DeFi What?? $360,000 in ETH Lost As Intruder Manipulates Fulcrum

An anonymous individual made a jaw-dropping move by manipulating Ethereum-powered decentralized finance (DeFi) app, Fulcrum, to pocket $360,000 worth of ETH.

The breach reportedly took advantage of the recently invented flash loan feature on DeFi apps, where a single transaction is designed to lend and borrow assets for arbitrage ETH trading on exchanges.

However, the breach was only discovered when Fulcrum was taken down for maintenance, while  Kyle Kistner, a team member, disclosed the news about the exploitation causing the loss of a portion of Fulcrum’s ETH.

Flashloan Single Transaction in Details

Flashloans is a new DeFi app feature that allows users to borrow assets without requiring you to put down any collateral, but this is on a condition of paying it back in the same transaction.

To get a flashloan, the individual needs to code a smart contract that tells the Ethereum network that there only intent is to send the borrowed asset to one exchange to buy at a lower price after that sell it at a higher price on a different exchange.

The network can execute such transactions because the exchanges are open source, and this is what the hacker took advantage of spending only $8.71 in a single transaction containing the execution command for the flashloan.

First, the individual acquired a flash loan of 10,000 ETH worth about $3million from trading platformDyDx.

He then sent half to Compound (a DeFi loan protocol) and a half to bZx exchange (another Defi app). He borrowed 112WBTC (wrapped BTC) with the Compound half and with the bZx half, short 112WBTC. Then he sent the 112WBTC from Compound to Uniswap to sell at a lower price. 

By doing this, the anonymous person made a profit from the short, from which he finally paid back the 10,000 ETH loan.

Until now, it was believed that such types of loans could not be exploited because of the certainty of smart contract execution, but the current development has revealed that the smart contract could be written with malicious intent to game DeFi protocols.

bZx Tightens Up to Avoid Future Exploitations

While the latest development called the integrity of DeFi apps into questions, the bZx exchange, which provides the Fulcrum product used by the attacker, says they have deployed a contract upgrade, which they believe will make their system more robust against actions like this in the future. 

3/ We have deployed a contract upgrade that we believe will make our system more robust against these type of actions in the future. The upgrade is currently being processed through our timelock. It will pass through in the next 12 hours. At that time we hope to restart the UI.

— bZx (@bzxHQ) February 15, 2020

bZx has also promised to publish an official report on the development later today, after which Coinfomania will update this article.

Meanwhile, the breach though yet unknown to many, could have contributed to the decline in the market value of ETH during the weekend. Despite the cryptocurrency ending the previous week on a high, at the time of writing, ETH was trading at exactly $250, marking a seven percent decline in the last 24 hours.