Smart Contract Security Newsletter #32

Published in

ConsenSys Diligence

3 min readFeb 24, 2020

This issue of the newsletter was sent out on Feb 19, 2020. If you would like to receive the newsletter hot and fresh, sign up here.

Distilled News

bZx / Flashloans Shenanigans Roundup

https://twitter.com/kermankohli/status/1228817561220812800

Over the weekend, someone made a single epic transaction that linked together multiple different defi protocols, taking advantage of a bug in the bZx protocol’s “Fulcrum” margin trading to walk off with a profit of roughly $360k in ETH. Then just yesterday a second transaction exploited bZx for a profit of $645k.

For the first attack, Palkeo’s analysis and walkthrough is the best we’ve seen. Unfortunately there really isn’t much analysis available at the time of writing, we’ll make sure to summarize it in the next letter.

If you’d like to read more, here’s a selection of links to get you going:

Post-Mortem — bZx.network’s blog after the first attack
bZx tweets following the second attack — Twitter
bZx Hack full Disclosure (with detailed profit analysis) — PeckShield
bZx attacked again, $645K in ETH estimated to be lost — TheBlock
Sam Sun’s writeup of a September 2019 bug in bZx, which was apparently similar to the one used in the second attack

One particularly interesting implication here is that a DeFi attack will often be more profitable the more money you put into it. Flashloans make this capital readily available to an attacker, allowing them to get a greater payout for their effort. Haseeb Qureshi outlines this in a twitter thread.

Developers sometimes assume that if an attacker requires $1m to attack a system it would be noticeable on chain, this is particularly true with governance schemes. However with a flash loans the total duration of the attack would be in seconds, and no real resources are needed by the attacker. Here’s a scary thread discussing this scenario applied to MakerDAO.

Vulnerability disclosure — Tornado Cash

Last week, Tornado Cash warned users about a vulnerability on their app. Here’s more detail about it, it was mainly an information leakage to the third-party services used in their UI, which leaked user’s private note if “Share URL” was used by the user.

Anatomy of a Bridge Reserve Smart Contract Vulnerability — Kyber Network

SamCZSun strikes again by discovering a vulnerability in Kyber’s reserve manager smart contract. Read more about the vulnerability affecting Kyber-run DEX bridge reserves and how they fixed it.

Surrogeth: Tricking frontrunners into being transaction relayers — lsankar4033

Why create your own relay network from scratch, when bots are already scanning the mempool for simple transactions they can make money on.