Decentralized lending protocol bZx was hacked again; $350k USD stolen

Beyond limited adoption and the distrust of conventional financial institutions, enthusiasts of the decentralized economy also face cybercrime. According to cybersecurity specialists, the decentralized lending protocol bZx was hacked twice in a matter of days, incidents that resulted in the loss of more than $900k USD.

The administrators’ report mentions that the protocol was first attacked on February 14, while the security team was at an ETHDenver event. The second attack was recorded during the early hours of this Tuesday, February 18.

Cybersecurity specialists say the threat actors used several decentralized finance protocols to conduct unauthorized transactions on Bitcoin and Ethereum. To begin with, the attackers borrowed 10,000 Ethereum units (ETH) from the dYdX loan protocol. Of that 10,000 ETH, 5,500 (about $1.4M USD) were used as collateral to obtain a loan of 112 Bitcoin (more than $1M USD) on the decentralized Compound protocol. This fraud scheme represented a loss of more than $300k USD. The operators of this protocol mentioned that the flaw exploited by the threat actors has already been corrected.

Cybersecurity specialists are still unclear about how the second incident was carried out, although a potential cause is an oracle manipulation attack. Oracles are centralized components that provide external data to on-chain applications.

The only thing traders have been able to confirm is that the second attack resulted in losses of about $640k USD, although they have mentioned that it is possible to neutralize the security flaw and prevent asset loss. Finally, the operators claim that bZx will switch to oracles based on the supposedly safer Chainlink protocol.

According to the International Institute of Cyber Security (IICS), the inability to track most cryptocurrency transactions is a double-edged sword because, while this feature protects users’ privacy, it can also be exploited by hackers who steal digital assets without the possibility of recovering them.