Decentralized finance (DeFi) lending protocol bZx said that it has reclaimed the $8 million that was stolen on Sunday because of faulty code in its smart contract. This is the third time that the platform’s security has been breached.
According to the incident report, this was due to a token duplication bug that the attacker exploited during the weekend. Bitcoin.com engineer Marc Thalen reported the incident to the bZx team, and received $45,000 as a reward.
1/4 Last night I found an exploit in BRZX. I noticed that a user was capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu
— Marc Thalen (@MarcThalen) September 14, 2020
The team was able to track the attacker, who had previously used the Binance exchange to transfer assets. As of September 15, all of the $8 million has been restored.
We are relieved to announce that the missing funds are now restored. More information will follow.
— bZx (@bZxHQ) September 14, 2020
bZx Co-Founder Kyle Kistner said in the report that once the team found the anomalous behavior in the _internalTransferFrom() function of its iToken smart contract, it stopped minting and burning until the issue was resolved.
No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debit. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.
bZx is back online, and it has promised that “the debt will be wiped clean” and that the protocol “will move forward unimpeded”. However, the incident was met with mixed reactions. Some lauded the protocol for being “transparent”, while others scrutinized how it was hacked for the third time this year alone.