- bZx, a DeFi lending protocol, was attacked once again last night and lost $8 million due to faulty code.
- Kyle Kistner, the bZx co-founder, told The Block that “it’s difficult to say” how this “critical” bug went unidentified by the protocol’s two audit firms Peckshield and Certik.
Decentralized Finance (DeFi) Lending protocol bZx was attacked once again last night and lost a little over $8 million due to a faulty code in its smart contracts.
The flawed code allowed the hacker to duplicate assets or grow their balance of iTokens (interest-bearing tokens of bZx). After discovering the bug, Hours bZx ceased minting and burning of iTokens and then unpaused it after fixing that fixed balances for duplications.
The bug enabled the hacker to mint 219,200 LINK tokens (around $2.6 million); 4,503 ETH (~$1.6 million); 1,756,351 USDT (~$1.7 million); 1,412,048 USDC (~$1.4 million) and 667,989 DAI (~$680,000). That is $8.1 million in total. bZx said no user funds are in danger as its insurance fund is covering the loss.
The lead engineer at Bitcoin.com, Marc Thalen, claims to have originally identified the bug. He declared more than $20 million of bZx funds were at risk. Thalen himself tried the exploit out and created a loan using USDC (100 USD).
bZx co-founder Kyle Kistner told The Block that “it’s difficult to say” how this “critical” bug went unknown by the protocol’s two audit firms Peckshield and Certik. The firms are providing internal root cause analyses, said Kistner.
Some industry experts want bZx to halt operations and re-audit its protocol. However, Kistner told The Block that bZx security auditors “did not recommend such a course of action.”
Thalen is anticipating a bug bounty from bZx. Kistner told The Block that he would be receiving a bounty of $12,500 — the average of what three panelists suggested, as Thalen reported, “an ongoing incident that we had already been investigating.”
This is the third time bZx has been hit this year. In February, the protocol lost about $945,000 in two attacks.
The newest attack has succeeded in a sharp 70% decline in bZx’s total value locked (TVL) to just about $6.3 million. Kistner told The Block that “things change very quickly in this [DeFi] space,” referring to a possible upswing.
Meanwhile, bZx plans to strengthen users’ trust amid attacks, Kistner told The Block:
“We want to create products and incentive structures so attractive that users are essentially forced to use us regardless of how they feel about our brand.”