bZx, a decentralized finance (DeFi) protocol on the Ethereum (ETH) network, has recently lost around $8.1 million due to a faulty piece of code in its smart contracts.
The vulnerability in the smart contract code was first noticed by Bitcoin.com lead engineer Marc Thalen, who then reported it to the bZx team.
1/4 Last night I found an exploit in BRZX. I noticed that a user was capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up... pic.twitter.com/MdJqOH2IPu
— Marc Thalen (@MarcThalen) September 14, 2020
In an official blog post, bZx co-founder Kyle Kistner explained that the flawed code allowed an attacker to duplicate assets or otherwise inflate the balance of the platform’s interest-bearing token, iTokens.
The attacker exploited the bug to mint 219,200 LINK tokens (valued around $2.6 million), 4,503 ETH (valued around $1.6 million), 1,756,351.27 USDT, 1,412,048 USDC, and 667,989 DAI (with a market value of around $680,000).
The protocol’s developers paused the minting and burning of iTokens hours after the vulnerability was found, and resumed them once a fix that corrected the balances and removed the duplicated tokens had been deployed.
Before reporting the bug, Thalen himself exploited the vulnerability by creating a loan with 100 USDC.
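The article describes the flaw only as balance duplication. As an added example that is not bZx’s code, the following Python model of an iToken-style ledger shows a self-transfer double-counting bug (this example’s assumed root cause, not something the article states) next to the corrected transfer, together with the supply-conservation invariant check that a test suite or monitor would use to detect any such duplication: the sum of all balances must always equal the total supply. The account names and the operation sequence are constructed sample data.

```python
"""Ledger model with a self-transfer double-counting bug beside the fixed
version, plus a supply-conservation invariant check that flags duplication.

Added example, not bZx code. The self-transfer root cause is this
example's assumption; the article only states that iToken balances could
be duplicated or inflated.
"""
from dataclasses import dataclass, field


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0
    safe: bool = True  # True: corrected transfer; False: buggy transfer

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        if self.safe:
            # Corrected: update each account in turn, so that when
            # sender == recipient the debit and credit cancel out.
            self.balances[sender] -= amount
            self.balances[recipient] = self.balances.get(recipient, 0) + amount
        else:
            # Buggy: both new balances are computed from stale reads and
            # then written. When sender == recipient, the second write
            # overwrites the first, leaving balance + amount: tokens are
            # created out of thin air while total_supply is unchanged.
            new_from = self.balances[sender] - amount
            new_to = self.balances.get(recipient, 0) + amount
            self.balances[sender] = new_from
            self.balances[recipient] = new_to

    def supply_invariant_holds(self):
        # Sum of all balances must equal the recorded total supply.
        return sum(self.balances.values()) == self.total_supply


def first_invariant_violation(ledger, ops):
    """Replay (sender, recipient, amount) ops, checking the invariant after
    each one. Returns the index of the first op that breaks it, or None."""
    for i, (sender, recipient, amount) in enumerate(ops):
        ledger.transfer(sender, recipient, amount)
        if not ledger.supply_invariant_holds():
            return i
    return None


# Constructed sample: ordinary transfers plus one self-transfer (index 2).
SAMPLE_OPS = [
    ("alice", "bob", 30),
    ("bob", "alice", 10),
    ("alice", "alice", 50),
    ("alice", "bob", 5),
]


def make_ledger(safe):
    ledger = Ledger(safe=safe)
    ledger.mint("alice", 100)
    ledger.mint("bob", 50)
    return ledger


def run(safe):
    """Run the sample ops on a fresh ledger; return
    (index of first violation or None, alice's final balance, total supply)."""
    ledger = make_ledger(safe)
    violation = first_invariant_violation(ledger, SAMPLE_OPS)
    return violation, ledger.balances["alice"], ledger.total_supply


if __name__ == "__main__":
    print("corrected transfer:", run(True))   # (None, 75, 150)
    print("buggy transfer:    ", run(False))  # (2, 130, 150)
```

The buggy branch behaves correctly for every transfer between distinct accounts, which is why unit tests written only for the normal case miss it; the invariant check catches the duplication on the first self-transfer without needing to know the root cause, and the same check can run over live on-chain state as a monitoring rule.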
Kistner also highlighted that despite the heavy loss, the users of the protocol will be compensated from its insurance fund.
“No funds are at risk,” the official blog highlighted. “Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.”
Is DeFi Too Nascent to Get the Hype?
Founded in 2017, bZx developed a DeFi protocol with an ecosystem of decentralized applications (DApps), including a margin trading and lending platform, wallets, and more.
It was attacked twice within days in February, resulting in a loss of around $945,000.
Kistner also pointed out that two independent audit firms, Peckshield and Certik, failed to identify the recent critical bug.