DeFi Protocol bZx Lost $8.1 Million in a Third Attack

4
0
Share:

bZx, a decentralized finance (DeFi) protocol on Ethereum (ETH) network, has recently lost around $8.1 million due to a faulty piece of code in its smart contracts.

The vulnerability in the smart contract code was first noticed by Bitcoin.com lead engineer Marc Thalen who then reported it to the bZx team.

The Most Diverse Audience to Date at FMLS 2020 – Where Finance Meets Innovation

In an official blog, bZx co-founder Kyle Kistner detailed that the flawed code was allowing an attacker to duplicate assets or even increase the balance of the platform’s interest-bearing token, iTokens.

The attacker exploited the bug to mint 219,200 LINK tokens (valued around $2.6 million), 4,503 ETH (valued around $1.6 million), 1,756,351.27 USDT, 1,412,048 USDC, and 667,989 DAI (with a market value of around $680,000).

Suggested articles

ATFX Sponsors Duke of Edinburgh World Cup Final for Third Consecutive YearGo to article >>

The protocol developer paused the minting and burning of iTokens hours after finding the vulnerability and then resumed them following the implementation of a fix that corrected the balances and duplications.

Before reporting, Thalen, himself, exploited the vulnerability by creating a loan with 100 USDC.

Kistner also highlighted that despite the heavy loss, the users of the protocol will be compensated from its insurance fund.

“No funds are at risk,” the official blog highlighted. “Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.”

Is DeFi too nascent to get the hype?

Founded in 2017, bZx developed a DeFi protocol creating an ecosystem of decentralized applications (DApps), including margin trading and lending platform, wallets, and many more.

It was attacked twice in February within days that resulted in a loss of around $945,000.

Kistner also pointed out that two independent audit firms, Peckshield and Certik, failed to identify the recent critical bug.