Victor Ugochukwu · Dec 14, 2020 . 5min read
DeFi Lending Protocol bZx gets HACKED for the third time
Investigation showed that bZx's initial source code works incorrectly when _from equals _to, which led to losses worth around 4,700 ETH.
By Victor Ugochukwu · Sep 14, 2020 . 6min read
The news that bZx, an open-source lending marketplace, had been hacked for the third time since it went live on Ethereum mainnet hit the crypto space yesterday. This comes barely 7 months after the first and second hacks.
In the latest incident, bZx posted that the loss was due to a bug in the iToken contract code that an attacker exploited to duplicate iTokens, which were then used to siphon funds from the lending protocol. In the tweet, bZx said:
1/ At 3:28 AM EST we began investigating a drop in the protocol TVL. By 6:18 AM EST we confirmed that a duplication incident had occurred with several of the iTokens.
2/ Lending and unlending was temporarily paused. The duplication method has been patched out of the iToken contract code, and the protocol has resumed normal functioning.
More details will follow!
Anton Bukov, co-founder of 1inch.exchange, dug deeper to give an independent assessment of what happened. In a tweet thread, Bukov's investigation showed that bZx's initial source code works incorrectly when _from equals _to. This is the funds duplication that the bZx lending protocol had earlier cited as the cause of the hack. In addition, Bukov says he found 9 exploiting transactions on the $iETH lending token, with 101,778 $iETH tokens duplicated. The total funds lost were around 4,700 ETH, which is $1.7 million at ETH's present rate.
bZx issues an official statement on how its lending protocol was hacked
Hours after bZx alerted its community about the hacking incident, it published an official report on what happened. While the report quells any concerns about the solvency of the lending protocol to cover the losses, it also corroborates Bukov's earlier findings. In summary, the hack was due to a bug in how the _from and _to addresses were handled, which the hacker exploited.
bZx's incident report went further to show how much was added to the insurance fund to ensure no user's funds are affected.
The following debts have been added to the insurance fund:
- 219,199.66 LINK
- 4,502.70 ETH
- 1,756,351.27 USDT
- 1,412,048.48 USDC
- 667,988.62 DAI
Even with heavyweight smart contract security firms like Peckshield and Certik auditing bZx's code, the hacking incidents seem to be unending. In the earlier hack incidents, losses totalling around $954,000 occurred.