DeFi protocol bZx suffers $8 million hack, customer funds safe

Blockchain protocol bZx suffered a hack early Monday, with hackers making off with almost $8 million in various cryptocurrencies before the vulnerability was patched.

bZx hit thrice

bZx is a decentralized margin lending protocol and liquidation oracle marketplace on the Ethereum blockchain. Its protocol allows users to deploy smart contracts atop Ethereum to lend and margin trade without relying on third parties.

But security concerns have hit the project hard…thrice. Earlier this year, the protocol was compromised twice in the space of a week by malicious actors who captured nearly $1 million in illicit funds. At the time, the firm promised to install more vigorous security services on its platform to avoid such a hack again.

And while there had been no further untoward incident since then, a "duplication" vulnerability earlier today cost the protocol millions of dollars in various cryptocurrencies.

bZx said in a blog post, "Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows."

It added that bZx's risk management system is capable of "absorbing black swan events that would otherwise negatively impact lender assets." With that, the $8 million vulnerability would be "wiped clean" and the protocol will move forward unimpeded.

Here's what allowed the hack: every ERC20 token has a transferFrom() function that is responsible for transferring tokens. In the bZx case, hackers found that calling this function to transfer an iToken to their own address duplicated the tokens, allowing them to artificially increase their balance.
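To make the defect class concrete, here is an added illustration (not bZx's iToken contract or any code from the project): a minimal in-memory ERC20-style ledger whose transfer logic reads both balances before writing either, so a transfer where sender and recipient are the same address credits the recipient without keeping the debit. It sits beside a corrected version and a supply-conservation check of the kind a monitoring job can run to catch "strange movement" in token totals. Account names and balances are constructed sample values.

```python
from typing import Dict


class VulnerableLedger:
    """Models the bug class: both balances are read up front, then written.

    When src == dst, the cached recipient balance is stale, and the second
    write overwrites the debit, so the caller's balance grows by `value`.
    (Illustrative model, not the real contract code.)
    """

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)

    def transfer_from(self, src: str, dst: str, value: int) -> None:
        bal_from = self.balances.get(src, 0)
        bal_to = self.balances.get(dst, 0)  # stale if src == dst
        if bal_from < value:
            raise ValueError("insufficient balance")
        self.balances[src] = bal_from - value
        self.balances[dst] = bal_to + value  # clobbers the debit when src == dst


class FixedLedger(VulnerableLedger):
    """Hardened form: apply the debit first, then read the credit side fresh.

    A self-transfer is now a no-op, as it should be.
    """

    def transfer_from(self, src: str, dst: str, value: int) -> None:
        if self.balances.get(src, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balances[src] - value
        self.balances[dst] = self.balances.get(dst, 0) + value


def supply_is_conserved(ledger: VulnerableLedger, expected_total: int) -> bool:
    """Invariant a monitor can check: sum of balances must equal total supply.

    A transfer never changes total supply, so any drift signals duplication.
    """
    return sum(ledger.balances.values()) == expected_total


def demo():
    start = {"alice": 100, "bob": 50}  # constructed sample balances
    total_supply = sum(start.values())  # 150

    vuln = VulnerableLedger(start)
    vuln.transfer_from("alice", "alice", 100)  # self-transfer of full balance

    fixed = FixedLedger(start)
    fixed.transfer_from("alice", "alice", 100)

    return (
        vuln.balances["alice"],
        supply_is_conserved(vuln, total_supply),
        fixed.balances["alice"],
        supply_is_conserved(fixed, total_supply),
    )


if __name__ == "__main__":
    vuln_alice, vuln_ok, fixed_alice, fixed_ok = demo()
    print(f"vulnerable: alice={vuln_alice}, supply conserved={vuln_ok}")
    print(f"fixed:      alice={fixed_alice}, supply conserved={fixed_ok}")
```

The supply-conservation check is the cheap invariant worth wiring into monitoring: a single self-transfer in the vulnerable ledger doubles the caller's balance and pushes the sum of balances above total supply, which is exactly the kind of anomaly that shows up as unexplained movement in protocol TVL.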

The following then occurred:

  1. The team noticed a strange movement in the protocol TVL.
  2. The team identified anomalous behavior in the _internalTransferFrom() function on the iToken contract.
  3. Minting and burning of iTokens were paused while the fix was identified.
  4. Borrowing and trading were not impacted.
  5. A new version of the affected iToken contracts was deployed with the balances corrected for duplications.
  6. The patched code was sent to Peckshield and Certik for review.
  7. Minting and burning of iTokens were unpaused.

Patched and all funds safe

bZx was quick to handle the issue and used a backdoor admin access system to stop hackers from stealing more funds. A patched version of the source code was later sent to two blockchain security firms, Certik and Peckshield, who approved the changes.

In terms of covering losses, a collection of affected crypto funds, such as Chainlink, Ethereum, and Tether, were added to the insurance fund, said bZx.

No customer funds were affected or lost during the breach.
