bZx protocol suffers a third attack and loses $8 million
Last Updated on 14 September 2020 by CryptoTips.eu
The bZx decentralized finance lending protocol has just suffered a massive attack, with losses of around $8 million. This comes seven months after it fell victim to two code flaws that cost the protocol over $950,000.
A flaw in the bZx protocol code
On September 12, 2020, the bZx protocol was hit by a new attack that resulted in a token duplication incident.
It all started when the bZx team noticed strange movement in the Total Value Locked (TVL) of its protocol. Specifically, the TVL had dropped drastically within a short time, leading the developers to question the trend.
They quickly shared the information on Twitter, confirming that a duplication incident had occurred with a couple of the iTokens. These tokens correspond 1:1 to the underlying assets deposited in the protocol.
2/ Lending and unlending were temporarily paused. The duplication method has been patched out of the iToken contract code, and the protocol has resumed normal functioning.
— bZx (@bZxHQ) September 13, 2020
More details will follow!
Although lending and withdrawal operations were halted and the iToken contract code was corrected, the attackers still managed to exploit the bug.
The losses are considerable, with the attackers duplicating about $8.1 million worth of tokens. The duplicated tokens break down as follows:
- 219,000 LINK (approximately $2,628,000)
- 4,503 ETH (approximately $1,637,000)
- 1,756,000 USDT
- 1,412,000 USDC
- 668,000 DAI
As bZx clarified in a second tweet, user funds “are not in danger”, with the tokens having been debited from the protocol’s insurance fund and not from user wallets.
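The article does not describe the duplication mechanism itself. As an added illustration (not bZx's iToken code; contract and function names are hypothetical), the minimal ledger below shows one way a token transfer can create balance out of nothing, the corrected form of the same transfer, and the supply invariant a monitor or test suite would check to catch such a duplication.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not bZx's iToken code. Contract and function names are
// hypothetical. Both transfer variants are shown side by side so the difference
// can be read directly; a real token would expose only the fixed one.
contract SelfTransferExample {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // Vulnerable pattern: both new balances are computed from the OLD storage
    // values and written afterwards. When to == msg.sender the second write
    // overwrites the first, so the caller ends up with old balance + value.
    function transferBuggy(address to, uint256 value) external {
        uint256 newFrom = balanceOf[msg.sender] - value; // checked math: reverts if insufficient
        uint256 newTo = balanceOf[to] + value;           // read BEFORE the debit is stored
        balanceOf[msg.sender] = newFrom;
        balanceOf[to] = newTo;                           // to == msg.sender: the debit is lost
    }

    // Fixed pattern: the debit is written to storage before the credit is read,
    // so a self-transfer is a no-op and balances can never exceed totalSupply.
    function transferFixed(address to, uint256 value) external {
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
    }

    // Invariant to assert after every transfer: the sum of balances over all
    // known holders must equal totalSupply. Any excess is balance minted from
    // nothing, which is the signature of a duplication.
    function excessSupply(address[] calldata holders) external view returns (uint256) {
        uint256 sum;
        for (uint256 i = 0; i < holders.length; i++) {
            sum += balanceOf[holders[i]];
        }
        return sum > totalSupply ? sum - totalSupply : 0;
    }
}
```

With an initial supply of 1000 held by one address, `transferBuggy(holder, 1000)` called by that holder leaves its balance at 2000 while `totalSupply` stays 1000, so `excessSupply([holder])` returns 1000; `transferFixed(holder, 1000)` leaves both unchanged and the excess at 0.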
A project audited by two companies
The bZx protocol had been extensively audited by two security companies, PeckShield and CertiK. The PeckShield audit lasted 12 weeks, the same duration as the audit carried out for MakerDAO, while the CertiK audit represented 7 weeks of work.
Unfortunately, this was not enough to catch this latest flaw in the bZx protocol. The project team attributes the flaw to the size of its code base:
Our protocol is the best performing and most functional loan protocol in the industry, which means there is a lot of code to cover. Part of it is its scope and ambitions that make it more difficult to secure than many other projects.
Despite wide criticism of bZx, some key players in the crypto space came to its defense, notably Stani Kulechov, founder of the Aave protocol, who spoke on Twitter about the uncertainty many projects face despite multiple checks.
@bZxHQ incident recently showed that it's easier forked than done. They had multiple audits, formal verification and took substantial time before coming back to main-net and yet all the diligence does not guarantee safety. Something that every DeFi user should understand.
— stani.eth (@StaniKulechov) September 13, 2020
This incident is a reminder of why code auditing is an important aspect of decentralized finance. Before investing in a protocol, it is strongly recommended that you wait for it to be audited by specialized companies, which provides a measure of security.
Although the bZx team assures users that everything is now under control, the crypto community's confidence in the protocol is at an all-time low. This attack is already the third of the year against bZx, and it is hard to trust its ability to provide a truly secure service.
However, given the scale of this attack, it is possible that bZx will take measures to address this flaw, in particular by having its code re-audited by other companies.