bZx Hack Full Disclosure (With Detailed Profit Analysis)

Figure: Five Arbitrage Steps in bZx Hack

Five Exploitation Steps For Arbitrage

The culprit transaction is 0xb5c8bd9430b6cc87a0e2fe110ece6bf527fa4f170a4bc8cd032f768fc5219838, which was mined at 2020-02-15 01:38:57 UTC at block height #9484688. As shown in the above figure, this attack can be separated into five distinct steps: Flashloan Borrow, Hoard, Margin Pump, Dump, Flashloan Repay. In the following, we examine each specific step.

Figure 1: Flashloan Borrowing From dYdX
Figure 2: WBTC Hoarding From Compound
Figure 3: Margin Pumping With bZx (and Kyber + Uniswap)
Figure 4: WBTC Dumping With Uniswap

bZx Smart Contract Bug

The magic under the hood is how the Uniswap WBTC/ETH price was manipulated up to 61.4 for profit. As mentioned in Step 3, the WBTC/ETH price was even pumped up to 109.8 when the normal market price was only around 38. In other words, a huge price slippage was intentionally triggered for exploitation. However, such a huge price slippage should leave the bZx position not fully collateralized. Why was the under-collateralized position allowed in the first place? That question naturally leads to the discovery of a hidden bug in the bZx smart contract implementation.

Figure 5: marginTradeFromDeposit()
Figure 6: _borrowTokenAndUse()
Figure 7: _borrowTokenAndUse()
Figure 8: _borrowTokenAndUseFinal()
Figure 9: bZxContract::takeOrderFromiToken()
Figure 10: bZxOracle::shouldLiquidate()
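
The collateralization argument above, as an added example that is not code from this article or from bZx: a Python model of a post-trade margin check that values the acquired WBTC at a reference market price rather than at the price the swap actually paid. The pool reserves, trade sizes and the 15% maintenance margin are constructed assumptions; only the market price of 38 comes from the text.

```python
"""Added example: post-trade collateral check for a leveraged swap.
Pool sizes, amounts and the maintenance margin are constructed values."""

MARKET_PRICE = 38.0        # ETH per WBTC, the "normal market price" cited in the text
MAINTENANCE_MARGIN = 0.15  # assumed threshold, not taken from the page


def swap_eth_for_wbtc(reserve_eth, reserve_wbtc, eth_in, fee=0.003):
    """WBTC received from a constant-product (x*y=k) pool for eth_in."""
    eth_in_after_fee = eth_in * (1 - fee)
    return eth_in_after_fee * reserve_wbtc / (reserve_eth + eth_in_after_fee)


def post_trade_margin(deposit_eth, loan_eth, wbtc_received, reference_price):
    """(collateral + position value - debt) / debt, valued at the reference
    price from an independent source, not the price the swap executed at."""
    equity = deposit_eth + wbtc_received * reference_price - loan_eth
    return equity / loan_eth


def evaluate_margin_trade(deposit_eth, loan_eth, reserve_eth, reserve_wbtc):
    """Simulate swapping the borrowed ETH, then apply the margin check."""
    wbtc = swap_eth_for_wbtc(reserve_eth, reserve_wbtc, loan_eth)
    margin = post_trade_margin(deposit_eth, loan_eth, wbtc, MARKET_PRICE)
    return {
        "effective_price": loan_eth / wbtc,  # ETH paid per WBTC, slippage included
        "margin": margin,
        "accepted": margin >= MAINTENANCE_MARGIN,
    }


# Constructed thin pool whose spot price starts at the market price (3800 / 100 = 38).
POOL = (3800.0, 100.0)
small = evaluate_margin_trade(deposit_eth=10.0, loan_eth=50.0,
                              reserve_eth=POOL[0], reserve_wbtc=POOL[1])
large = evaluate_margin_trade(deposit_eth=1000.0, loan_eth=5000.0,
                              reserve_eth=POOL[0], reserve_wbtc=POOL[1])

if __name__ == "__main__":
    for name, result in (("small", small), ("large", large)):
        print(f"{name}: paid {result['effective_price']:.1f} ETH/WBTC, "
              f"margin {result['margin']:+.3f}, accepted={result['accepted']}")
```

The large trade pays far above the reference price, so its margin goes negative and the check rejects it; a lending contract that skips this check after the swap settles accepts the position anyway.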

About us

PeckShield Inc. is an industry-leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.
