$8,100,000 USD

SEPTEMBER 2020

GLOBAL

BZX

DESCRIPTION OF EVENTS

"In yet another jolt to the decentralized finance (DeFi) community, margin, and leverage-based lending and trading platform, bZx became the target of another hack. In the hack, which was much bigger than the previous attacks, hackers made away with $8 million worth of cryptocurrencies."

"This time hackers drained a little more over $8 million worth of cryptocurrencies leveraging a duplication bug that enabled them to make away with 219,199.66 LINK, 4,502.70 ETH, 1,756,351.27 USDT, 1,412,048.48 USDC, 667,988.62 DAI."

"On delving deeper, bZx’s official incident report reveals that a loophole in the ‘transferFrom() function’ that enables the transfer of ERC20 tokens from one protocol to the other was leveraged by hackers."

"It was possible to call this function to create and transfer an iToken to yourself, allowing you to artificially increase your balance."

"Two audit firms, Peckshield and Certik, failed to pick up the flawed smart contracts code. Peckshield responded, saying: “One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors, we are getting ever closer to the goal of minimizing security risks.”"
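The self-transfer flaw described in the incident report, as an added illustration that is not bZx's contract code: a toy Python ledger with an assumed read-then-write transfer (the bug pattern is a reconstruction; the page only states that transferring an iToken to yourself inflated the balance), a corrected variant, and the total-supply invariant a monitor or test suite could use to catch such duplication.

```python
from collections import defaultdict


class Ledger:
    """Toy ERC20-style token ledger (constructed example, not bZx's iToken code)."""

    def __init__(self):
        self.balances = defaultdict(int)
        self.total_supply = 0

    def mint(self, account, amount):
        self.balances[account] += amount
        self.total_supply += amount

    def transfer_vulnerable(self, sender, recipient, amount):
        # Assumed bug pattern: both balances are snapshotted before either is
        # written, so when sender == recipient the credit overwrites the debit.
        if self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        new_sender_balance = self.balances[sender] - amount
        new_recipient_balance = self.balances[recipient] + amount
        self.balances[sender] = new_sender_balance
        self.balances[recipient] = new_recipient_balance  # clobbers the debit on self-transfer

    def transfer_fixed(self, sender, recipient, amount):
        # Debit first, then credit, reading the live value each time, so a
        # self-transfer leaves the balance unchanged.
        if self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] += amount

    def conserved(self):
        # Invariant to check after every transfer: transfers must never change
        # the sum of all balances. A violation means tokens were duplicated.
        return sum(self.balances.values()) == self.total_supply


def demo(transfer_name):
    """Run a self-transfer through the named variant; return (balance, invariant holds)."""
    ledger = Ledger()
    ledger.mint("alice", 100)
    getattr(ledger, transfer_name)("alice", "alice", 100)
    return ledger.balances["alice"], ledger.conserved()


if __name__ == "__main__":
    print("vulnerable:", demo("transfer_vulnerable"))  # (200, False)
    print("fixed:     ", demo("transfer_fixed"))       # (100, True)
```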


"bZx officially tweeted that at 3:28 am Eastern time (15:30, September 13th, Beijing time), we began to study the decline in TVL of the agreement. By 6:18 AM EST (18:30, September 13th, Beijing time), we confirmed that several iTokens had repeated incidents. Lending is temporarily suspended. The duplicate method has been patched from the iToken contract code, and the agreement has resumed normal operation. According to the information of the founder of Compound, there are a total of US$2.6 million in LINK, US$1.6 million in ETH, and US$3.8 million in stablecoins, with a total of US$8 million in assets affected. 1inch co-founder Anton Bukov tweeted that the attacker had stolen about 4,700 ETH in this incident and attached the address of the stolen funds. In response, bZx said that the funds are currently not at risk. The funds listed have been deducted from our insurance fund. On September 16, bZx released an iToken repeat incident report, and the attacker has returned all funds."


"Bzx noticed the security breach some hours later and immediately halted minting and burning of iTokens. Trading resumed after a fix that corrected the balances and duplications."

"No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows."

"Past experience led bZX to create an insurance fund to cover for these “black swan events,” and the stolen coins were thus debited on the fund, which receives 10% of the protocol’s revenue through interest rates."

"The bZX team told Cointelegraph that the hacker returned the money..., saying, “The attacker was tracked and identified due to their on-chain activity, he came forward shortly after this and returned the funds stolen.”"

The bZx protocol has now been hacked 3 times. The previous 2 times were in February 2020.


In this case, no funds were ultimately lost as the hacker returned the funds.

HOW COULD THIS HAVE BEEN PREVENTED?

In general, storing the majority of funds in a hot wallet (here, a smart contract) is not a good idea. More secure forms of storage exist, particularly cold storage that requires multiple signatures from reputable, trained individuals before any funds can be removed.

© 2021 Quadriga Initiative.