
bZx DeFi Protocol Suffers $8 Million Loss as Attacker Exploits Token Duplication Vulnerability

4y ago

Key highlights:

  • DeFi lending protocol bZx suffered an $8 million loss
  • The attacker exploited a vulnerability that allowed them to duplicate bZx's "iTokens"
  • The attack was first discovered by Bitcoin.com engineer Marc Thalen

Attacker takes off with $8 million worth of crypto from DeFi protocol bZx

bZx, a decentralized lending protocol built on the Ethereum blockchain, lost $8 million worth of crypto assets after an attacker exploited a vulnerability in its smart contract. The bug allowed users to duplicate the “iTokens” that are used by bZx. iTokens such as iETH and iBAT represent their holders’ share in the bZx lending pool for the respective cryptocurrency.

Marc Thalen, an engineer at Bitcoin.com, was the first to notice the attack and attempted to inform the bZx team and explain what was happening. Although he could not reach them initially, Thalen eventually managed to get in touch with the team, who decided to pause the bZx contracts. Thalen will receive a bug bounty as compensation for his efforts, although it’s unclear how large it will ultimately be (according to Thalen, the bZx security panel’s current recommendation is $12,500).

Before the smart contracts were halted, the attacker managed to drain LINK, ETH, USDT, USDC and DAI totaling about $8 million in value. The lost funds have been added as debt to bZx’s insurance fund. In a blog post describing the incident, bZx’s Kyle Kistner says that the vulnerability does not put user funds at risk.

“No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.”

However, not everyone is convinced that the vulnerability poses no risk for bZx’s users. Compound founder Robert Leshner says bZx is “deeply insolvent”.

bZx has had similar issues in the past

This is not the first attack suffered by the bZx protocol. The protocol already incurred losses to the tune of $950,000 from two exploits earlier this year in February. Following the exploits in February, bZx commissioned audits from CertiK and PeckShield, although the auditors apparently didn’t catch the vulnerability that led to the most recent attack.

The protocol’s BZRX token took a big hit after news of the exploit started circulating, losing 32.2% of its value in the last 24 hours. 
