bZx hacked again as Duplication bug costs protocol $8M in user deposits

Decentralized Finance “lending” protocol, bZx, is not having a good year. Seven months after bZx was hit by two major hacks that saw the protocol lose over $954K, it is in the headlines again after yet another bug was exploited. This time, the losses have been as high as over $8M in user deposits or 30% of bZX’s Total Value Locked.

In fact, the sharp drop in TVL was what first caught the attention of bZx’s developers, with a tweet going on to say that, “we confirmed that a duplication incident had occurred with several of the iTokens.” While lending and unlending were soon paused and the iToken contract code patched up, the hackers in question were able to exploit the said bug for the aforementioned amount.

bZx soon followed up these updates with a post-mortem report of its own, claiming that the duplication bug in question was patched up soon after it was audited by Peckshield and Certik, two very prominent security firms. It should be noted, however, that bZx was quick to clarify that,

> No funds are currently at risk. <

Those funds outlined have been debited against our insurance fund. Nobody currently using the protocol is in danger.

— bZx (@bZxHQ) September 13, 2020

Interestingly, according to Marc Thelan, Lead Engineer at Bitcoin.com, the team behind bZx may have been slow to tackle the issue at hand. Thelan claimed,

1/4 Last night I found an exploit in BRZX. I noticed that a user were capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu

— Marc Thalen (@MarcThalen) September 14, 2020

By the time the rest of the team was up and the info was passed on, he said, “the attacker I noticed had drained substantial amounts of Dai and USDC.” According to the developer, “the complete pool could have been drained if the attacker had a bit more time.”

The incident, once again, raises the question of how safe user assets are on DeFi protocols. However, despite the bad press, many were quick to come to bZx’s defense. According to Aave Protocol Founder Stani Kulechov,

“@bZxHQ incident recently showed that it’s easier forked than done. They had multiple audits, formal verification and took substantial time before coming back to main-net and yet all the diligence does not guarantee safety. Something that every DeFi user should understand.”

Another user commended bZx’s transparency, tweeting,

“I really respect that.
Another hack, but another refund.
Innovation can be costly sometimes, but the team stands strong and protects consumers.
Some will say “that’s DeFi, get rekted”. Not bZx.”