1inch.exchange Says Fulcrum Was Aware of Vulnerabilities 1 Month Before Attack
A decentralized exchange aggregator has alleged that Fulcrum, the company behind the bZx exchange, was aware of vulnerabilities in its code at least a month before it suffered two consecutive hacks that drained $2.5 million from its funds.
bZx, an Ethereum-based lending project from Fulcrum, might have known about the bugs in its system that enabled attackers to draw almost $1 million worth of ETH from the platform. A decentralized exchange (DEX) aggregating website called 1inch.exchange reportedly discovered a critical bug in Fulcrum’s Flash Loan feature back in January, but the exchange failed to react and resolve the problem.
According to 1inch.exchange’s Medium post, the bug allowed $2.5 million of users’ funds on bZx to be stolen in a single transaction. The company said there was a very high chance that malicious actors would exploit the bug in the smart contract and decided to warn the exchange about the impending disaster.
“It took nearly 4 hours for the Fulcrum team to manage the issue, and we got no details from the team about the progress. Additionally, the deployment of the fix took another 12 HOURS, because of a special system upgrade timelock in the smart contract. So there were 16 hours during which anyone could steal $2.5M.”
1inch.exchange then said that Fulcrum refused to pay it an “industry-standard” bug bounty for discovering the vulnerability and asked it to sign a non-disclosure agreement (NDA) so that the information would not be leaked to the public.
However, Fulcrum denied hiding the vulnerabilities from its clients, with bZx co-founder Kyle Kistner telling The Block that 1inch.exchange violated the project’s disclosure policy by publishing the blog post.
bZx is currently conducting a post-mortem of the attack, which is scheduled to be published at the end of February.
Earlier this week, bZx, an Ethereum-based lending project from Fulcrum, fell victim to two attacks that drained around $2.5 million worth of ETH from the company.
However, the crypto community seems divided on whether to call it a malicious attack, as further investigation into the matter showed that the “attackers” used a complex trading maneuver to exploit bugs in bZx’s Flash Loan feature.
According to an investigation by DeFi Pulse, the attackers took out a 7,500 ETH loan and used half of it to purchase sUSD stablecoin. The stablecoins were then put in as collateral for another 6,796 ETH loan, and the remaining funds of the first loan were used to bid up the value of sUSD through the Kyber Network.
The attackers then used the freshly inflated collateral to pay back the original 7,500 ETH loan, withdrawing the remaining 2,378 ETH, or around $633,000. The first attack bZx saw last week exploited a similar bug and extracted $350,000 worth of ETH.
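The maneuver DeFi Pulse describes works because the lender valued the sUSD collateral using the same DEX price the large trade had just moved. The toy model below is an added example, not code from bZx, Kyber, Fulcrum or DeFi Pulse: it replays the pattern against a constant-product pool with constructed reserves and shows how a price-deviation guard, which compares the spot quote against a pre-trade reference standing in for a time-weighted average or an independent feed, refuses to value the inflated collateral. The pool sizes, the 75% loan-to-value ratio and the 5% deviation threshold are assumptions chosen for illustration.

```python
"""Toy model of single-transaction collateral inflation and of a price-deviation guard.
Constructed example; reserves and ratios are illustrative, not bZx or Kyber state."""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k AMM standing in for the DEX reserve a lender reads as its price oracle."""
    eth: float
    susd: float

    def spot_price(self) -> float:
        """ETH per sUSD implied by the current reserves."""
        return self.eth / self.susd

    def buy_susd(self, eth_in: float) -> float:
        """Swap eth_in for sUSD and return the sUSD received; this pushes the spot price up."""
        k = self.eth * self.susd
        new_eth = self.eth + eth_in
        new_susd = k / new_eth
        out = self.susd - new_susd
        self.eth, self.susd = new_eth, new_susd
        return out


def price_with_deviation_guard(spot: float, reference: float, max_deviation: float = 0.05) -> float:
    """Accept the spot quote only if it sits within max_deviation of an independent reference
    (a time-weighted average or a second feed).  Raises when the quote looks manipulated."""
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"spot price deviates {deviation:.0%} from reference; refusing to value collateral")
    return spot


def max_loan_eth(collateral_susd: float, price_eth_per_susd: float, ltv: float = 0.75) -> float:
    """Largest loan the pool extends against collateral valued at the given price (assumed LTV)."""
    return collateral_susd * price_eth_per_susd * ltv


def simulate(pool_eth: float, pool_susd: float, trade_eth: float) -> dict:
    """Value collateral bought with trade_eth under a naive spot oracle and under the guard."""
    pool = ConstantProductPool(pool_eth, pool_susd)
    reference = pool.spot_price()          # pre-trade price; stands in for a TWAP / external feed
    collateral = pool.buy_susd(trade_eth)  # one large trade, in the same transaction as the borrow
    inflated_spot = pool.spot_price()

    naive_loan = max_loan_eth(collateral, inflated_spot)   # lender trusts the moved spot price
    fair_loan = max_loan_eth(collateral, reference)        # what the collateral is actually worth
    try:
        price_with_deviation_guard(inflated_spot, reference)
        guarded_loan = naive_loan
    except ValueError:
        guarded_loan = 0.0  # borrow refused until the quote agrees with the reference

    return {
        "trade_eth": trade_eth,
        "collateral_susd": collateral,
        "reference_price": reference,
        "inflated_spot": inflated_spot,
        "naive_loan_eth": naive_loan,
        "fair_loan_eth": fair_loan,
        "guarded_loan_eth": guarded_loan,
    }


if __name__ == "__main__":
    result = simulate(pool_eth=1_000.0, pool_susd=250_000.0, trade_eth=500.0)
    for key, value in result.items():
        print(f"{key:>18}: {value:,.4f}")
```

With the constructed reserves, a 500 ETH purchase more than doubles the pool's sUSD price, so a lender reading that spot price would extend a loan larger than the ETH that went in, which is the same shape as the DeFi Pulse account above. The guard is the minimal defensive check: it does not stop the trade, it only refuses to treat a quote that disagrees sharply with an independent reference as a valid collateral price, which is what removes the incentive to move the market inside one transaction.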