DeFi lending protocol bZx suffered another attack last night, the second in seven months.
This time, faulty code was blamed for an exploit that allowed hackers to duplicate assets, or increase their iTokens balance without the appropriate collateral.
Reports are circulating that hackers stole cryptocurrencies worth $8 million. But Anton Burkov, Co-founder of 1inch Exchange, analyzed the relevant DeFi explorer, removing duplicate items, as well as bZx “admin drainages”, to conclude those reports are greatly exaggerated.
According to Burkov, the amount lost to the duplication exploit is closer to $1.7 million. Further analysis carried out by Burkov pinpointed the exploit to nine transactions on the iETH lending token, worth approximately 4.7k Ethereum in total.
“We found 9 exploiting transactions on $iETH lending token with 101778 $iETH tokens duplicated (worth ~4.7K $ETH) // @DuneAnalytics”
Source: twitter.com
In response to the exploit, bZx issued a statement saying investors are
Read More From Original Source
Tags: — bZx (@bZxHQ) February 15, 2020— bZx (@bZxHQ) September 14, 2020— Marc Thalen (@MarcThalen) September 14, 2020“2/4 I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD.““We found 9 exploiting transactions on $iETH lending token with 101778 $iETH tokens duplicated (worth ~4.7K $ETH) // @DuneAnalytics”A postmortem of what happened shows several failings. Initially, Lead Developer at bitcoin.com, Marc Thalen, raised the alarm by tweeting his discovery of the DeFi duplication exploit.At the time, bZx was ranked as the 7th largest protocol by total value locked (TVL). But following the flash lending exploit, it began slipping down in the DeFi rankings.Both our co-founders @tcbean & @BeTheb0x will be going LIVE to address any questions you might have relating to the iToken Duplication Incident.But the real concern is whether today’s exploit will lead to a further drop in standing.By the time the bZx team was aware of the problem, the attacker had already drained a substantial amount of DeFi assets.DeFi lending protocol bZx suffered another attack last night, the second in seven months.Following that, normal activity resumed.However, bZx denies the incident came about as a result of using Uniswap price feeds.However, considering the number of high profile exploits and exits happening in DeFi of late, this latest exploit has done little to legitimize DeFi.However, due to time differences, no-one at bZx was able to respond straight away.In a bid to reassure DeFi investors, bZx Co-founders Tom Bean and Kyle Joseph Kistner will field questions about the incident later tonight.In response to the exploit, bZx issued a statement saying investors are covered by an insurance fund paid for through treasury funds and protocol cashflow.In response, bZx paused the minting and burning of iTokens as they investigated the claims. The team then applied a patch to the iTokens contracts, correcting duplicate balances at the same time.In terms of token price, BZX is down 30% on the day. However, will the duplication exploit lead to further price declines?In the meantime, Thalen then went on to test the exploit himself. He said that he created a 100 USDC loan from which he was able to claim 200 iUSDC.Monday, Sep 14th at 9 am PT/ 12pm ETThe bZx protocol was attacked in February in a flash lending exploit. Attackers were able to steal $350k by manipulating the Uniswap price feed for wrapped Bitcoin.This time, faulty code was blamed for an exploit that allowed hackers to duplicate assets, or increase their iTokens balance without the appropriate collateral.Today, defipulse.com ranks bZx as the 37th biggest by TVL, a substantial fall in standing.What’s more, in the statement, bZx spun the incident to demonstrate the soundness of the protocol.Zoom: https://t.co/LO9Ys2PZIY