Original link: https://medium.com/@slowmist/introduction-ca09c9b32b1b
Introduction
On Feb. 17, 2020, bZx was suspected of having suffered a second attack. This time the target was the ETH/sUSD trading pair instead of WBTC/WETH, which may raise some questions: “Isn't sUSD a stablecoin pegged to the USD?” “Can it be attacked?” “What is the specific attack method?” In response to this incident, the SlowMist security team reviews the two attack processes in this article.
In the first attack, the attacker combined a flash loan with a loan from Compound to attack the bZx protocol. The attack was mainly divided into the following steps:
Borrow 10000 ETH from dYdX via flash loan
Borrow 112 WBTC from Compound with 5500 ETH
Short ETH on bZx with 1300 ETH at 5x leverage and get 51.345576 WBTC in return. The WBTC/WETH price is provided by Kyber Network, which ultimately invokes Uniswap to get the real price. The 5x leveraged borrow therefore raises the WBTC/WETH price on Uniswap to an exchange rate of 1/109, although the price on the broader market does not actually rise that much
Sell the 112 WBTC borrowed from Compound on Uniswap. Since the 5x leveraged position opened on bZx in the third step has raised the price, selling at this point is profitable, and the sale returns 6871 ETH
Return 10000 ETH to dYdX
The second attack differs slightly from the first, but the core is the same: control the oracle and make a profit by manipulating the price it reports.
Note: WETH in the text below is equivalent to ETH, and the two can be exchanged 1:1.
Through analysis on Etherscan, we can see a bunch of inline token transfers in this transaction.
In total, the attacker exchanged sUSD 20 times in these transactions and finally left with a profit. So what did the attacker do, and how? We can use the block explorer bloxy.info for further analysis.
1. Pregame
As in the first attack, the attacker first had to borrow some ETH through a flash loan. The first attack borrowed 10,000 ETH from dYdX; this time the attacker borrowed 7500 ETH through the flash loan supported by bZx.
2. The Drive
After borrowing from bZx, the attacker started to buy sUSD on Kyber. The attacker first exchanged 540 ETH for 92,419.7034 sUSD, which sharply decreased the price of WETH/sUSD and raised the price of sUSD/WETH. The exchange rate of WETH/sUSD for this transaction was about 1:170. Kyber ultimately invokes Uniswap, so at this point WETH/sUSD on Uniswap is at a low level and, conversely, sUSD/WETH has increased.
After the first buy, the attacker made 18 more small trades of 20 ETH each, exchanging WETH for sUSD. On Etherscan, we can see that the amount of sUSD returned decreases each time.
This shows that the price of sUSD/WETH had been pushed up further, which was reflected on Uniswap, and was about to reach its limit. At this point the WETH/sUSD rate was around 1:157.
Now, the attacker had finished the preparation for hunting and was ready to start the attack.
3. Hole in One Shot
After raising the price of sUSD/WETH, the attacker needed to collect a large amount of sUSD to prepare for the subsequent exchange for WETH. For this purpose, the attacker sent 6000 ETH to Synthetix to buy sUSD. Because Synthetix did not have enough sUSD, 2482 WETH was returned, and the Synthetix Depot was depleted.
After completing the above operations, the attacker launched the final attack and sent all of the sUSD hoarded so far (1099841) to bZx to borrow WETH. Because bZx needed to get the sUSD/WETH price from Uniswap, where the price was already artificially high, bZx sent 6796 WETH in return for 1099841 sUSD. At this point, the attacker had finished the attack.
4. Return the Loan
After the attack, the attacker returned all 7500 ETH that had been borrowed from bZx. The loan came from bZx and went back to bZx, and bZx still suffered losses.
After the Attack
By analyzing the attacker’s methods, we tallied the attacker’s expenditure and income during the attack:
Income
7500 => bZx Flash Loan + 2482 => Synthetix return + 6796 => borrow WETH with sUSD in bZx = 16778 ETH
Expenditure
540 + (20*18) => raise the price of sUSD/WETH + 6000 => buy sUSD + 7500 => return Flash Loan bZx = 14400 ETH
Total Profit: 16778 - 14400 = 2378 ETH
Defense Recommendation
The main cause of both attacks was that sharp changes in the Uniswap price eventually led to the loss of assets. Price movement should be normal market behavior, but by maliciously manipulating the market, attackers can reduce prices in various ways and cause the project party to suffer losses. In response to this kind of profit-driven market manipulation, the SlowMist security team gives the following suggestions:
When using an oracle to obtain external prices, the project party should set up an insurance mechanism. Each time a token is exchanged, the exchange price of the current trading pair should be saved and compared with the last saved exchange price. If the price fluctuates drastically, trading should be suspended in time to prevent malicious market manipulation from causing losses.
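The saved-price check recommended above, together with the price movement described under "The Drive", as an added Python sketch (not SlowMist's or bZx's code). The fee-less constant-product pool, its reserves, the 5% threshold, the block numbers and every class and function name are assumptions made for illustration; the refresh-once-per-block rule goes slightly beyond the recommendation so that many small trades in one block cannot move the saved price along with the manipulated one.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Fee-less constant-product pool (eth * susd = k); a simplified model."""
    eth: float
    susd: float

    def price(self) -> float:
        """Marginal sUSD per ETH (the WETH/sUSD rate in the article's notation)."""
        return self.susd / self.eth

    def buy_susd(self, eth_in: float) -> float:
        """Swap ETH for sUSD and return the sUSD paid out."""
        k = self.eth * self.susd
        self.eth += eth_in
        out = self.susd - k / self.eth
        self.susd -= out
        return out

class PriceGuard:
    """Compares each oracle read with the saved price; suspends on a drastic move."""

    def __init__(self, max_move: float):
        self.max_move = max_move      # assumed threshold, e.g. 0.05 for 5%
        self.saved = None             # last saved exchange price
        self.saved_block = None       # block in which it was saved
        self.suspended = False

    def allow(self, price: float, block: int) -> bool:
        if self.suspended:
            return False
        if self.saved is not None and abs(price - self.saved) / self.saved > self.max_move:
            self.suspended = True     # stays off until operators review and reset
            return False
        if block != self.saved_block:
            # Refresh at most once per block, so small same-block trades
            # cannot walk the saved price along with a manipulated one.
            self.saved, self.saved_block = price, block
        return True

def replay(max_move: float = 0.05):
    pool = Pool(eth=10_000.0, susd=2_000_000.0)     # constructed, not on-chain data
    guard = PriceGuard(max_move)
    normal = guard.allow(pool.price(), block=1)      # ordinary trade saves 200 sUSD/ETH
    pool.buy_susd(540)                               # one large buy
    small = [pool.buy_susd(20) for _ in range(18)]   # eighteen 20 ETH buys
    return normal, small, pool.price(), guard.allow(pool.price(), block=2)
```

With these constructed reserves the eighteen small buys each return less sUSD than the one before, and the lending-side price read that follows is refused because the rate has moved about 16% from the saved value.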