Vulnerabilities keep surfacing: lending platform bZx suffers another attack, with estimated losses of around 8 million USD.
Since being hacked in February this year and losing nearly $640,000, the decentralized lending protocol bZx has been underperforming, and its user base has steadily shrunk as liquidity mining has spread across the decentralized finance (DeFi) space. Just when people had almost forgotten about the platform, bZx has made headlines once again.
iToken Vulnerability
bZx was hacked again yesterday (September 13), losing up to $8 million, about 30% of the total assets locked on the platform. Marc Thelan, chief developer at Bitcoin.com, says he was the first to discover the contract vulnerability and alerted the team to halt the contract's functions immediately.
1/4 Last night I found an exploit in BRZX. I noticed that a user was capable of duplicating "i tokens". There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu
— Marc (@0x000000000marc) September 14, 2020
In the thread, Marc Thelan explained that he had noticed suspicious on-chain transactions on the bZx platform. Retracing the attacker's steps, he deposited 100 USDC into the platform as collateral, minted 100 iUSDC, and transferred those 100 iUSDC to his own address. A transfer whose sender and recipient are the same address should leave the balance unchanged. Because of the contract bug, however, the address's balance went from 100 iUSDC to 200 iUSDC, and he was able to redeem them for 200 USDC. In other words, the bug let anyone duplicate iTokens.
Marc Thelan immediately warned the bZx team that the attacker had already drained a large amount of DAI and USDC from the liquidity pool through this vulnerability, adding that with more time the attacker could have emptied the entire pool.
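The self-transfer duplication described above, modelled as an added example (this is not bZx's contract code). It assumes the bug comes from the transfer logic reading both balances before the transfer and writing them back independently, which reproduces exactly the symptom in the article: a transfer to one's own address grows the balance by the transferred amount. The hardened version updates storage in place, and a supply-conservation check shows how the duplication can be detected. All names and amounts are constructed for the illustration.

```python
"""Model of an iToken-style balance bug on self-transfer.

Added illustration, not bZx's code. Assumes the vulnerable pattern is
"read both balances, then write both back", which makes a self-transfer
credit the stale pre-transfer balance and lose the debit.
"""
from collections import defaultdict


class VulnerableToken:
    """Token whose transfer computes new balances from stale reads."""

    def __init__(self):
        self.balances = defaultdict(int)   # address -> balance
        self.total_supply = 0              # minted supply (for the check)

    def mint(self, to, value):
        self.balances[to] += value
        self.total_supply += value

    def transfer(self, sender, to, value):
        # Both balances are read up front ...
        from_balance = self.balances[sender]
        to_balance = self.balances[to]
        if from_balance < value:
            raise ValueError("insufficient balance")
        # ... and written back separately. When sender == to, the second
        # write overwrites the first with to_balance + value, so the debit
        # is lost and the balance grows by `value` (100 iUSDC -> 200 iUSDC).
        self.balances[sender] = from_balance - value
        self.balances[to] = to_balance + value


class FixedToken(VulnerableToken):
    """Same token with the debit applied before the credit is computed."""

    def transfer(self, sender, to, value):
        if self.balances[sender] < value:
            raise ValueError("insufficient balance")
        # Update storage in place: the credit reads the already-debited
        # balance, so a self-transfer is a no-op.
        self.balances[sender] -= value
        self.balances[to] += value


def supply_invariant_holds(token):
    """Conservation check: the sum of balances must equal minted supply.

    Duplicated iTokens break this invariant; the same check can be run
    off-chain against Transfer/Mint events to flag the bug in production.
    """
    return sum(token.balances.values()) == token.total_supply


def reproduce(token_cls, deposit=100):
    """Replay the article's steps: deposit, mint, transfer to self.

    Returns (holder balance after the self-transfer, invariant still holds).
    """
    token = token_cls()
    holder = "0xholder"                          # constructed address
    token.mint(holder, deposit)                  # 100 USDC in -> 100 iUSDC
    token.transfer(holder, holder, deposit)      # send the iTokens to self
    return token.balances[holder], supply_invariant_holds(token)


def amplify(token, holder, rounds):
    """Repeat the self-transfer of the full balance.

    On the vulnerable token each round doubles the balance, which is why
    the whole pool was at risk given enough time; on the fixed token the
    balance never changes.
    """
    for _ in range(rounds):
        token.transfer(holder, holder, token.balances[holder])
    return token.balances[holder]


if __name__ == "__main__":
    print("vulnerable:", reproduce(VulnerableToken))   # (200, False)
    print("fixed:     ", reproduce(FixedToken))        # (100, True)
```

The conservation check is the practical takeaway: an attacker needs only a deposit and a self-transfer, so a monitor that compares the sum of balances (or the net of Transfer events) with minted supply after every transaction would have flagged the very first duplicated iToken.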
Platform Risks Cannot Be Ignored
The assets lost in this attack included Ether (ETH), Chainlink (LINK), USDC and DAI, an estimated $8 million in total. Although the platform's insurance fund covered the loss in full, the bZx team's decision to pause the contract, apply an emergency fix and restart it drew criticism from Compound founder Robert Leshner, who wrote:
"Please pause all contract functions until all audits and analysis are thoroughly completed. Don't just brush it off with a 'no big deal'. This is not how you respond to a hack."
If I understand correctly, bZx lost:
$2.6m of $LINK
$1.6m of $ETH
$3.8m of stablecoins
——
$8.0m

Please, please pause operations until this can be re-audited and thoroughly analyzed, instead of saying "no big deal".
This is NOT how you respond to a hack 🚨 https://t.co/CqZltmNt1o
— 🤖 Leshner (@rleshner) September 14, 2020
This incident once again highlights how much user asset security in DeFi protocols matters, and users themselves should not overlook the contract risk of the platforms they use. As Stani Kulechov, founder of the Aave protocol, put it:
"The @bZxHQ incident shows that forking a project is easier than building one from scratch. This code has undergone multiple audits and verifications and took quite some time to go live. Even so, absolute security cannot be guaranteed, and this is something every DeFi user should understand."