The bZx protocol has once again been compromised: an apparent bug in its iToken duplication method was exploited, reportedly resulting in a loss of funds. The team behind the decentralized finance (DeFi) lending protocol has since patched the flaw and assured users that their funds are not at risk. This incident marks the third time bZx has been hacked this year.
bZx protocol’s TVL drop
On Sunday, a bug was reported in the bZx iToken duplication method that enabled a hacker to artificially inflate their balance. Anton Bukov, co-founder of 1inch.Exchange, shared a post on Twitter showing 101778 $iETH tokens (worth ~4.7K ETH) that were duplicated on the bZx protocol in about nine different transactions. The tokens were worth $1,724,900 at the then-current ETH price of $367.
The bZx team began investigating when the protocol's total value locked (TVL) started dropping suddenly. They learned that several of the iTokens had been duplicated and immediately paused protocol activities such as lending and unlending. After an extensive audit of the bZx protocol by top security firms PeckShield and CertiK, the faulty duplication method was patched out of the iToken contract code.
Overall, the total value lost in the bZx protocol during the incident is reportedly about $8 million. The team said the stolen funds have been debited from the insurance fund, so customers need not close their loans as "no funds are currently at risk." Meanwhile, the funds added to the insurance fund include 219,199.66 LINK, 4,502.70 ETH, 1,756,351.27 USDT, 1,412,048.48 USDC, and 667,988.62 DAI.
bZx hack could have been prevented
Twitter user @MarcThalen first discovered the bug and reported it to the bZx team; however, the team did not respond in time.
“Last night I found an exploit in BRZX. I noticed that users were capable of duplicating ‘i tokens’. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up..”
“After a while the admin I was talking to told me that he finally got a hold of the team and was passing the info I was giving them through to them. At this point the attacker I noticed had drained substantial amounts of Dai and USDC.”