DeFi bug results in loss of $8m in Ethereum, Chainlink, and stablecoins
Decentralized finance has undoubtedly grown exponentially over the past few months, with the value of DeFi coins and the value of cryptocurrency locked in these contracts simultaneously going parabolic.
What’s crazy is that DeFi went months without a hack or a major bug that resulted in a loss of user funds, despite a strong uptick in users, capital in the space, and the sheer number of protocols.
There was the infamous Yam bug, of course, but that was a small-scale bump of $500,000-750,000 in a multi-billion-dollar industry.
On Sunday, Sep. 13, the latest major DeFi bug/hack took place with bZx protocol, a money-market and on-chain trading platform based on Ethereum.
$8m in Ethereum, Chainlink, and stablecoins lost due to bug in bZx Protocol
On the morning of Sep. 13, users and bZx itself took to Twitter to warn DeFi users that something was up with the protocol. At the time, the team behind the Ethereum-based project asserted that no user funds were lost in the then-mysterious attack.
Some were still worried, though, as some analysts noted that millions worth of coins like Ethereum, Chainlink, and stablecoins were withdrawn to an Externally Owned Account — an account that isn’t a smart contract, seemingly owned by someone outside the protocol it was interacting with.
Hours later, project co-founder Kyle Kistner released a post-mortem of what happened.
To put it simply, there was a bug that allowed users to duplicate iTokens, interest-bearing assets native to the bZx Protocol:
“Every ERC20 token has a transferFrom() function that is responsible for transferring tokens. It was possible to call this function to create and transfer an iToken to yourself, allowing you to artificially increase your balance.”
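As an added illustration (not bZx’s code), the toy ledger below models how a transferFrom() that reads both balances before writing them lets a self-transfer inflate a balance, alongside the corrected ordering and a supply-conservation check that flags the inflation; the cached-balance write order is an assumed mechanism, not the post-mortem’s stated root cause.

```python
# Added example, not bZx code: toy ERC20-style ledger showing how a
# transferFrom() that caches both balances before writing lets a
# self-transfer mint tokens (assumed mechanism, not the stated cause).

class ToyToken:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.allowance = {}  # (owner, spender) -> amount approved

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def _spend_allowance(self, owner, spender, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount:
            raise ValueError("insufficient allowance")
        self.allowance[(owner, spender)] = allowed - amount

    def transfer_from_buggy(self, spender, src, dst, amount):
        """Cache both balances, then write both. When src == dst the credit
        overwrites the debit, so the holder ends up with balance + amount."""
        self._spend_allowance(src, spender, amount)
        src_bal = self.balances.get(src, 0)
        dst_bal = self.balances.get(dst, 0)
        if src_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = src_bal - amount
        self.balances[dst] = dst_bal + amount  # src == dst: src_bal + amount

    def transfer_from_fixed(self, spender, src, dst, amount):
        """Debit and credit against live storage; a self-transfer is a no-op."""
        self._spend_allowance(src, spender, amount)
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def supply_is_conserved(self):
        """Monitoring invariant: sum of balances must equal total supply."""
        return sum(self.balances.values()) == self.total_supply


def demo(fixed):
    """Constructed scenario: alice self-transfers her whole balance."""
    t = ToyToken({"alice": 100, "bob": 50})
    t.approve("alice", "alice", 100)
    fn = t.transfer_from_fixed if fixed else t.transfer_from_buggy
    fn("alice", "alice", "alice", 100)
    return t.balances["alice"], t.supply_is_conserved()
```

The conservation check is the kind of invariant an off-chain monitor can evaluate after every block, which would have flagged the inflated supply on the first duplicate transfer.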
Apparently, one attacker used this bug to drain 219,199 LINK, 4,502 ETH, and around $4 million worth of stablecoins over a number of hours. This amounts to a loss of around $8 million.
Marc Thalen, the lead engineer at Bitcoin.com, reports having helped the team identify the issue. Thalen is purportedly being awarded $12,500 for his efforts in helping to patch the bug.
1/4 Last night I found an exploit in bZx. I noticed that a user was capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.
— Marc Thalen (@MarcThalen) September 14, 2020
The team will be backstopping users of the protocol with an insurance fund, which will ensure that no users will end up with fewer funds than they had before the attack.
Funds returned?
Although any losses will be recovered by bZx’s insurance fund, it was just revealed that the “missing funds are now restored.”
This suggests that the funds stolen by the attacker may have been returned to the bZx team.
UPDATE:
We are relieved to announce that the missing funds are now restored. More information will follow.
Stay tuned!
— bZx (@bZxHQ) September 14, 2020
It is not entirely clear why this is the case, but as with the dForce hack, it may be that users managed to figure out who the attacker was and then threatened to call law enforcement if the funds were not returned in time. (There are rumors that the account used in the hack is directly linked to a Binance account, which would reduce its pseudonymity dramatically.)
It could also be that the attacker was a “white-hat” hacker who temporarily took the funds to warn the team, then returned the cryptocurrency as a gesture of goodwill.