DeFi Lender bZx Loses $8M in Third Attack This Year

DeFi Lender bZx Loses $8M in Third Attack This Year

September 14, 2020

Decentralized finance (DeFi) protocol bZx has fallen victim to yet another attack after a bug in its code allowed someone to mint tokens they redeemed for cryptocurrencies on the protocol.

  • Co-founder Kyle Kistner told CoinDesk they noticed something was wrong on Sunday when a single LINK withdrawal led to a $2.6 million drop in the protocol’s total value locked (TVL).
  • The attack basically centered around the protocol’s interest-earning iToken that users receive and redeem for crypto deposited into lending pools.
  • Kistner said the attacker exploited a bug that tricked bZx into minting unbacked iTokens they subsequently exchanged for cryptocurrencies held in the pools.
  • Per an incident report Sunday, the attacker managed to steal just under 220,000 LINK tokens, 4,507 ETH, 1.76 million USDT, 1.4 million USDC and 670,000 DAI.
  • At current spot prices, this works out as a loss of just over $8 million.
  • That’s much more than the $630,000 and $350,000 hacks the protocol suffered in February, which both manipulated oracle price feeds in order to pay back bZx loans for far less than the actual amount.
  • bZx paused the protocol in the aftermath of Sunday’s attack so the bug could be patched, but resumed operations hours later.
  • Kistner said the decision was taken in consultation with security experts, who had not instructed them to shut down for any longer.
  • He added that the $8 million lost had already been debited by the protocol’s insurance fund and will be paid out once the bZx community had ratified it.
  • The bug managed to remain undetected in two extensive code audits from cybersecurity firms Certik and Peckshield
  • Kistner declined to comment on the identity of the hacker.

See also: DeFi Project dForce Refunds All Affected Users After $25M Hack

Subscribe to First Mover, our daily newsletter about markets.

Source: Read Full Article