bZx Hack - September 2020
Overview
Decentralized finance (DeFi) lending protocol bZx was attacked and lost a little over $8 million due to faulty code in its smart contracts. This was the third time bZx had been attacked in 2020.
The Vulnerability
The culprit was one line of code placed at the wrong location in the contract for its "iTokens," the token representing a user's share in the pool of supplied assets. The flawed code allowed an attacker to duplicate assets, i.e. to inflate their balance of iTokens (bZx's interest-bearing tokens) beyond what they had actually supplied.
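To make the defect class concrete, here is an added example (not bZx's own contract code) of a toy token ledger in Python: one transfer routine writes the balances in the wrong order, the other in the right order, and a supply-conservation check shows which one lets a holder duplicate tokens. The self-transfer trigger, the function names and the sample balances are assumptions for illustration.

```python
# Added illustration, not bZx's code: a minimal iToken-style ledger where the
# order of two balance writes decides whether a transfer can mint tokens.

def transfer_vulnerable(balances, src, dst, amount):
    """Snapshot both balances first, then write both (misordered)."""
    bal_from = balances.get(src, 0)
    bal_to = balances.get(dst, 0)          # read BEFORE the sender is debited
    if bal_from < amount:
        raise ValueError("insufficient balance")
    balances[src] = bal_from - amount
    balances[dst] = bal_to + amount        # if src == dst, this overwrites the debit
    return balances


def transfer_fixed(balances, src, dst, amount):
    """Debit the sender first, then read the recipient's current balance."""
    bal_from = balances.get(src, 0)
    if bal_from < amount:
        raise ValueError("insufficient balance")
    balances[src] = bal_from - amount
    balances[dst] = balances.get(dst, 0) + amount   # sees the debit when src == dst
    return balances


def supply_conserved(before, after):
    """Invariant a reviewer or on-chain monitor would assert: transfers
    never change the total supply."""
    return sum(before.values()) == sum(after.values())


def demo(transfer):
    """Run a self-transfer (assumed trigger) through the given routine and
    report the holder's resulting balance plus whether supply was conserved."""
    ledger = {"alice": 100, "bob": 50}     # constructed sample balances
    start = dict(ledger)
    transfer(ledger, "alice", "alice", 100)
    return ledger["alice"], supply_conserved(start, ledger)


if __name__ == "__main__":
    print("vulnerable:", demo(transfer_vulnerable))   # (200, False)
    print("fixed:     ", demo(transfer_fixed))        # (100, True)
```

Each call of the misordered routine doubles the holder's balance, so the supply-conservation assertion is the simplest runtime check that would have flagged the duplication.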
Stolen Assets
The bug allowed the hacker to mint:
• 219,200 LINK tokens (~$2.6 million)
• 4,503 ETH (~$1.6 million)
• 1,756,351 USDT (~$1.7 million)
• 1,412,048 USDC (~$1.4 million)
• 667,989 DAI (~$680,000)
Response and Recovery
Hours after noticing the bug, bZx paused minting and burning of iTokens and unpaused them after deploying a fix that corrected the duplicated balances. After the publication of the original story, bZx founder Kyle Kistner told The Block that the attacker returned the stolen funds to bZx late Monday, after getting caught.
bZx said no user funds are at risk as the loss is being covered by its insurance fund. The latest attack resulted in a sharp 70% decline in bZx's total value locked (TVL) to just about $6.3 million.
Sources