So called decentralized finance (defi) lending platform Bzx on Sunday lost $8.1 million in a new hacking attack, the third this year, caused by a flawed code in its smart contracts.
The bug allowed the hacker to mint 219,200 LINK tokens (valued at $2.6 million); 4,503 ETH ($1.65 million); 1,756,351 USDT ($1.76 million); 1,412,048 USDC ($1.4 million) and 667,989 DAI (worth $681,000).
Marc Thalen, lead engineer at Bitcoin.com, first discovered the vulnerability in the smart contracts and reported it to Bzx, warning $20 million was at risk.
In a statement, Bzx co-founder Kyle Kistner said that the defective code permitted an attacker to duplicate assets or even increase the balance of the protocol’s interest-bearing token called iTokens.
Bzx noticed the security breach some hours later and immediately halted minting and burning of iTokens. Trading resumed after a fix that corrected the balances and duplications.
Kistner detailed that investor funds faced no risk as they were promptly compensated. He said:
No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.
Thalen exploited the faulty code himself, generating a loan of 100 USDC. “From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD,” he tweeted.
Two audit firms, Peckshield and Certik, failed to pick up the flawed smart contracts code. Peckshield responded, saying: “One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors, we are getting ever closer to the goal of minimizing security risks.”
This is the third time that Bzx has been attacked in 2020. Two separate attacks in February cost the protocol just under $1 million. Founded in 2017, Bzx is a decentralized protocol built on the Ethereum blockchain for lending and trading with margin and leverage.
What do you think about the recurring hacks at Bzx? Let us know in the comments section below.
Image Credits: Shutterstock, Pixabay, Wiki Commons