DeFi Lending Protocol bZx gets HACKED for the third time

Investigation showed that bZx's original source code behaves incorrectly when _from equals _to, a bug that led to losses worth around 4,700 ETH.

By · Sep 14, 2020 · 6 min read

DeFi protocol bZx hack latest news

The news that bZx, an open-source lending marketplace, had been hacked for the third time since it went live on Ethereum mainnet hit the crypto space yesterday. This is barely 7 months after the first and second hacks.

On the latest incident, bZx posted that it was due to a bug in the iToken contract code, which an attacker exploited to duplicate iTokens that were then used to siphon funds from the lending protocol. In the tweet, bZx said:

1/ At 3:28 AM EST we began investigating a drop in the protocol TVL. By 6:18 AM EST we confirmed that a duplication incident had occurred with several of the iTokens.

2/ Lending and unlending was temporarily paused. The duplication method has been patched out of the iToken contract code, and the protocol has resumed normal functioning. 🙏

More details will follow!

Anton Bukov, co-founder of , decided to dig deeper and give an independent assessment of what happened. In a tweet thread, Bukov showed that bZx's original source code works incorrectly when _from equals _to, which explains the fund duplication bZx had earlier cited as the cause of the hack. Bukov also says he found 9 exploit transactions against the $iETH lending token, with 101,778 $iETH tokens duplicated. The total lost was around 4,700 ETH, about $1.7 million at ETH's present rate.

Hacker’s transactions from Anton Bukov’s independent investigation

bZx issues an official statement on how its lending protocol was hacked

Hours after bZx alerted its community to the hacking incident, it published an official report on what happened. While the report quells any concerns about the protocol's solvency to cover the losses, it also corroborates Bukov's earlier investigation. In summary, the hack was due to a bug in how the transfer logic handles the _from and _to addresses, which the hacker exploited.
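As an added illustration, not code from bZx, Bukov's thread or the incident report: a constructed Python model of the class of bug described above. A transfer routine reads both balances into locals before writing them back; when _from equals _to, the credit is computed from the stale cached balance and overwrites the debit, so a self-transfer creates tokens. The corrected routine re-reads storage after each write, and a total-supply conservation check is included, since a token whose supply grows on a plain transfer is exactly the anomaly a protocol monitor would want to flag. The ledger, addresses and amounts are constructed for the example.

```python
# Constructed model of a cached-balance transfer bug and its fix.
# Not bZx's contract code; a simplified ERC20-style ledger in Python.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Ledger:
    """Token balances keyed by address (stands in for contract storage)."""
    balances: Dict[str, int] = field(default_factory=dict)

    def balance_of(self, addr: str) -> int:
        return self.balances.get(addr, 0)

    def total_supply(self) -> int:
        return sum(self.balances.values())


def vulnerable_transfer(ledger: Ledger, _from: str, _to: str, _value: int) -> None:
    """Buggy pattern: both balances are cached before any write."""
    balance_from = ledger.balance_of(_from)
    balance_to = ledger.balance_of(_to)          # stale if _from == _to
    if _value > balance_from:
        raise ValueError("insufficient balance")
    ledger.balances[_from] = balance_from - _value   # debit written ...
    # ... then the credit is derived from the STALE cached value. When
    # _from == _to this write clobbers the debit: net effect is +_value.
    ledger.balances[_to] = balance_to + _value


def fixed_transfer(ledger: Ledger, _from: str, _to: str, _value: int) -> None:
    """Corrected pattern: read storage again after each write, so a
    self-transfer debits and credits the same up-to-date balance."""
    if _value > ledger.balance_of(_from):
        raise ValueError("insufficient balance")
    ledger.balances[_from] = ledger.balance_of(_from) - _value
    ledger.balances[_to] = ledger.balance_of(_to) + _value


TransferFn = Callable[[Ledger, str, str, int], None]


def supply_after_transfer(transfer: TransferFn, sender: str, receiver: str,
                          amount: int, start: int = 100) -> Tuple[int, int]:
    """Run one transfer on a fresh ledger; return (supply_before, supply_after)."""
    ledger = Ledger({sender: start})
    before = ledger.total_supply()
    transfer(ledger, sender, receiver, amount)
    return before, ledger.total_supply()


def duplication_detected(transfer: TransferFn, sender: str, receiver: str,
                         amount: int) -> bool:
    """Monitoring invariant: a plain transfer must never change total supply."""
    before, after = supply_after_transfer(transfer, sender, receiver, amount)
    return after != before


if __name__ == "__main__":
    # Constructed addresses and amounts.
    print("vulnerable self-transfer:", supply_after_transfer(vulnerable_transfer, "alice", "alice", 100))
    print("fixed self-transfer:     ", supply_after_transfer(fixed_transfer, "alice", "alice", 100))
    print("duplication flagged:", duplication_detected(vulnerable_transfer, "alice", "alice", 100))
```

A normal transfer between two distinct addresses behaves identically under both routines, which is why this class of bug survives ordinary functional tests; only the self-transfer case, or a supply-conservation invariant evaluated after every transfer, exposes it.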

bZx's incident report went further, showing how much was added to the insurance fund to ensure no user's funds are affected.

The following debts have been added to the insurance fund:

  • 219,199.66 LINK
  • 4,502.70 ETH
  • 1,756,351.27 USDT
  • 1,412,048.48 USDC
  • 667,988.62 DAI

Even with heavyweight smart contract security firms like PeckShield and CertiK auditing bZx's code, the hacking incidents seem to be unending. In the two earlier incidents, losses totalling around $954,000 occurred.

Follow Cryptodose for more updates. 