DeFi lending protocol bZx exploited, ‘a portion of ETH lost’

Decentralized finance (DeFi) lending protocol bZx has just been exploited.

While the exact amount of lost ether (ETH) is not yet known, bZx co-founder Kyle Kistner said: “a portion of ETH [has been] lost.”

Kistner revealed the details via bZx’s official Telegram channel on Saturday, saying that there was an “exploit executed” against a contract and that the firm has paused that contract, "except for lending and unlending."

bZx is apparently still consulting with security researchers to know the exact cause of the issue, said Kistner, adding: “We will be publishing a more in-depth post-mortem. The remaining funds are safe.”

As a result of the exploitation, bZx has taken down its Fulcrum trading platform down for maintenance.

According to DeFi Pulse, 3,300 ETHs (around $932,000) have been taken out from the bZx protocol in the last 24 hours. While some market observers estimate that the amount lost is around $350,000 in ETH.

Korantin Auguste, a former Google software engineer, has explained the attack in detail. He said a “logic bug” in bzX’s coding caused a loss of equity of around $620,000 for the protocol and around $350,000 worth of profit for the attacker. Notably, Auguste also said that it was not an Oracle bug, but rather a vulnerability.

bZx is currently the seventh-largest DeFi protocol, with the total amount of funds locked at around $15.5 million, according to DeFi Pulse.

The Block has reached out to bZx and other relevant sources for further comments and will update this story if we hear back.

UPDATE (Feb. 17): This story has been updated with analysis from former Google software engineer Korantin Auguste.