Ethereum-based lending platform Fulcrum lost $350,000 due to a flaw in a smart contract, DeFi was called
The Ethereum-based lending platform Fulcrum has become the victim of a malicious attack. The attack occurred between February 14 and 15, when attackers took advantage of a flaw in the platform's lending protocol.
Flash loan single transaction manipulation, Feb 2020
What are flash loans?
Flash loans are the latest building block: a code-based operation where you get money without any condition, because your code ensures it will be returned after 15 seconds (one block). For flash loans, all actions must be performed in one transaction. So you have to program all the steps into a single smart contract transaction: loan, work, repayment. If you do not return the money by the end, the transaction fails and nothing happens.
So the contract gives you, say, 10,000 ETH at the beginning. If it does not have 10,000 ETH again at the end, the transaction fails, because the nodes perform the internal transactions and revert the entire change if it fails. So the nodes, acting as the accountants, look at this code, and if 10,000 ETH is returned at the end, they execute it and publish it, making it part of the live system. If instead the execution of all these open-source actions shows that 10,000 ETH was not returned, they do not publish it.
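The loan, work, repayment sequence and the all-or-nothing revert described above, modelled in Python as an added example (not code from the article, bZx or any lending protocol). The account names `pool`, `borrower` and `venue`, the balances and the 20 ETH gain are constructed for illustration.

```python
class Revert(Exception):
    """Aborts the transaction, like a failed require() on-chain."""

class Chain:
    """Toy ledger mapping account name -> ETH balance (constructed data)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx atomically: every state change is kept, or none is."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot  # roll back as if nothing happened
            return False

def flash_loan(chain, pool, borrower, amount, work):
    """Lend, run the borrower's steps, then require the pool to be whole."""
    before = chain.balances[pool]
    chain.transfer(pool, borrower, amount)  # 1. loan
    work(chain)                             # 2. work, including repayment
    if chain.balances[pool] < before:       # 3. repayment check
        raise Revert("flash loan not repaid")

def run_scenarios():
    chain = Chain({"pool": 10_000, "borrower": 5, "venue": 100})

    def repays(c):
        c.transfer("venue", "borrower", 20)     # constructed gain from the work step
        c.transfer("borrower", "pool", 10_000)

    def defaults(c):
        c.transfer("borrower", "venue", 3_000)  # spends the loan, never repays

    ok = chain.execute(lambda c: flash_loan(c, "pool", "borrower", 10_000, repays))
    after_ok = dict(chain.balances)
    bad = chain.execute(lambda c: flash_loan(c, "pool", "borrower", 10_000, defaults))
    return ok, after_ok, bad, dict(chain.balances)

if __name__ == "__main__":
    print(run_scenarios())
```

The repayment check protects only the lending pool: in the committed run the `venue` balance still changed, so each protocol touched during the work step has to enforce its own invariants.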
However, this is not the only invention in the decentralized finance space. Fulcrum is an example when it comes to super liquidity. But eventually, something went wrong.
The attack occurred in several stages. First, the attacker took a flash loan of 10,000 ETH. He then used half of the ETH to take out another loan in wrapped Bitcoin (wBTC) through the Compound protocol. The other half of the ETH went to Fulcrum as collateral for a short position on wBTC, a bet that the price of wBTC would fall. The attacker then poured the wBTC into Uniswap, causing the price to fall, in order to profit from the short position on Fulcrum and pay off the original flash loan.
2/ Full details and bZx’s post-mortem have not been released yet. However, the community believes this tx was the inciting tx: https://t.co/e4cCaZ4xZh
– A complex single-transaction exploit utilizing a 10k ETH flash loan from dYdX, half placed into Compound and half into Fulcrum pic.twitter.com/xDhYWwamdP
— DeFi Pulse (@defipulse) February 15, 2020
The Fulcrum platform has been shut down while investigations are underway. Fulcrum is a UX-focused dapp for lending and trading that was launched in June 2019. The dapp uses the decentralized bZx protocol, which allows its native dapps to offer trading, margin loans and leverage.
bZx provides post-mortem details
The attack on Fulcrum is complicated for many reasons. The company behind this platform, bZx, participated in a hackathon with the Ethereum community. As a result, the reaction of bZx has been delayed.
1/ ⚠️ Mini-thread on the Fulcrum situation ⚠️
TLDR:
– @bzxHQ took Fulcrum down for maintenance late last night
– Shortly after, team member Kyle Kistner disclosed that an exploit caused the loss of a portion of Fulcrum’s ETH
– Fulcrum contract is frozen, remaining funds are safe pic.twitter.com/TLUnbxLooh
— DeFi Pulse (@defipulse) February 15, 2020
bZx co-founder Kyle Kistner made a statement on February 15. Kistner noted that the contract had been breached and that part of the ETH was lost in the process. Loan contracts have been suspended for all activities. Kistner stated that no money was compromised, but did not give a specific figure for the money lost. It is estimated that the attacker could have made a profit of $350,000 in ETH.
The company behind bZx said that due to the complexity of the transaction, it takes time to understand exactly what the losses are. Moreover, they claim that the attacks are not just a swap in Uniswap and that bZx does not use Uniswap as propaganda.
bZx stated:
“We have implemented contract upgrades that we believe will make our system stronger against these types of actions in the future. The update is currently being processed through our time table. It will pass over in the next 12 hours. At that time, we hope to restart the user interface.”
The company reiterates that users are not losing money. bZx also revealed that the attacker left 600.000 wBTC as collateral:
3/ There is currently 600k of wBTC collateral left by the attacker. We will be using this to stream interest and exit liquidity to existing iETH holders. This will be done using our admin key. This is an extremely difficult decision for us that we don’t take lightly.
— bZx (@bzxHQ) February 15, 2020
It is estimated that Fulcrum will be back online at 10:30 PM MTS. The company will then publish a more detailed report on the attack and its complexity. However, the company has been criticized by many Fulcrum users. Some demand more transparency about the events, and others criticize the use of administrative keys. This mechanism gives bZx full control over the contract at Fulcrum.
The funny thing is that after Charlie Lee, Litecoin’s co-founder, spoke out about the incident, he was laughed at by a Twitter user.
you forgot to mention that it was about ETH DeFi.
you sure wouldn’t say so about DeFi on your friend Justin’s platform TRON, right he-he?
— (@peengueen94) February 16, 2020
However, it seems that Lee later tried to remedy the embarrassment by saying that DeFi does not work on any platform.
DeFi doesn’t work on any platform.
— Charlie Lee [LTC⚡] (@SatoshiLite) February 16, 2020