- bZx exchange faces another attack due to faulty code.
- The attacker made away with over $8 million in lenders' funds.
- The exchange's post mortem says none of the lenders' funds are at risk, as its insurance fund covered the loss.
- A Bitcoin.com developer who reproduced the bug and warned the bZx team before the attack is set to receive a bug bounty.
Seven months after suffering two successive attacks worth nearly $1 million, the bZx exchange suffered yet another attack on Sept. 14, as attackers made away with over $8 million in lenders' funds. The exchange was the first to report the incident, tweeting that it had noticed a drop in its protocol's total value locked (TVL) while the attacker duplicated several of bZx's iTokens. bZx tweeted:
“At 3:28 AM EST, we began investigating a drop in the protocol TVL. By 6:18 AM EST, we confirmed that a duplication incident had occurred with several of the iTokens.”
The bug allowed the attacker to duplicate iTokens, the interest-bearing tokens lenders receive on the bZx protocol, and credit the duplicates to their own wallets. The exchange paused all borrowing and lending on the platform and has since patched the "faulty code" in the iToken contract source.
2/ Lending and unlending was temporarily paused. The duplication method has been patched out of the iToken contract code, and the protocol has resumed normal functioning. 🙏
More details will follow!
— bZx (@bZxHQ) September 13, 2020
In a post mortem published on the bZx blog, the team said it had traced the abnormal behavior to the _internalTransferFrom() function in the iToken source code: a transfer whose sender and recipient were the same address left the sender holding more tokens than before. The developers deployed a new contract with the corrected function and burned the duplicated tokens, returning the protocol to normal operation.
We realized that initial source code works incorrectly when "_from" equals to "_to" and leads to funds duplication. We found 9 exploiting transactions on $iETH lending token with 101778 $iETH tokens duplicated (worth ~4.7K $ETH) // @DuneAnalytics pic.twitter.com/IWodBkGaEq
— Anton Bukov | k06a.eth (@k06a) September 13, 2020
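To make the "_from equals _to" failure concrete, here is an added example that models the transfer bookkeeping in plain Python. It is not bZx's Solidity contract; it re-creates the read-both-balances-then-write-both pattern that the post mortem and the tweet above describe, and shows one way to fix it (debit first, then read the recipient balance fresh), which may differ from the patch bZx actually shipped. The class and function names, the "attacker" account and the sample event list are all constructed for illustration.

```python
"""Python model of the iToken self-transfer duplication bug.

Added example: this re-creates the bookkeeping pattern described in the
post mortem in plain Python; it is not bZx's Solidity contract. Class and
function names (VulnerableIToken, FixedIToken, run_self_transfers,
find_self_transfers) are illustrative, as is the sample event log.
"""
from typing import Dict, List, Tuple

Event = Tuple[str, str, int]  # (from, to, value), like an ERC-20 Transfer log


class VulnerableIToken:
    """Reads both balances into locals, then writes both."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.total_supply = 0
        self.events: List[Event] = []

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def _internal_transfer_from(self, _from: str, _to: str, value: int) -> None:
        balances_from = self.balances.get(_from, 0)
        balances_to = self.balances.get(_to, 0)  # stale when _from == _to
        if balances_from < value:
            raise ValueError("transfer value exceeds balance")
        self.balances[_from] = balances_from - value
        # On a self-transfer this overwrites the debit with (old + value):
        # the caller nets +value and total supply is silently inflated.
        self.balances[_to] = balances_to + value
        self.events.append((_from, _to, value))

    def supply_is_consistent(self) -> bool:
        """Invariant a monitor should hold: sum of balances == minted supply."""
        return sum(self.balances.values()) == self.total_supply


class FixedIToken(VulnerableIToken):
    """Debits first, then reads the recipient balance fresh; a self-transfer is a no-op."""

    def _internal_transfer_from(self, _from: str, _to: str, value: int) -> None:
        balances_from = self.balances.get(_from, 0)
        if balances_from < value:
            raise ValueError("transfer value exceeds balance")
        self.balances[_from] = balances_from - value
        self.balances[_to] = self.balances.get(_to, 0) + value  # sees the debit
        self.events.append((_from, _to, value))


def run_self_transfers(token_cls, start: int, rounds: int) -> int:
    """Mint `start` to one account and send its whole balance to itself `rounds` times.

    Returns the final balance: it doubles each round on the vulnerable token
    (100 -> 200 -> 400 -> 800) and stays at `start` on the fixed one.
    """
    token = token_cls()
    token.mint("attacker", start)
    for _ in range(rounds):
        token._internal_transfer_from("attacker", "attacker", token.balances["attacker"])
    return token.balances["attacker"]


def find_self_transfers(events: List[Event]) -> List[Event]:
    """Flag Transfer events whose sender equals the recipient.

    A legitimate self-transfer is rare, so on an iToken this is the signature
    to hunt for in transfer logs (constructed events here, not chain data).
    """
    return [e for e in events if e[0] == e[1] and e[2] > 0]


if __name__ == "__main__":
    print("vulnerable:", run_self_transfers(VulnerableIToken, 100, 3))
    print("fixed:", run_self_transfers(FixedIToken, 100, 3))
    sample = [("alice", "bob", 5), ("mallory", "mallory", 100), ("bob", "carol", 1)]
    print("suspicious:", find_self_transfers(sample))
```

Two things worth noting. First, the vulnerable version never reverts: every check passes, the only symptom is that the sum of balances drifts away from minted supply, which is why the supply-consistency invariant belongs in monitoring and in a fuzz or property test rather than only in the contract. Second, the event scan is the same idea behind locating the exploiting transactions on-chain: filter the token's Transfer logs for rows where sender and recipient coincide. Another acceptable fix, not shown here, is to reject or short-circuit transfers where _from == _to outright.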
According to the post mortem, the attacker made away with 219,200 LINK (worth about $2.6 million), 4,503 ETH (~$1.6 million), 1,756,351 USDT (~$1.7 million), 1,412,048 USDC (~$1.4 million) and 667,989 DAI (~$680,000), a total of over $8.1 million. The funds have since been replaced from the bZx insurance fund.
The exchange also assured users and investors that none of the lenders' funds are in jeopardy, as the insurance fund covered the loss in full.
Sloppy auditing or complex code?
bZx founder Kyle Kistner said he had no explanation for how so severe a bug could have slipped past audits by two of the top security firms reviewing the exchange's smart contracts, Peckshield and Certik. Both firms have since said they are preparing an internal root cause analysis of the miss.
Certik praised the quick response from the bZx dev team and pledged to work together to prevent such issues in the future. Certik tweeted,
“Security is a journey, and our team is committed to pursuing/deepening its collab with the bzx team.”
Peckshield added that "one audit cannot guarantee to find all potential issues" and said its team would work closely with the exchange's developers to reduce the remaining security risk.
A bounty hunter set to receive $12,500
A tweet from Bitcoin.com developer Marc Thalen showed screenshots of his conversation with the bZx team moments before the attacker started duplicating iTokens. Thalen warned the team of the impending hack after he had reproduced the bug himself by duplicating iUSDC on the platform.
2/4 I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD.
— Marc Thalen (@MarcThalen) September 14, 2020
However, Thalen was unable to reach the team members holding the admin keys needed to pause the protocol and halt the attack. On the recommendation of the exchange's independent security panel, Thalen is set to receive $12,500 for bringing the bug to light before the exchange's lending pool, holding more than $20 million, could have been drained.
Thalen points out, correctly, that this figure does not match the bounty the exchange advertised in its relaunch blog after the earlier attacks.
7/4 one of the founders just mentioned on telegram that the "recommendation" from their independent security panel was a 12.5k bounty. Now I don't want to be greedy but this number is a lot different from what they listed in their relaunch blog last month @rleshner pic.twitter.com/bbGaRK1DJm
— Marc Thalen (@MarcThalen) September 14, 2020
In that post the exchange promised bounties of $50,000 for high-severity and $350,000 for critical bugs in the lending platform, paid out in ETH or USDC.
The exchange will take live questions from users on the iToken duplication incident on Monday, Sept. 14, at 9 am PT / 12 pm ET.
We are relieved to announce that the missing funds are now restored. More information will follow.
— bZx (@bZxHQ) September 14, 2020