bZx protocol suffers a third attack and loses $8 million

Last Updated on 14 September 2020 by CryptoTips.eu

The bZx decentralized finance lending protocol has just suffered a major attack, with losses of around $8 million. It comes seven months after the protocol fell victim to two code flaws in February 2020 that cost it over $950,000.

A flaw in the bZx protocol code

On September 12, 2020, the bZx protocol was hit by a new attack that resulted in a token duplication incident.

It all started when the bZx team noticed unusual movement in the Total Value Locked (TVL) of its protocol. Specifically, the TVL had dropped sharply within a short time, which led the developers to investigate the trend.

They quickly shared the information on Twitter, confirming that a duplication incident had occurred with a couple of the iTokens. These are the protocol's interest-bearing deposit tokens, redeemable 1:1 for the underlying assets deposited in the protocol, so any iToken created without a matching deposit is a direct claim on funds the protocol does not hold.

Lending and withdrawal operations were halted and the iToken contract code was patched, but by then the attackers had already exploited the bug.
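The article does not say what the iToken flaw was, only that tokens were duplicated. As an added illustration that is not bZx's code and does not claim to be its root cause, the Python below models the generic shape of a token-duplication bug in an ERC-20-style transfer: both balances are read into local variables up front and written back afterwards, so when sender and receiver are the same address the stale cached receiver balance overwrites the debit and the account nets +value without any mint. Python stands in for Solidity here because the point is the ledger arithmetic, not the EVM. It also shows the supply-versus-balances invariant a protocol could monitor alongside TVL to catch this class of bug. The account names and amounts are constructed for the example.

```python
"""
Added illustration (not bZx's code): a transfer routine that caches both
balances before writing them mints tokens out of nothing on a self-transfer,
and a supply invariant that flags the duplication. The page does not give
bZx's root cause; this is the generic pattern of a 'token duplication' bug.
"""
from dataclasses import dataclass, field


class InsufficientBalance(Exception):
    pass


@dataclass
class TokenLedger:
    """Minimal ERC-20-style ledger: per-account balances plus a separately
    tracked total supply, as a real token contract keeps in storage."""
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def mint(self, to: str, value: int) -> None:
        # The only legitimate way supply should grow (a deposit of underlying).
        self.balances[to] = self.balances.get(to, 0) + value
        self.total_supply += value

    def transfer_buggy(self, sender: str, to: str, value: int) -> None:
        # Reads both balances up front, then writes both back. When sender == to,
        # the second write uses the stale cached receiver balance and overwrites
        # the debit, so the account nets +value and no mint was recorded.
        balance_from = self.balances.get(sender, 0)
        balance_to = self.balances.get(to, 0)
        if balance_from < value:
            raise InsufficientBalance(sender)
        self.balances[sender] = balance_from - value
        self.balances[to] = balance_to + value

    def transfer_fixed(self, sender: str, to: str, value: int) -> None:
        # Fix: debit first, then re-read the receiver's balance so a self-transfer
        # sees the already-debited value. Rejecting sender == to also works.
        balance_from = self.balances.get(sender, 0)
        if balance_from < value:
            raise InsufficientBalance(sender)
        self.balances[sender] = balance_from - value
        self.balances[to] = self.balances.get(to, 0) + value

    def supply_mismatch(self) -> int:
        """Sum of all balances minus recorded supply. Nonzero means tokens were
        created or destroyed outside mint/burn: the invariant a monitor should alarm on."""
        return sum(self.balances.values()) - self.total_supply


def duplicate_via_self_transfer(ledger: TokenLedger, attacker: str, rounds: int) -> int:
    """Repeat the self-transfer with the full balance; under the buggy path each
    round doubles the attacker's holdings. Returns the final attacker balance."""
    for _ in range(rounds):
        ledger.transfer_buggy(attacker, attacker, ledger.balances[attacker])
    return ledger.balances[attacker]


def run_demo():
    # Constructed sample ledger: an attacker with 100 tokens and a victim with 1,000.
    buggy = TokenLedger()
    buggy.mint("attacker", 100)
    buggy.mint("victim", 1_000)
    duplicated = duplicate_via_self_transfer(buggy, "attacker", 3)  # 100 -> 200 -> 400 -> 800

    fixed = TokenLedger()
    fixed.mint("attacker", 100)
    fixed.transfer_fixed("attacker", "attacker", 100)  # balance stays 100

    return duplicated, buggy.supply_mismatch(), fixed.balances["attacker"], fixed.supply_mismatch()


if __name__ == "__main__":
    dup, mismatch, fixed_bal, fixed_mismatch = run_demo()
    print(f"buggy ledger: attacker holds {dup}, supply mismatch {mismatch}")
    print(f"fixed ledger: attacker holds {fixed_bal}, supply mismatch {fixed_mismatch}")
```

The exponential growth in `duplicate_via_self_transfer` is why a handful of transactions suffices once such a bug is live, and why the `supply_mismatch` check (redeemable tokens exceeding what was ever deposited) is a sharper alarm than watching TVL alone.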

The losses are considerable: the attackers duplicated about $8.1 million worth of tokens, broken down as follows:

  • 219,000 LINK (approximately $2,628,000)
  • 4,503 ETH (approximately $1,637,000)
  • 1,756,000 USDT
  • 1,412,000 USDC
  • 668,000 DAI

As bZx clarified in a second tweet, user funds "are not in danger": the duplicated tokens were covered from the protocol's insurance fund rather than from user deposits.

A project audited by two companies

The bZx protocol had been extensively audited by two security companies, Peckshield and Certik. The Peckshield audit lasted 12 weeks, the same duration as the audit Peckshield carried out for MakerDAO, while the Certik audit represented 7 weeks of work.

Unfortunately, this was not enough to catch the flaw behind this latest incident. The project team attributes the miss to the size of its code base:

Our protocol is the best performing and most functional loan protocol in the industry, which means there is a lot of code to cover. Part of it is that its scope and ambitions make it more difficult to secure than many other projects.

Despite wide criticism of bZx, some key players in the crypto space came to its defense. Notably, Stani Kulechov, founder of the Aave protocol, spoke on Twitter about the residual uncertainty many projects face even after multiple audits.

This incident is a reminder of why code auditing is an important aspect of decentralized finance. Before investing in a protocol, it is strongly recommended that you wait for it to be audited by specialized firms, which provides some assurance, although, as this case shows, an audit reduces risk rather than eliminating it.

Although the bZx team assures that everything is now under control, the crypto community's confidence in the protocol is at an all-time low. This attack is already the third of the year against bZx, and it is hard to trust its ability to provide a truly secure service.

However, given the scale of this attack, it is likely that bZx will take further measures, in particular by having its code re-audited by other firms.