Connect with us
Active Currencies 14771
Market Cap $2,537,436,863,931.80
Bitcoin Share 51.45%
24h Market Cap Change $-0.95

bZx hacked again as Duplication bug costs protocol $8M in user deposits

2min Read

Share this article

Decentralized Finance “lending” protocol, bZx, is not having a good year. Seven months after bZx was hit by two major hacks that saw the protocol lose over $954K, it is in the headlines again after yet another bug was exploited. This time, the losses have been as high as over $8M in user deposits or 30% of bZX’s Total Value Locked.

In fact, the sharp drop in TVL was what first caught the attention of bZx’s developers, with a tweet going on to say that, “we confirmed that a duplication incident had occurred with several of the iTokens.” While lending and unlending were soon paused and the iToken contract code patched up, the hackers in question were able to exploit the said bug for the aforementioned amount.

bZx soon followed up these updates with a post-mortem report of its own, claiming that the duplication bug in question was patched up soon after it was audited by Peckshield and Certik, two very prominent security firms. It should be noted, however, that bZx was quick to clarify that,

Interestingly, according to Marc Thelan, Lead Engineer at, the team behind bZx may have been slow to tackle the issue at hand. Thelan claimed,

By the time the rest of the team was up and the info was passed on, he said, “the attacker I noticed had drained substantial amounts of Dai and USDC.” According to the developer, “the complete pool could have been drained if the attacker had a bit more time.”

The incident, once again, raises the question of how safe user assets are on DeFi protocols. However, despite the bad press, many were quick to come to bZx’s defense. According to Aave Protocol Founder Stani Kulechov,

“@bZxHQ incident recently showed that it’s easier forked than done. They had multiple audits, formal verification and took substantial time before coming back to main-net and yet all the diligence does not guarantee safety. Something that every DeFi user should understand.”

Another user commended bZx’s transparency, tweeting,

“I really respect that.
Another hack, but another refund.
Innovation can be costly sometimes, but the team stands strong and protects consumers.
Some will say “that’s DeFi, get rekted”. Not bZx.”


Jibin is Editor-in-Chief at AMBCrypto. With over three years of experience as a political writer, he primarily focuses on the political impact of crypto developments. A graduate in Law and International Relations, his writing is by and large focused on cryptocurrencies from the political and financial perspective. A Liverpool FC fan. YNWA
Read the best crypto stories of the day in less than 5 minutes
Subscribe to get it daily in your inbox.
Please check the format of your first name and/or email address.

Thank you for subscribing to Unhashed.