bZx Exchange Suffers Another Attack Losing $8 Million; Lenders Funds Are Safe

  • bZx exchange faces another attack due to faulty code.
  • The hackers made away with $8 million in lenders’ funds.
  • The exchange's post mortem claims none of the lenders’ funds are in danger.
  • A developer claims a bug bounty after noticing the bZx exchange hack in progress.

Seven months after suffering two successive attacks worth nearly $1 million, the bZx exchange suffered yet another attack on Sept. 14 as attackers made away with over $8 million in lenders’ funds. The exchange was the first to report the compromise, tweeting about a drop in its protocol’s total value locked (TVL) as hackers duplicated several of the bZx exchange iTokens. bZx exchange tweeted moments after the hack began,

“At 3:28 AM EST, we began investigating a drop in the protocol TVL. By 6:18 AM EST, we confirmed that a duplication incident had occurred with several of the iTokens.”

The bug allowed the attackers to duplicate the iTokens, the interest-bearing tokens on the bZx protocol, and fund their wallets. The exchange paused all borrowing and lending on the platform and has since worked on the “faulty code” in the iToken contract source.

In a post mortem published on the bZx exchange’s blog, the team stated they identified abnormal behavior in the _internalTransferFrom() function of the iToken source code. The exchange developers deployed a new contract correcting the faulty code and burned the duplicated tokens, restoring the contract to normal operation.
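The article does not describe the defect itself. The following Python model is an added illustration, not bZx's contract code: it mirrors the publicly reported root cause of the iToken duplication (both balances cached in locals before the update, so a transfer where sender and receiver are the same address let the receiver write-back overwrite the sender debit), places the hardened transfer beside it, and checks the supply-conservation invariant an auditor or monitor would watch. The Ledger class, account names and amounts are constructed for this example.

```python
# Python model (added example, not the bZx contract) of an ERC20-style ledger.
# transfer_vulnerable follows the stale-cache pattern publicly reported as the
# root cause of the 2020 iToken duplication; transfer_fixed is one hardened form.
# Account names and balances below are constructed for illustration.

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        # Invariant to monitor: the sum of balances must never change on a transfer.
        return sum(self.balances.values())

    def transfer_vulnerable(self, sender, receiver, value):
        # Both balances are read into locals before either is written.
        bal_from = self.balances.get(sender, 0)
        bal_to = self.balances.get(receiver, 0)
        if bal_from < value:
            raise ValueError("insufficient balance")
        self.balances[sender] = bal_from - value
        # When sender == receiver this write discards the debit just made,
        # so the account ends up holding `value` more tokens than existed.
        self.balances[receiver] = bal_to + value

    def transfer_fixed(self, sender, receiver, value):
        # Hardened: reject self-transfers and update storage in place, so no
        # stale local copy of a balance can be written back.
        if sender == receiver:
            raise ValueError("self-transfer rejected")
        if self.balances.get(sender, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[sender] -= value
        self.balances[receiver] = self.balances.get(receiver, 0) + value


def supply_delta(transfer_name, sender, receiver, value):
    """Change in total supply after one transfer on a fresh constructed ledger.

    Any non-zero result means tokens were created or destroyed, which is the
    signal a balance-conservation check should alert on."""
    ledger = Ledger({"alice": 100, "bob": 50})
    before = ledger.total_supply()
    try:
        getattr(ledger, transfer_name)(sender, receiver, value)
    except ValueError:
        pass  # a rejected transfer leaves the ledger untouched
    return ledger.total_supply() - before
```

Running supply_delta("transfer_vulnerable", "alice", "alice", 100) returns 100, while the same call against transfer_fixed returns 0.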

According to the post, the hacker made away with 219,200 LINK tokens (worth about $2.6 million); 4,503 ETH (~$1.6 million); 1,756,351 USDT (~$1.7 million); 1,412,048 USDC (~$1.4 million) and 667,989 DAI (~$680,000) – a total of over $8.1 million. The funds have since been replaced from the bZx exchange insurance fund.

The exchange also assured users and investors that none of the lenders’ funds are in jeopardy as the insurance fund covered it all.

Sloppy auditing or complex code?

bZx founder Kyle Kistner had no explanation for how such a severe bug could pass unnoticed by the two top security firms that audited the exchange’s smart contracts – Peckshield and Certik. The two audit firms are now preparing an internal root cause analysis of the issues.

Certik praised the quick response from the bZx dev team and pledged to work together to prevent such issues in the future. Certik tweeted,

“Security is a journey, and our team is committed to pursuing/deepening its collab with the bzx team.”

Peckshield further stated that “one audit cannot guarantee to find all potential issues”. The audit firm's security team will work closely with developers from the exchange to minimize the security risks involved.

A bounty hunter set to receive $12,500

A tweet from developer Marc Thalen showed receipts of his conversation with the bZx team moments before the attacker started duplicating iTokens. The developer informed the bZx team of the impending hack after managing to duplicate iUSDC on the platform himself.

However, Marc was not able to reach the admin team in charge of the keys in time to halt the attack. According to a board recommendation, the bug bounty hunter is set to receive $12,500 USD for bringing the attack to light before a possible wipeout of the exchange's lending pool (holding $20+ million).

However, Marc correctly points out that the bounty does not match what the exchange listed on its page after the previous hack attempts.

The exchange promised $50,000 and $350,000 bounty rewards for high and critical bugs on the lending platform, paid out in ETH or USDC.

The exchange will live stream direct questions from users on the iTokens Duplication incident on Monday, Sep 14th, at 9 am PT/12 pm ET.

Bitcoin Exchange Guide