DeFi lending protocol bZx exploited, may lose up to $350,000. The attacker used multiple DeFi protocols to lend and swap significant quantities of Ether and wrapped Bitcoin (WBTC) — a token on the Ethereum blockchain that tracks the price of Bitcoin (BTC) — in a way that allowed him to manipulate the prices and profit off of a decentralized leveraged trade.

The attacker first took loaned 10,000 Ether (ETH) from decentralized lending protocol dYdX, then used 5,500 ETH ($1.46 million) to collateralize a 112 wrapped Bitcoin (WBTC) loan (over $1 million) on DeFi protocol Compound.

At this point, the attacker sent 1,300 ETH (over $372,000) to decentralized margin trading ETH to open a 5x leveraged position on the ETH/BTC pair on bZx’s Fulcrum trading platform and borrowed 5,637 ETH through Kyber’s Uniswap and swapped them for 51 WBTC, causing large slippage.

This, in turn, allowed the attacker to profit from swapping the 112 WBTC from Compound to 6,671 ETH, resulting in a profit of 1,193 ETH (nearly $318,000). The hacker finally paid back the 10,000 ETH loan on dYdX that he took before.

According to an in-depth analysis of the attack, the transaction with which the attacker opened the leveraged trade should have been prevented by safety checks, but those checks did not fire due to a bug in bZx’s smart contract. The team behind the protocol has announced that the bug has been patched.