bZx Exchange Suffers Another Attack Losing $8 Million; Lenders’ Funds Are Safe

  • bZx exchange faces another attack due to faulty code.
  • The hackers made away with $8 million in lenders’ funds.
  • The exchange's post mortem claims none of the lenders’ funds are in danger.
  • A developer claims a bug bounty after noticing the bZx exchange hack.

Seven months after suffering two successive attacks worth nearly $1 million, the bZx exchange suffered yet another attack on Sept. 14 as attackers made away with over $8 million in lenders’ funds. The exchange was first to tweet about the compromise, noting a drop in its protocol’s total value locked (TVL) as hackers duplicated several of the bZx exchange iTokens. bZx exchange tweeted moments after the hack began,

“At 3:28 AM EST, we began investigating a drop in the protocol TVL. By 6:18 AM EST, we confirmed that a duplication incident had occurred with several of the iTokens.”

The bug allowed the attackers to duplicate the iTokens, the interest-bearing tokens on the bZx protocol, and fund their wallets. The exchange paused all borrowing and lending on the platform and has since worked on the “faulty code” in the iToken’s contract source.

In a post mortem published on the bZx exchange’s blog, the team stated they identified abnormal behavior with the _internalTransferFrom() function in the iToken source code. The exchange developers deployed a new contract correcting the faulty code and burned the duplicated tokens, setting the contract back to normal functioning.

According to the post, the hacker made away with 219,200 LINK tokens (worth about $2.6 million); 4,503 ETH (~$1.6 million); 1,756,351 USDT (~$1.7 million); 1,412,048 USDC (~$1.4 million) and 667,989 DAI (~$680,000) – a total of over $8.1 million. The funds have since been replaced by the bZx exchange insurance fund.

The exchange also assured users and investors that none of the lenders’ funds are in jeopardy as the insurance fund covered it all.

Sloppy auditing or complex code?

bZx founder Kyle Kistner was left with no explanation for how the severe bug could go undetected by two of the top security firms auditing the exchange’s smart contract – Peckshield and Certik. The two audit firms have since been preparing an internal root cause analysis of the issues faced.

Certik praised the quick response from the bZx dev team and pledged to work together to prevent such issues in the future. Certik tweeted,

“Security is a journey, and our team is committed to pursuing/deepening its collab with the bzx team.”

Peckshield further stated that “one audit cannot guarantee to find all potential issues”. The audit and security team will work closely with developers from the exchange to minimize the security risks involved.

A bounty hunter set to receive $12,500

A tweet from developer Marc Thalen showed receipts of his conversation with the bZx team moments before the attacker started duplicating iTokens. The developer informed the bZx team of the impending hack after being able to duplicate iUSDC from the platform.

However, Marc was not able to get through to the admin team in charge of the keys to temporarily halt the attack. According to a board recommendation, the bug bounty hunter is set to receive $12,500 USD for bringing the attack to light before a possible wipeout of the exchange’s lending pool (with $20+ million).

However, Marc correctly states that the bounty is not in line with what the exchange listed on its page after the last hack attempts.

The exchange promised $50,000 and $350,000 bounty rewards for high and critical bugs on the lending platform, paid out in ETH or USDC.

The exchange will live stream direct questions from users on the iTokens Duplication incident on Monday, Sep 14th, at 9 am PT/12 pm ET.

Lujan Odera
Lujan is a blockchain technology and cryptocurrency author and editor. He has worked in the field of cryptocurrencies and blockchain technology since 2015 helping him gain enough experience to be the writer he is today. He is known for his simple writing style that allows novices to understand the field in the simplest way.
