DeFi protocol bZx suffers $8 million hack, customer funds safe
Blockchain protocol bZx suffered a hack early Monday, with hackers making away with almost $8 million in various cryptocurrencies before the vulnerability was patched.
bZx hit thrice
bZx is a decentralized margin lending protocol & liquidation oracle marketplace on the Ethereum blockchain. Its protocol allows users to deploy smart contracts atop Ethereum to lend and margin trade without relying on third parties.
But security concerns have hit the project hard…thrice. Earlier this year, the protocol was compromised by malicious actors twice in the space of a week who managed to capture nearly $1 million in illicit funds. At the time, the firm promised to install more vigorous security services on its platform to avoid such a hack again.
And while there wasn’t any untoward incident so far, a “duplication” vulnerability earlier today cost the protocol millions of dollars in various cryptocurrencies.
bZx said in a blog post, “Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.”
The official iToken duplication incident report is out.
Read more here ?https://t.co/Cq3O9UXgUF
— bZx (@bZxHQ) September 14, 2020
It added that bZx’s risk management system is capable of “absorbing black swan events that would otherwise negatively impact lender assets.” With that, the $8 million vulnerability would be “wiped clean” and the protocol will move forward unimpeded.
In total @bZxHQ "admin" was lucky to drain 5 different wallets with 7 transactions in 7 different pools: pic.twitter.com/8xDx6EUMmQ
— Anton Bukov | k06a.eth (@k06a) September 13, 2020
Here’s what allowed the hack: Every ERC20 token has a transferFrom() function that is responsible for transferring tokens. In the bZx case, hackers found that it was possible to call this function to create and transfer an iToken to yourself, allowing them to artificially increase their balance.
The following then occurred:
- The team noticed a strange movement in the protocol TVL.
- Identified anomalous behavior with the _internalTransferFrom() function on the iToken contract.
- Minting and burning of iTokens was paused as the fix was identified.
- Borrowing and trading was not impacted.
- A new version of the affected iToken contracts were deployed with the balances corrected for duplications.
- The patched code was sent to Peckshield and Certik for review.
- Minting and burning of iTokens were unpaused.
Patched and all funds safe
bZx was quick to handle the issue and used a backdoor admin access system to stop hackers from steaking more funds. A patched version of the source code was later sent to two blockchain security firms, Certik and Peckshield, who approved the changes.
Wow! The impact of the hack could have been much more dramatic. Seems like @bZxHQ team saved substantial amount by deploying a backdoored version to drain attacker's wallets. https://t.co/jGkygMz8wo pic.twitter.com/DB10PBCBWu
— Roman Storm (@rstormsf) September 13, 2020
In terms of covering losses, a collection of affected crypto funds, such as Chainlink, Ethereum, and Tether, were added to the insurance fund, said bZx.
2/2 One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors, we are getting ever closer to the goal of minimizing security risks.
— PeckShield Inc. (@peckshield) September 13, 2020
No customer funds were affected or lost during the breach.