Yesterday, a single Chainlink (LINK) withdrawal caused a $2 million drop in "total value locked" (TVL) in the bZx decentralized finance protocol. As in previous DeFi hacks, an ingenious bug in the token contract resulted in seven-digit losses.
An infamous record: the third successful attack in nine months
According to the official post-mortem by the product engineers, the attack was made possible by a critical flaw in the iToken contract. iTokens are ERC-20 tokens minted for users of the bZx protocol.
The official iToken duplication incident report is out. Read more here 👇 https://t.co/Cq3O9UXgUF
— bZx (@bZxHQ) September 14, 2020
Because the transaction supplied the same value for the two inputs that govern a token transfer, the attacker was able to inflate his iToken balance artificially. By design, iTokens can be redeemed for the underlying assets in the protocol's pools, so an inflated iToken balance translated directly into funds withdrawn from the TVL.
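To make the accounting flaw concrete, the following is an added example (not bZx's contract code and not taken from the post-mortem) written in Python to model the mapping-based balance logic of an ERC-20-style token. It assumes the widely documented shape of this bug class: both balances are read before either is written, so when sender and recipient are the same address the credit overwrites the debit. The ledger, account names and amounts are constructed, and a total-supply invariant check is included as the kind of assertion a test suite or monitoring job would run to catch balance inflation.

```python
"""Self-transfer balance duplication: vulnerable vs. hardened transfer logic.

Constructed illustration of the read-both-then-write-both pattern. It is
not bZx's code; it models a generic token ledger as a dict mapping
address -> balance, mirroring a Solidity mapping(address => uint256).
"""


class InsufficientBalance(Exception):
    """Raised when the sender cannot cover the requested transfer."""


def vulnerable_transfer(balances, sender, recipient, value):
    """Reads both balances first, then writes both.

    When sender == recipient, the second write overwrites the first, so the
    debit is lost and the account ends up with `value` more than before.
    """
    balance_from = balances.get(sender, 0)
    balance_to = balances.get(recipient, 0)
    if balance_from < value:
        raise InsufficientBalance(sender)
    balances[sender] = balance_from - value       # debit
    balances[recipient] = balance_to + value      # credit (overwrites debit if same key)
    return balances


def hardened_transfer(balances, sender, recipient, value):
    """Rejects self-transfers explicitly and performs sequential read-modify-write.

    Either fix alone is sufficient here: with sequential updates a self-transfer
    nets to zero, and the explicit check makes the intent obvious to reviewers.
    """
    if balances.get(sender, 0) < value:
        raise InsufficientBalance(sender)
    if sender == recipient:
        return balances                            # nothing to move
    balances[sender] = balances[sender] - value
    balances[recipient] = balances.get(recipient, 0) + value
    return balances


def supply_invariant_holds(balances, total_supply):
    """Conservation check: the sum of all balances must equal total supply."""
    return sum(balances.values()) == total_supply


def run_self_transfer_scenario(transfer):
    """Constructed scenario: one holder 'transfers' to itself three times.

    Returns (final balance of the holder, whether the supply invariant holds).
    """
    total_supply = 100
    balances = {"holder": 100}                     # constructed ledger
    for _ in range(3):
        transfer(balances, "holder", "holder", 50)
    return balances["holder"], supply_invariant_holds(balances, total_supply)


if __name__ == "__main__":
    print("vulnerable:", run_self_transfer_scenario(vulnerable_transfer))
    print("hardened:  ", run_self_transfer_scenario(hardened_transfer))
```

Running the script shows the vulnerable path growing the single account's balance past the total supply, which the invariant check flags, while the hardened path leaves the ledger unchanged; an invariant of this kind is cheap to evaluate off-chain against emitted Transfer events and is a practical early-warning signal for this class of bug.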
As a result, the pools of five currencies bore losses: the attacker drained 219,199.66 Chainlink (LINK), 4,502.70 Ether (ETH), 1,756,351.27 Tether (USDT), 1,412,048.48 USD Coin (USDC) and 667,988.62 DAI. At the Chainlink (LINK) and Ethereum (ETH) prices at the time of the hack, the total losses exceeded $8,000,000 in U.S. dollar equivalent.
However, protocol co-founder Kyle Kistner assured users that all of their funds are safe, as the corresponding amount of tokens was immediately sent to the insurance fund.
Could this hack have been prevented?
Mr. Kistner also recalled in the post-mortem that the entire bZx contract codebase had been audited by the top-tier security vendors Peckshield and Certik, as well as by in-house security staff. However, Bitcoin.com lead engineer Marc Thalen stated that it was he who reported the critical bug to the community manager of bZx's Telegram group.
1/4 Last night I found an exploit in bZx. I noticed that a user was capable of duplicating "i tokens". There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up... pic.twitter.com/MdJqOH2IPu
— Marc Thalen (@MarcThalen) September 14, 2020
He also noted that the attacker used a Binance address to initiate the malicious token movements. However, bZx refused to pay him the full bug bounty, capping the payout at $12,500.
The wider DeFi community is deeply concerned by the repeated attacks on bZx. Compound Finance (COMP) founder Robert Leshner criticized both the bZx team's reaction to the attack and their unwillingness to pay the bug bounty to Mr. Thalen:
Coincidentally, the last time bZx got hacked, they refused to pay a bug bounty; the community roasted them, and they admitted their mistake. Their "mea culpa" promised it would never happen again...