Update, September 15: After the publication of this story, Kistner told The Block that the attacker returned the stolen funds to bZx late Monday, after getting caught. Kistner declined to provide details due to legal reasons.
Decentralized finance (DeFi) lending protocol bZx was attacked once again last night and lost a little over $8 million due to faulty code in its smart contracts.
The flawed code allowed an attacker to duplicate assets, or increase their balance of iTokens (interest-bearing tokens of bZx). Hours after noticing the bug, bZx paused minting and burning of iTokens and then unpaused it after a fix that corrected balances for duplications.
The bug allowed the hacker to mint 219,200 LINK tokens (worth about $2.6 million); 4,503 ETH (~$1.6 million); 1,756,351 USDT (~$1.7 million); 1,412,048 USDC (~$1.4 million) and 667,989 DAI (~$680,000). That is $8.1 million in total. bZx said no user funds are at risk as the loss is being covered by its insurance fund.
Marc Thalen, a lead engineer at Bitcoin.com, claims to have initially identified the bug. He said more than $20 million of bZx funds were at risk. Thalen himself tried the exploit out and created a loan using USDC (100 USD). "From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD," said Thalen.
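As an added illustration (not bZx's code; the page does not show the faulty contract, and the cause modelled here is an assumption), a Python model of one way a "send to myself" can duplicate a token balance: both balances are read before either is written, so when sender and recipient are the same address the credit overwrites the debit. The fixed version and a supply-conservation invariant that a test suite or monitor can assert sit beside it.

```python
# Constructed example: a toy token ledger, not bZx's iToken contract.
# Amounts and account names are made up for illustration.


class BuggyToken:
    """Transfer that reads both balances first, then writes both."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        new_sender = self.balances.get(sender, 0) - amount
        new_recipient = self.balances.get(recipient, 0) + amount
        # When sender == recipient the second write overwrites the first:
        # the debit is lost and the balance grows by `amount`.
        self.balances[sender] = new_sender
        self.balances[recipient] = new_recipient


class FixedToken(BuggyToken):
    """Apply the debit before computing the credit, so a self-transfer is a no-op."""

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances[sender] - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def total_supply(token):
    return sum(token.balances.values())


def supply_conserved(token_cls, balances, sender, recipient, amount):
    """Invariant check: a transfer must never change the total supply.

    Returns (invariant_holds, sender_balance_after) for the given ledger class.
    """
    token = token_cls(balances)
    before = total_supply(token)
    token.transfer(sender, recipient, amount)
    return total_supply(token) == before, token.balances[sender]


if __name__ == "__main__":
    # A 100-unit self-transfer on the buggy ledger ends with a 200-unit balance.
    print(supply_conserved(BuggyToken, {"alice": 100}, "alice", "alice", 100))
    print(supply_conserved(FixedToken, {"alice": 100}, "alice", "alice", 100))
```

Running the invariant over every transfer path (including sender == recipient) in a test suite, or over on-chain balance changes in a monitor, is the kind of check that surfaces this class of bug before it reaches production.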
bZx co-founder Kyle Kistner told The Block that "it's difficult to say" how this "critical" bug went unidentified by the protocol's two audit firms, Peckshield and Certik. The firms are preparing internal root cause analyses, said Kistner.
Peckshield said, "one audit cannot guarantee to find all potential issues," while Certik said, "security is a journey."
Some industry experts want bZx to halt operations and re-audit its protocol. However, Kistner told The Block that bZx security auditors "did not recommend such a course of action."
Thalen is expecting a bug bounty from bZx. Kistner told The Block that he will be receiving a bounty of $12,500 — the average of what three panelists suggested, as Thalen reported "an ongoing incident that we had already been investigating." After the publication of this story, Thalen told The Block that his bounty was increased to $45,000. Kistner separately confirmed the increase to The Block.
The latest attack has resulted in a sharp 70% decline in bZx's total value locked (TVL) to just about $6.3 million. Kistner told The Block that "things change very quickly in this [DeFi] space," referring to a possible upswing.
When asked how bZx plans to strengthen users' trust amid attacks, Kistner told The Block: "We want to create products and incentive structures so attractive that users are essentially forced to use us regardless of how they feel about our brand."
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.