USD 630k lost in Blockchain Oracle Manipulation

By beachbummer | CryptoBeach | 23 Feb 2020


On 14th Feb, I wrote an article giving a quick explanation of Blockchain Oracles. On 18th Feb, bZx suffered a second attack that resulted in a USD 630k loss, and the cause was probably an Oracle manipulation. What follows is a quick explanation of how the Oracle manipulation took place; if you need a primer on Blockchain Oracles, you can read my earlier article here.

As mentioned in my previous article, a Blockchain Oracle supplies information to a smart contract, which then acts on it. In the bZx attack, what purportedly happened was that the price data the Oracle fed to the contract was manipulated, so the contract made lending decisions on a false price and the attackers pocketed the difference.

The weakness in bZx was that it relied on a single on-chain Oracle for the price feed used to decide how much a loan, and the collateral behind it, was worth. The attackers took a flash loan (a loan that needs no collateral because it is borrowed and repaid within the same transaction, and is normally used for arbitrage) and spent the borrowed ETH buying up sUSD on the venue that fed that single Oracle. The large buy pushed the quoted price of the sUSD stablecoin to about USD 2 instead of its usual peg of USD 1.

Because bZx valued that sUSD at the inflated price, the attackers could post it as collateral and borrow roughly twice the ETH it was really worth, repay the flash loan out of the proceeds, and walk away with 2,378 ETH, worth about USD 630k at the time. This is a very summarised account of the attack, intended only to show how a single price Oracle was manipulated.

To mitigate such risks, smart contracts that make high-value decisions on a price should not act on a single instantaneous quote. bZx could have taken an aggregated price from a robust Oracle provider, or combined several independent Oracles, each connected to its own price feed. When combining feeds, take the median rather than a plain average, since an average still moves with one errant feed, or use a time-weighted average over several blocks, which a flash loan cannot move because the borrowed funds must be repaid within a single transaction. The underlying feeds must also come from exchanges with deep liquidity; a thin pool can be pushed a long way with modest capital, so manipulation remains possible however many such feeds are combined.
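To make both the attack above and these mitigations concrete, here is a small simulation. It is an added illustration, not code from bZx or from the original article, and every number in it is constructed: a constant-product swap pool holding 1,000 ETH and 200,000 sUSD (so 1 sUSD = 0.005 ETH, or USD 1 at USD 200 per ETH), a lender that lets a borrower take 80% of collateral value, an attacker with a 1,000 ETH flash loan, and two extra "honest" feeds that the attacker's trade does not touch. It runs the same flash-loan sequence against a spot-price Oracle, a median-of-feeds Oracle and a time-weighted average Oracle, and finally against a ten times deeper pool, and reports the attacker's profit in each case.

```python
"""Toy model of a flash-loan price-Oracle manipulation and two defences.

Added illustration; all figures are constructed, not the real bZx numbers.
Prices are quoted in ETH per sUSD.
"""
from statistics import median


class ConstantProductPool:
    """x * y = k swap pool (no trading fee, to keep the arithmetic clean)."""

    def __init__(self, eth: float, susd: float) -> None:
        self.eth, self.susd = eth, susd

    def spot_price(self) -> float:
        """ETH per sUSD implied by the current reserves."""
        return self.eth / self.susd

    def buy_susd_with_eth(self, eth_in: float) -> float:
        """Swap ETH in for sUSD out; a large buy moves the spot price sharply."""
        k = self.eth * self.susd
        self.eth += eth_in
        new_susd = k / self.eth
        out = self.susd - new_susd
        self.susd = new_susd
        return out


class SpotOracle:
    """One on-chain venue, read instantly: the pattern that bit bZx."""

    def __init__(self, pool: ConstantProductPool) -> None:
        self.pool = pool

    def price(self) -> float:
        return self.pool.spot_price()


class MedianOracle:
    """Median of independent feeds; a single errant feed cannot move it."""

    def __init__(self, feeds) -> None:
        self.feeds = feeds  # callables, each returning a price

    def price(self) -> float:
        return median(f() for f in self.feeds)


class TwapOracle:
    """Average of one pool's price over the last `window` blocks. A flash-loan
    trade exists in one block only, so it is at most 1/window of the answer."""

    def __init__(self, pool: ConstantProductPool, window: int) -> None:
        self.pool, self.window, self.history = pool, window, []

    def record_block(self) -> None:
        self.history = (self.history + [self.pool.spot_price()])[-self.window:]

    def price(self) -> float:
        return sum(self.history) / len(self.history)


class Lender:
    """Values sUSD collateral via its Oracle; 80% loan-to-value is an assumption."""

    def __init__(self, oracle, ltv: float = 0.8) -> None:
        self.oracle, self.ltv = oracle, ltv

    def max_borrow_eth(self, susd_collateral: float) -> float:
        return susd_collateral * self.oracle.price() * self.ltv


def run_attack(oracle_kind: str, pool_eth: float = 1_000.0,
               pool_susd: float = 200_000.0, flash_loan: float = 1_000.0) -> float:
    """Attacker's net ETH profit for one flash-loan transaction (negative = fails).

    1. buy sUSD with the flash-loaned ETH, pushing the pool's spot price up;
    2. post that sUSD as collateral and borrow all the ETH the lender allows;
    3. repay the flash loan from the borrowed ETH and keep the rest (the
       sUSD-backed loan is never repaid; the lender is stuck with the sUSD).
    """
    pool = ConstantProductPool(pool_eth, pool_susd)
    honest_price = pool.spot_price()
    if oracle_kind == "spot":
        oracle = SpotOracle(pool)
    elif oracle_kind == "median":
        # two other feeds untouched by the attacker's trade (constructed)
        oracle = MedianOracle([pool.spot_price, lambda: honest_price, lambda: honest_price])
    elif oracle_kind == "twap":
        oracle = TwapOracle(pool, window=10)
        for _ in range(9):  # nine quiet blocks before the attack block
            oracle.record_block()
    else:
        raise ValueError(oracle_kind)
    lender = Lender(oracle)

    susd = pool.buy_susd_with_eth(flash_loan)  # step 1
    if oracle_kind == "twap":
        oracle.record_block()                   # the attack block is observed too
    borrowed = lender.max_borrow_eth(susd)      # step 2
    return borrowed - flash_loan                # step 3


if __name__ == "__main__":
    for kind in ("spot", "median", "twap"):
        print(f"{kind:>6}: attacker profit {run_attack(kind):+.1f} ETH")
    print(f"  spot, 10x deeper pool: {run_attack('spot', 10_000.0, 2_000_000.0):+.1f} ETH")
```

With the spot Oracle the 1,000 ETH buy quadruples the pool price, the lender values the 100,000 sUSD at 2,000 ETH and hands over 1,600 ETH, leaving the attacker 600 ETH up. The median Oracle ignores the one inflated feed, the ten-block average dilutes it to a fraction of a block's worth, and a ten times deeper pool barely moves on the same trade; in all three cases the attacker ends the transaction worse off than they started, so the flash loan is simply not worth taking.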

beachbummer
Professional in Financial Services

CryptoBeach
Thoughts, news and views on cryptocurrencies