In the past week, an anonymous market manipulator instigated a sophisticated arbitrage attack against the bZx decentralized finance lending protocol, netting the "bad actor or group" an estimated $350,000 worth of ETH. In the days that followed, bZx suffered a separate oracle-based attack. The suspect this time, whose method mirrors that of the previous attack, garnered approximately $650,000 in ETH.

bZx is a lending and margin trading protocol on Ethereum; Fulcrum is a front-end project built atop it that offers these bZx services at its core. The method used for the alleged heist was not an unauthorized intrusion into these projects or others, but rather a complex arbitrage-like opportunity. The trader followed the rules of the contract and loan system. They "apparently" exploited a logic bug in the smart contract intended to check that all positions end up safe. They took advantage of low-liquidity markets and employed clear market manipulation tactics.

Both incidents involved flash loans, a new type of Decentralized Finance (DeFi) primitive that allows users to conduct sophisticated sequences of financial activities within a single transaction. In simpler terms, flash loans let users take out a loan that is issued only if it is paid back, all in one transaction. This makes flash loans a powerful tool, and one the crypto-economy now regards as a double-edged sword. Flash loans are marketed as "risk-free" because they leverage the ability of the Ethereum blockchain to execute atomic transactions. This safeguard means that if the flash loan fails because the executor does not return enough funds, the transaction is reversed. Flash loans therefore enable traders to take out a loan with no backing, removing the need for collateral.
Arbitrageurs use flash loans alongside smart contracts, which they code to carry out calculated arbitrage trades: the simultaneous buying and selling of assets in different markets.

Investigations into the event suggest an attacker or group of attackers used an Aave flash loan to borrow 10,000 ETH from the dYdX protocol. The small trove was then used to launch the DeFi attack.

The attacker put half of those funds into the Compound lending dApp, with which they borrowed 112 WBTC, a tokenized ERC20 version of Bitcoin. In a separate move, the suspect went to the bZx protocol and shorted WBTC on margin. To depress the price, the agent sold the borrowed WBTC on Uniswap, which caused the token price to tank, effectively satisfying the bZx short. The attacker then paid back the Aave loan and profited by some $350,000.

All events in the narrative occurred within a single transaction with no original collateral needed. It was both an ingenious and nefarious move, and could possibly lead to further speculation and uncertainty in the DeFi community in the future.

Following the bZx attack, the DeFi sector reported a significant loss in locked-up assets, falling an estimated $140 million from a peak of $1.2 billion on February 18. Weeks before the attacks, DeFi boasted a milestone $1 billion in total locked-up assets. This deterioration was particularly noticeable in locked Ether, with total losses around 200,000 ETH, according to analytics.

The DeFi movement is still in its early stages while the market remains on the road to maturity. Still, the sector is working without enough of a sandbox, an omission that could undoubtedly trigger more hiccups down the road. Developers can avoid these scenarios by exercising a thorough smart contract auditing process.
In the aftermath, the bZx team has taken precautionary measures to defend against new attacks, while DeFi stakeholders are now on high alert for further nefarious attempts against even larger-scale projects.
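
The two mechanisms described above, flash-loan atomicity and the price impact of a sale into a low-liquidity pool, can be modeled in a few lines. This is an added example, not code from the article or from bZx, dYdX, Aave or Uniswap: the `Chain` class, its method names and all reserve figures are constructed for illustration, and the model ignores fees, tracks only ETH balances, and assumes the seller already holds the WBTC it sells.

```python
class Reverted(Exception):
    """Signals a failed transaction; every state change is rolled back."""

class Chain:
    """Toy ledger: a lender, a borrower and one x*y=k pool (fees ignored)."""
    def __init__(self, pool_wbtc, pool_eth, lender_eth):
        self.state = {"pool_wbtc": float(pool_wbtc), "pool_eth": float(pool_eth),
                      "lender": float(lender_eth), "borrower": 0.0}

    def spot_price(self):
        """ETH per WBTC as read directly from the pool reserves."""
        return self.state["pool_eth"] / self.state["pool_wbtc"]

    def sell_wbtc(self, amount):
        """Sell WBTC into the pool; ETH received is credited to the borrower."""
        s = self.state
        k = s["pool_wbtc"] * s["pool_eth"]            # constant product
        s["pool_wbtc"] += amount
        eth_out = s["pool_eth"] - k / s["pool_wbtc"]
        s["pool_eth"] -= eth_out
        s["borrower"] += eth_out
        return eth_out

    def flash_loan(self, amount, callback):
        """Lend ETH, run the borrower's callback, revert unless repaid."""
        snapshot = dict(self.state)                   # state is a flat dict
        try:
            if amount > self.state["lender"]:
                raise Reverted("insufficient liquidity")
            self.state["lender"] -= amount
            self.state["borrower"] += amount
            callback(self)
            if self.state["borrower"] < amount:
                raise Reverted("loan not repaid")
            self.state["borrower"] -= amount
            self.state["lender"] += amount
            return True
        except Reverted:
            self.state = snapshot                     # atomic: nothing happened
            return False

def price_drop(pool_wbtc, pool_eth, sold_wbtc):
    """Fractional fall in spot price after a single sale of sold_wbtc."""
    chain = Chain(pool_wbtc, pool_eth, lender_eth=0)
    before = chain.spot_price()
    chain.sell_wbtc(sold_wbtc)
    return 1 - chain.spot_price() / before

if __name__ == "__main__":
    # Constructed reserves: a thin pool versus one 99 times deeper.
    print(price_drop(112, 4480, 112), price_drop(11088, 443520, 112))
```

With these constructed reserves, selling 112 WBTC into the thin pool cuts the spot price by 75%, while the same sale into the deeper pool moves it by about 2%. Any check that reads a thin pool's spot price inside the same transaction sees the moved price.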