DeFi lending protocol bZx suffered another attack last night, the second in seven months.
This time, faulty code was blamed for an exploit that allowed hackers to duplicate assets, or increase their iTokens balance without the appropriate collateral.
Reports are circulating that hackers stole cryptocurrencies worth $8 million. But Anton Burkov, Co-founder of 1inch Exchange, analyzed the relevant DeFi explorer, removing duplicate items, as well as bZx “admin drainages”, to conclude those reports are greatly exaggerated.
According to Burkov, the amount lost to the duplication exploit is closer to $1.7 million. Further analysis carried out by Burkov pinpointed the exploit to nine transactions on the iETH lending token, worth approximately 4.7k Ethereum in total.
“We found 9 exploiting transactions on $iETH lending token with 101778 $iETH tokens duplicated (worth ~4.7K $ETH) // @DuneAnalytics”
In response to the exploit, bZx issued a statement saying investors are covered by an insurance fund paid for through treasury funds and protocol cashflow.
What’s more, in the statement, bZx spun the incident to demonstrate the soundness of the protocol.
“As we have demonstrated before, the system is capable of absorbing black swan events that would otherwise negatively impact lender assets. Thanks to a protocol design that anticipates and accounts for tail events, this incident is surmountable. The debt will be wiped clean and the protocol will move forward unimpeded.”
However, considering the number of high profile exploits and exits happening in DeFi of late, this latest exploit has done little to legitimize DeFi.
DeFi Hackers Exploit Duplication Bug
A postmortem of what happened shows several failings. Initially, Lead Developer at bitcoin.com, Marc Thalen, raised the alarm by tweeting his discovery of the DeFi duplication exploit.
However, due to time differences, no-one at bZx was able to respond straight away.
In the meantime, Thalen then went on to test the exploit himself. He said that he created a 100 USDC loan from which he was able to claim 200 iUSDC.
“2/4 I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD.“
By the time the bZx team was aware of the problem, the attacker had already drained a substantial amount of DeFi assets.
In response, bZx paused the minting and burning of iTokens as they investigated the claims. The team then applied a patch to the iTokens contracts, correcting duplicate balances at the same time.
Following that, normal activity resumed.
What Next For bZx?
The bZx protocol was attacked in February in a flash lending exploit. Attackers were able to steal $350k by manipulating the Uniswap price feed for wrapped Bitcoin.
However, bZx denies the incident came about as a result of using Uniswap price feeds.
At the time, bZx was ranked as the 7th largest protocol by total value locked (TVL). But following the flash lending exploit, it began slipping down in the DeFi rankings.
Today, defipulse.com ranks bZx as the 37th biggest by TVL, a substantial fall in standing.
In a bid to reassure DeFi investors, bZx Co-founders Tom Bean and Kyle Joseph Kistner will field questions about the incident later tonight.
But the real concern is whether today’s exploit will lead to a further drop in standing.
In terms of token price, BZX is down 30% on the day. However, will the duplication exploit lead to further price declines?
BZX daily chart with volume. (Source: tradingview.com)