Decentralized finance (DeFi) protocol bZx was on the receiving end of another security exploit this weekend, after the team confirmed the loss of approximately $8 million worth of cryptocurrencies.
The loss was the result of a bug that allowed the attackers to duplicate several iTokens on the platform before eventually cashing out. The team says it has patched the duplication bug out of the iToken contract code, and the protocol has resumed normal operation.
⚠️ 📢 UPDATE:
1/ At 3:28 AM EST we began investigating a drop in the protocol TVL. By 6:18 AM EST we confirmed that a duplication incident had occurred with several of the iTokens.
— bZx (@bZxHQ) September 13, 2020
1inch.exchange co-founder Anton Bukov spotted the nine transactions in which the attacker duplicated 101,778 iETH tokens (worth 4,761 ETH) and moved them to a new ETH address. The funds had yet to move at the time of reporting.
Additionally, the attackers made off with approximately 219,200 LINK, 1.75M USDT, 1.4M USDC, and 667.9K DAI.
Meanwhile, the team has made affected users whole from its insurance fund, meaning that “the debt will be wiped clean and the protocol will move forward unimpeded.”
The latest exploit may worry onlookers, since it follows two earlier audits of the bZx protocol. As the team stated in a postmortem report, audits are not “silver bullets” that shield a protocol from such incidents.
Security firms PeckShield (which audited the Multi-Collateral DAI (MCD) contracts for MakerDAO) and CertiK had audited the bZx protocol in the wake of other security breaches earlier this year.
BZRX drops 40%
While the team has promised to reimburse affected users, holders of the project’s native token, BZRX, still have to contend with a 40% drop in the token’s value following this week’s incident. At the time of writing, BZRX traded at $0.43, with a market cap of $62.4 million.
Data from DeFi Pulse also shows that some 979.3 ETH (approx. $495,000) remains locked in the protocol, a stark contrast to the start of September, when $2.3 million worth of tokens were locked in.
Security exploits such as the latest on bZx reinforce the recent remarks by Ethereum co-founder Vitalik Buterin that people are underestimating DeFi risks.
In a subsequent update, bZx revealed that it had recovered the stolen funds after tracking down the attacker via on-chain analytics.
Update: This report has been updated to reflect the actual amount the attackers stole in the exploit, and that the funds have since been recovered.