bZx DeFi Protocol Hacked Yet Again, $8,000,000 in Chainlink (LINK), Ethereum (ETH) and Stablecoins Stolen

Third devastating attack occurred after several independent audits in 2020. New hack resulted in eight times greater losses than the first and second ones combined

article image
Cover image via

Yesterday, a single Chainlink (LINK) withdrawal resulted in a $2 mln drop in "total value locked" (TVL) in the bZx decentralized financial protocol. As in previous DeFi hacks, an ingenious bug in the token contract resulted in seven-digit losses.

An infamous record: the third efficient attack in nine months

According to the official post-mortem by product engineers, the attack was made possible by a critical flaw in the iTokens contract. This type of ERC-20 token is minted by the users of bZx protocol.

Since two inputs responsible for token transfers were read as equal during the execution of the transaction, the malefactor was able to increase his balance in iTokens artificially. The protocol design allows users to redeem funds from the TVL with an increase in the amount of iTokens.

As a result, the pools of the five currencies have born losses: the malefactor accessed 219,199.66 Chainlink (LINK), 4,502.70 Ethers (ETH), 1,756,351.27 U.S. Dollar Tethers (USDT), 1,412,048.48 USD Coins (USDC) and 667,988.62 DAI. Given the Chainlink (LINK) and Ethereum (ETH) prices at the moment of the hack, the total amount of losses surpassed $8,000,000 in U.S. Dollar equivalent.


However, the protocol co-founder Kyle Kistner assured users that all of their funds are safe, as the corresponding amount of tokens was immediately sent to the insurance fund.

Could this hack have been prevented?

Also, Mr. Kistner recalled in the post-mortem that the entire codebase of bZx contracts was audited by top-notch cybersecurity vendors Peckshield and Certik, as well as by in-house security officers. However, lead engineer of Marc Thalen stated that it was he who reported the crucial bug to bZx Telegram's community manager.

He also noted that the attacker used the Binance address to initiate malicious token movements. However, bZx refused to pay him the full amount of the "bug bounty," restricting the payouts to $12,500.

The global DeFi community is very concerned by the repeated attacks on bZx. Founder of Compound Finance (COMP) Robert Leshner slammed both the reaction of the bZx team to the attack and their unwillingness to pay the bug bounty to Mr. Thalen:

Coincidentally, the last time bZx got hacked, they refused to pay a bug bounty; the community roasted them, and they admitted their mistake. Their "mea culpa" promised it would never happen again...

Join our Telegram channel to get news even faster!

article writer image
Vladislav Sopov

Blockchain Analyst & Writer with scientific background. 5+ years in IT-analytics, 2+ years in blockchain.

Worked in independent analysis as well as in start-ups (, Monoreto, Attic Lab etc.)