QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$8 100 000 USD
SEPTEMBER 2020
GLOBAL
BZX
DESCRIPTION OF EVENTS

"In yet another jolt to the decentralized finance (DeFi) community, margin- and leverage-based lending and trading platform bZx became the target of another hack. In the hack, which was much bigger than the previous attacks, hackers made away with $8 million worth of cryptocurrencies."
"This time hackers drained a little over $8 million worth of cryptocurrencies leveraging a duplication bug that enabled them to make away with 219,199.66 LINK, 4,502.70 ETH, 1,756,351.27 USDT, 1,412,048.48 USDC, 667,988.62 DAI."
"On delving deeper, bZx’s official incident report reveals that a loophole in the ‘transferFrom() function’ that enables the transfer of ERC20 tokens from one protocol to the other was leveraged by hackers."
"It was possible to call this function to create and transfer an iToken to yourself, allowing you to artificially increase your balance."
"Two audit firms, Peckshield and Certik, failed to pick up the flawed smart contracts code. Peckshield responded, saying: “One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors, we are getting ever closer to the goal of minimizing security risks.”"
"bZx officially tweeted that at 3:28 am Eastern time (15:30, September 13th, Beijing time), we began to study the decline in TVL of the agreement. By 6:18 AM EST (18:30, September 13th, Beijing time), we confirmed that several iTokens had repeated incidents. Lending is temporarily suspended. The duplicate method has been patched from the iToken contract code, and the agreement has resumed normal operation. According to the information of the founder of Compound, there are a total of US$2.6 million in LINK, US$1.6 million in ETH, and US$3.8 million in stablecoins, with a total of US$8 million in assets affected. 1inch co-founder Anton Bukov tweeted that the attacker had stolen about 4,700 ETH in this incident and attached the address of the stolen funds. In response, bZx said that the funds are currently not at risk. The funds listed have been deducted from our insurance fund. On September 16, bZx released an iToken repeat incident report, and the attacker has returned all funds."
"bZx noticed the security breach some hours later and immediately halted minting and burning of iTokens. Trading resumed after a fix that corrected the balances and duplications."
"No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows."
"Past experience led bZx to create an insurance fund to cover for these “black swan events,” and the stolen coins were thus debited on the fund, which receives 10% of the protocol’s revenue through interest rates."
"The bZx team told Cointelegraph that the hacker returned the money..., saying, “The attacker was tracked and identified due to their on-chain activity, he came forward shortly after this and returned the funds stolen.”"
The bZx protocol has now been hacked 3 times. The previous 2 times were in February 2020.
In this case, no funds were ultimately lost as the hacker returned the funds.
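The quoted incident description says a self-transfer through transferFrom() let a caller inflate their own iToken balance. The following is an added example, not bZx's code: a minimal token ledger that models that failure and the corrected update, with a supply-conservation check a reviewer or monitor could apply. It assumes the defect behaves as a transferFrom() that reads both balances into local variables before writing them back, so that when sender and receiver are the same account the credit overwrites the debit.

```python
# Added example (not bZx's code). ASSUMPTION: the duplication is modelled as
# cached-balance writes, so a transfer to yourself nets +amount.

class VulnerableToken:
    """Caches both balances before writing: a self-transfer mints tokens."""

    def __init__(self, balances):
        self.balances = dict(balances)   # constructed sample ledger
        self.allowance = {}              # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def _check(self, spender, src, amount):
        if self.allowance.get((src, spender), 0) < amount:
            raise ValueError("insufficient allowance")
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowance[(src, spender)] -= amount

    def transfer_from(self, spender, src, dst, amount):
        self._check(spender, src, amount)
        src_bal = self.balances.get(src, 0)   # cached before any write
        dst_bal = self.balances.get(dst, 0)   # cached before any write
        self.balances[src] = src_bal - amount
        # When src == dst, this write discards the debit above.
        self.balances[dst] = dst_bal + amount


class FixedToken(VulnerableToken):
    """Read-modify-write each balance in place, so src == dst nets zero."""

    def transfer_from(self, spender, src, dst, amount):
        self._check(spender, src, amount)
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def total_supply(token):
    """Invariant a monitor can check: transfers must never change this."""
    return sum(token.balances.values())


def self_transfer_delta(token_cls, start=100, amount=100):
    """Return how much a self-transfer changed total supply for token_cls."""
    t = token_cls({"alice": start})
    t.approve("alice", "alice", amount)
    before = total_supply(t)
    t.transfer_from("alice", "alice", "alice", amount)
    return total_supply(t) - before
```

Repeating the self-transfer on the vulnerable ledger doubles the balance each time, which is why a supply-conservation invariant on mint/burn and transfer events is a cheap detection for this class of bug.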
HOW COULD THIS HAVE BEEN PREVENTED?
In general, storing the majority of funds in a hot wallet (here, the protocol's smart contract) is not a good idea. More secure forms of storage exist, in particular cold storage that requires multiple signatures from reputable, trained individuals before funds can be moved.
DeFi Protocol bZx Hacked Again: $8 Million Worth of ETH, LINK, Stablecoins Drained (Updated) (Sep 13)
Defi Protocol Bzx Loses $8.1 Million in Third Hack This Year | News Bitcoin News (Sep 13)
DeFi platform bZX sees new $8M hack from one misplaced line of code (Sep 13)
SlowMist Hacked - SlowMist Zone (May 17)
Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 21)
bZx Recovers $8.1M Lost in Third Exploit | Crypto Briefing (Jun 26)
