bZx DeFi Protocol Suffers $8 Million Loss as Attacker Exploits Token Duplication Vulnerability
Key highlights:
- DeFi lending protocol bZx suffered an $8 million loss
- The attacker exploited a vulnerability that allowed them to duplicate bZx's "iTokens", the tokens representing deposits in its lending pools
- The attack was first discovered by Bitcoin.com engineer Marc Thalen
Attacker takes off with $8 million worth of crypto from DeFi protocol bZx
bZx, a decentralized lending protocol built on the Ethereum blockchain, lost $8 million worth of crypto assets after an attacker exploited a vulnerability in its smart contracts. The bug allowed a user to duplicate the “iTokens” that bZx issues to depositors. iTokens such as iETH and iBAT represent their holders’ share of the bZx lending pool for the corresponding asset, so anyone who can mint them out of thin air can redeem real collateral from the pool.
Marc Thalen, an engineer at Bitcoin.com, was the first to notice the attack and attempted to inform the bZx team and explain what was happening. Although he could not reach them initially, Thalen eventually managed to get in touch with the team, who decided to pause the bZx contracts. Thalen will receive a bug bounty as compensation for his efforts, although it’s unclear how large it will ultimately be (according to Thalen, the current recommendation of bZx’s security panel is $12,500).
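The article does not spell out how the duplication worked. The Python model below is an added illustration written for this page, not bZx's own Solidity code; it assumes the bug class publicly reported for this incident, namely a transfer routine that reads both balances into local variables first and writes the receiver's balance last, so that a transfer from an address to itself ends with the original balance plus the amount. The ledger contents, the `BuggyLedger`/`FixedLedger` names and the helper functions are all constructed for the example.

```python
"""Constructed model of a token ledger with a self-transfer duplication bug.

Assumption (labelled): the vulnerable pattern is "cache both balances, then
write sender, then write receiver". In Solidity the same shape arises when a
contract copies storage slots into memory before the arithmetic. Nothing here
is bZx's real contract; it only reproduces the effect the page describes.
"""


class BuggyLedger:
    """Vulnerable pattern: balances cached before the transfer, receiver written last."""

    def __init__(self, balances):
        self.balances = dict(balances)
        # Total supply is fixed at construction; a correct ledger never changes it.
        self.total_supply = sum(self.balances.values())

    def transfer_from(self, src, dst, value):
        bal_from = self.balances.get(src, 0)   # stale copy of sender balance
        bal_to = self.balances.get(dst, 0)     # stale copy of receiver balance
        if value > bal_from:
            raise ValueError("insufficient balance")
        self.balances[src] = bal_from - value
        # When src == dst this second write overwrites the subtraction above,
        # leaving the account with its old balance PLUS value: tokens appear.
        self.balances[dst] = bal_to + value


class FixedLedger(BuggyLedger):
    """Hardened pattern: each slot is read-modify-written from current state."""

    def transfer_from(self, src, dst, value):
        if value > self.balances.get(src, 0):
            raise ValueError("insufficient balance")
        self.balances[src] = self.balances.get(src, 0) - value
        # Re-reading dst here sees the debit when src == dst, so a self-transfer nets zero.
        self.balances[dst] = self.balances.get(dst, 0) + value


def supply_invariant_holds(ledger):
    """The check a monitor or property test should assert after every transfer."""
    return sum(ledger.balances.values()) == ledger.total_supply


def self_transfer_gain(ledger_cls, start=100, amount=100):
    """Return (tokens gained by one self-transfer, whether supply is still conserved)."""
    ledger = ledger_cls({"attacker": start, "pool": 1_000})   # constructed sample state
    ledger.transfer_from("attacker", "attacker", amount)
    return ledger.balances["attacker"] - start, supply_invariant_holds(ledger)


def repeated_self_transfers(ledger_cls, rounds, start=100):
    """Send the full balance to self `rounds` times; the buggy ledger doubles it each round."""
    ledger = ledger_cls({"attacker": start, "pool": 1_000})   # constructed sample state
    for _ in range(rounds):
        ledger.transfer_from("attacker", "attacker", ledger.balances["attacker"])
    return ledger.balances["attacker"]


if __name__ == "__main__":
    print("buggy :", self_transfer_gain(BuggyLedger), repeated_self_transfers(BuggyLedger, 3))
    print("fixed :", self_transfer_gain(FixedLedger), repeated_self_transfers(FixedLedger, 3))
```

The practical takeaway is the invariant, not the trick: the sum of all balances must equal `totalSupply` after every transfer, and a unit test or on-chain monitor asserting that after a `transfer(self, self, amount)` call catches this whole bug class regardless of how the arithmetic is ordered.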
1/4 Last night I found an exploit in BRZX. I noticed that a user was capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up… pic.twitter.com/MdJqOH2IPu
— Marc Thalen (@MarcThalen) September 14, 2020
Before the smart contracts were halted, the attacker managed to drain LINK, ETH, USDT, USDC and DAI totaling about $8 million in value. The shortfall has been booked as a debt owed by bZx’s insurance fund. In a blog post describing the incident, bZx’s Kyle Kistner says that user funds are not at risk as a result of the vulnerability.
“No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.”
However, not everyone is convinced that the vulnerability poses no risk for bZx’s users. Compound founder Robert Leshner says bZx is “deeply insolvent”:
The protocol is deeply insolvent, and they are relying on sweet-talking users into thinking it’s OK. Essentially non existent.
— Robert Leshner (@rleshner) September 14, 2020
bZx has had similar issues in the past
This is not the first attack suffered by the bZx protocol. It already incurred losses of roughly $950,000 from two exploits in February of this year. Following those February exploits, bZx commissioned audits from Certik and PeckShield, although the auditors evidently did not catch the vulnerability behind the most recent attack.
The protocol’s BZRX token took a big hit after news of the exploit started circulating, losing 32.2% of its value in the last 24 hours.