Using Smart Contract to Unlend iETH, iDAI, iUSDC from Fulcrum

in ethereum •  5 years ago 


Last week an attacker used the newly launched Flash Loans feature in Fulcrum, bZx's lending and margin protocol, to exploit it twice within only a few days. The exploits caused significant losses for decentralized finance (DeFi) proponents, with the total estimated at around $954,000. The hacker swapped large amounts of Ether and wrapped Bitcoin (WBTC) and made large profits by manipulating their prices through decentralized leveraged trades.

The Attacks Begin...

The first attack began when the hacker took out a loan of 10,000 Ether. They then split the loan into two parts and used 5,500 Ether as collateral to take out another loan of 112 wrapped Bitcoin. The hacker next went short on WBTC and instead sold them on Uniswap. Since the bZx protocol uses the price feed provided by Uniswap, the price manipulation left the exchange highly profitable for the hacker and significantly unprofitable for bZx.

The attacker completed the second attack in a similar manner, this time by manipulating the price feed for Synthetix's USD on Kyber. Taking advantage of this manipulation, the hacker took out an extra 2378 ETH over and above the amount permitted by the collateral requirements.
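The price-feed weakness described above, as an added example (not code from this article or from bZx): a simplified constant-product pool shows how a single 112 WBTC sale moves the spot price a protocol would read, and a hypothetical `checked_price` guard refuses a reading that strays too far from an independent reference. The class and function names, the pool reserves, the 5% threshold and the fee-free pool model are assumptions made for illustration.

```python
from fractions import Fraction


class ConstantProductPool:
    """Minimal x*y=k pool with fees ignored. Reserves are constructed sample values."""

    def __init__(self, wbtc, eth):
        self.wbtc = Fraction(wbtc)
        self.eth = Fraction(eth)

    def spot_price(self):
        """ETH per WBTC, read directly from the current reserves."""
        return self.eth / self.wbtc

    def sell_wbtc(self, amount):
        """Swap WBTC into the pool while keeping wbtc*eth constant; returns ETH paid out."""
        k = self.wbtc * self.eth
        self.wbtc += amount
        eth_out = self.eth - k / self.wbtc
        self.eth -= eth_out
        return eth_out


def checked_price(pool, reference, max_deviation=Fraction(5, 100)):
    """Return the pool price only if it is within max_deviation of an
    independent reference price; otherwise raise instead of using it."""
    spot = pool.spot_price()
    if abs(spot - reference) > max_deviation * reference:
        raise ValueError("pool price deviates from reference; refusing to use it")
    return spot


def demo():
    pool = ConstantProductPool(wbtc=80, eth=3200)  # constructed: 40 ETH per WBTC
    reference = pool.spot_price()  # stand-in for a second feed or time-averaged price
    before = checked_price(pool, reference)
    pool.sell_wbtc(112)  # sale size taken from the article
    after = pool.spot_price()  # what a spot-price reader would now see
    try:
        checked_price(pool, reference)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected


if __name__ == "__main__":
    print(demo())
```

Reading the pool's spot price directly would value WBTC at under a fifth of the reference after one trade in this model; the guard turns that into a rejected reading.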

For a company that has been in the market for only about a year, this is a significant loss, both monetarily and in terms of reputation. Further, the news of two significant attacks within only a few days worried lenders, most of whom immediately withdrew their funds from the platform, delivering a significant blow to the available liquidity and pushing lending pool utilization to its maximum limit.

This has rendered any further withdrawals impossible at the moment as the remaining funds are locked in existing trades. Fulcrum has, at the moment, decided to shut down its trading protocol until it can fix these issues.

It Gets Worse...

A few days later, the team behind 1inch.exchange revealed that a month prior they had identified a vulnerability in bZx's code that could be used to steal $2.5 million worth of funds from the exchange. They reached out to the Fulcrum team to let them know about the vulnerability and to help them fix it. In return, the Fulcrum team not only stiffed them by paying less than promised in the bug bounty, but also never informed their users of the incident.

Smart Contract to the Rescue

While the exchange is currently paused, it's not possible to take out funds from the exchange directly. The team has created a DApp that interacts with the smart contract to exchange the iTokens (iETH, iDAI, iUSDC, etc.) back to their original form. All you need is the same wallet that holds those iTokens with a web3-compatible browser like MetaMask or TrustWallet. If you are using a Ledger or Trezor, you can use it by connecting it to MetaMask.

How to Convert iTokens (iETH, iDAI, iUSDC) back to Original Token

  1. Click here to visit the iTokens Conversion Tool
  2. Choose which tokens you want to convert. iETH to ETH, iDAI to DAI or iUSDC to USDC
  3. Connect your Wallet
  4. Enter the amount to convert, and submit your transaction. After 2-3 confirmations, the original tokens will be back in your wallet.

This is really helpful. I was starting to think that my Ether is going to be stuck there forever. It's been over a week and the platform is still down. Is there a way to exit trades too? I don't want to get liquidated.

Thanks for finding a fix to this mess. It worked! I can't believe how incompetent the team behind this platform is. Never using them again! So happy to have my funds out of here.