bZx Suffers Second Flash Loan Attack in One Week as $630,000 in Ether Drained From DeFi Protocol

February 18, 2020 marked a watershed moment for decentralized finance when bZx, an Ethereum-based lending protocol, was exploited for the second time in a single week. The attacker made off with approximately $630,000 worth of ether, exposing critical vulnerabilities in the nascent DeFi ecosystem and raising urgent questions about the security of flash loan mechanisms, oracle reliability, and the broader robustness of decentralized financial infrastructure.

TL;DR

  • bZx exploited for the second time in one week, losing $630,000 worth of ETH
  • The attacker used flash loans to manipulate price feeds on bZx’s Fulcrum lending platform
  • The first attack, days earlier, netted approximately $350,000 in profit
  • Flash loans from dYdX provided the attacker with 10,000 WETH (roughly $3 million) with zero upfront capital
  • The incidents sparked industry-wide debate about DeFi security standards and oracle design

How Flash Loans Enabled the Attack

The bZx exploits represented the first major real-world demonstration of flash loan attacks in decentralized finance. Flash loans, a feature unique to DeFi, allow users to borrow enormous sums of cryptocurrency with no collateral — provided the loan is repaid within the same transaction. If the loan is not repaid, the entire transaction is reversed as if it never happened.

In the second attack on February 18, the attacker borrowed a massive amount of Wrapped ETH (WETH) through a flash loan from the dYdX lending platform. The borrowed capital — approximately 10,000 WETH, worth around $3 million at the time — was then used to manipulate the price feed on Fulcrum, bZx’s lending portal. By exploiting a vulnerability in the way Fulcrum relied on a single price oracle, the attacker was able to open significantly under-collateralized positions and extract $630,000 in ether before the transaction completed and the flash loan was repaid.

The second attack was technically distinct from the first. While the initial exploit on February 15 involved manipulating Kyber Network’s reserves to profit from price discrepancies, the February 18 attack centered on swapping Ethereum for Synthetix USD (sUSD), a synthetic dollar-pegged stablecoin, to further distort price feeds.

bZx’s Response and Industry Fallout

Kyle Kistner, bZx’s chief visionary officer and operations lead, acknowledged the attack on the project’s Telegram channel, describing the flash loan hack as “completely tractable” — suggesting the vulnerability could have been prevented with better oracle design and price feed redundancy.

The back-to-back exploits sent tremors through the broader DeFi community. Total value locked in DeFi protocols at the time was still measured in the hundreds of millions rather than the billions it would later reach, and the bZx incidents demonstrated that even well-audited smart contracts could harbor exploitable design flaws when they interacted with other protocols in unexpected ways.

The attacks also ignited a fierce debate within the Ethereum community about whether flash loans themselves were the problem, or whether the real issue lay in protocols that relied on single-source price oracles and failed to implement adequate safeguards against manipulation.

The Broader DeFi Security Landscape

The bZx incidents were among the earliest examples of what would become a recurring pattern in DeFi: composability — the ability of different protocols to interact with one another — creating emergent vulnerabilities that were difficult to anticipate during individual protocol audits. An attacker could chain together interactions across multiple platforms (dYdX for flash loans, Kyber for swaps, bZx for lending) in a single atomic transaction, exploiting the interconnected nature of the ecosystem.

With Bitcoin trading at approximately $10,142 and Ethereum at $281.94 on the day of the second attack, the broader cryptocurrency market remained relatively stable despite the DeFi-specific disruption. However, the incidents underscored a fundamental tension in the rapidly growing DeFi space: the pursuit of permissionless, composable financial infrastructure was moving faster than the security frameworks needed to protect it.

Why This Matters

The bZx flash loan attacks of February 2020 were a defining moment for decentralized finance. They demonstrated that DeFi’s greatest strength — the ability to compose financial instruments from modular, interoperable protocols — was also its greatest vulnerability. The attacks catalyzed a wave of security improvements across the ecosystem, including the adoption of decentralized oracle networks like Chainlink, the implementation of time-weighted average price (TWAP) feeds, and more sophisticated circuit breakers. The lessons learned from bZx would prove invaluable as DeFi grew from hundreds of millions to hundreds of billions in total value locked. Yet the fundamental tension between innovation speed and security rigor remains at the heart of every DeFi protocol built today.
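
An added illustration (not part of the original article and not bZx or Fulcrum code) of why the TWAP feeds and circuit breakers mentioned above blunt a price distortion that lives inside one transaction: a toy constant-product pool is read as a spot oracle and as a time-weighted oracle after a single large swap. The pool reserves, trade size, 15-second block time and 5% deviation threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy constant-product pool (x * y = k) that also keeps a TWAP accumulator."""
    eth: float
    usd: float
    cum_price: float = 0.0  # running sum of price * seconds elapsed since t = 0
    last_ts: int = 0

    def spot(self) -> float:
        return self.usd / self.eth

    def tick(self, now: int) -> None:
        # Credit the price that held since the last update, before any trade at `now`.
        self.cum_price += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap_eth_in(self, amount: float, now: int) -> float:
        self.tick(now)
        k = self.eth * self.usd
        self.eth += amount
        usd_out = self.usd - k / self.eth
        self.usd -= usd_out
        return usd_out

    def twap(self, now: int) -> float:
        # Average price over the window [0, now]; requires now > 0.
        self.tick(now)
        return self.cum_price / now

def price_is_sane(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    """Circuit breaker: refuse to act when spot strays too far from the reference."""
    return abs(spot - reference) / reference <= max_dev

def simulate() -> dict:
    pool = Pool(eth=10_000.0, usd=2_800_000.0)  # constructed reserves, spot = 280
    before = pool.spot()
    pool.swap_eth_in(5_000.0, now=600)          # one large swap after 600 quiet seconds
    spot_after = pool.spot()                    # what a spot-reading lender would see
    twap_same_tx = pool.twap(now=600)           # same timestamp: zero time at new price
    twap_next_block = pool.twap(now=615)        # distorted price held for one 15 s block
    return {"before": before, "spot_after": spot_after,
            "twap_same_tx": twap_same_tx, "twap_next_block": twap_next_block,
            "breaker_allows": price_is_sane(spot_after, twap_same_tx)}

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:16} {value}")
```

The spot reading falls by more than half within the transaction while the time-weighted reading is unchanged, and it moves only about 1.4% even if the distorted price persists for a full block, so the deviation check rejects the spot value.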

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency and DeFi investments carry significant risk. Always conduct your own research before making investment decisions.


4 thoughts on “bZx Suffers Second Flash Loan Attack in One Week as $630,000 in Ether Drained From DeFi Protocol”

  1. flash_loan_rekt_

    two attacks in one week on the same protocol should have been a wake up call for the entire defi security space

  2. flash loans from dydx giving attackers zero risk capital to exploit protocols was a design flaw that took too long to address
