with 71 ETH, but that is not their “pure arbitrage profit,” said Auguste. “They ended up the transaction with a Compound position having 5500 ETH of collateral and only 112 wBTC borrowed. This is around 350k$ worth of equity in Compound.”

Put simply, a “logic bug” in bzX’s coding caused a loss of equity of around $620,000 for the protocol and around $350,000 worth of profit for the attacker, said Auguste. “It’s the mere fact of opening their huge position that caused a leak of funds from bZx to Uniswap, that they exploited."

Notably, Auguste said that it was not an Oracle bug, but rather a vulnerability. 

He also said that the equity loss from bZx and the money the attacker made don’t add up because "the attacker possibly didn’t maximize their profit, and they left Uniswap completely unbalanced after their attack. A lot of bots then rushed to make a profit out of it."

bZx tweeted yesterday that users will occur no losses as it will compensate them. The project is expected to release a detailed analysis at 5pm MST (i.e. 7pm EST) today. The Block will post a story accordingly.


(Please note that Auguste's blog post has been unpublished for now. Auguste told The Block that he will put it back online after bZx publishes their analysis).


© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the records as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. To contact her, email: [email protected]. For her latest work, follow her on X @Yogita_Khatri5.