Blockchain protocol bZx suffered a hack early Monday, with hackers making away with almost $8 million in various cryptocurrencies before the vulnerability was patched.
bZx hit thrice
bZx is a decentralized margin lending protocol & liquidation oracle marketplace on the Ethereum blockchain. Its protocol allows users to deploy smart contracts atop Ethereum to lend and margin trade without relying on third parties.
But security concerns have hit the project hard…thrice. Earlier this year, the protocol was compromised by malicious actors twice in the space of a week who managed to capture nearly $1 million in illicit funds. At the time, the firm promised to install more vigorous security services on its platform to avoid such a hack again.
And while there wasn’t any untoward incident so far, a “duplication” vulnerability earlier today cost the protocol millions of dollars in various cryptocurrencies.
bZx said in a blog post, “Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.”
It added that bZx’s risk management system is capable of “absorbing black swan events that would otherwise negatively impact lender assets.” With that, the $8 million vulnerability would be “wiped clean” and the protocol will move forward unimpeded.
Here’s what allowed the hack: Every ERC20 token has a transferFrom() function that is responsible for transferring tokens. In the bZx case, hackers found that it was possible to call this function to create and transfer an iToken to yourself, allowing them to artificially increase their balance.
The following then occurred:
- The team noticed a strange movement in the protocol TVL.
- Identified anomalous behavior with the _internalTransferFrom() function on the iToken contract.
- Minting and burning of iTokens was paused as the fix was identified.
- Borrowing and trading was not impacted.
- A new version of the affected iToken contracts were deployed with the balances corrected for duplications.
- The patched code was sent to Peckshield and Certik for review.
- Minting and burning of iTokens were unpaused.
Patched and all funds safe
bZx was quick to handle the issue and used a backdoor admin access system to stop hackers from steaking more funds. A patched version of the source code was later sent to two blockchain security firms, Certik and Peckshield, who approved the changes.
In terms of covering losses, a collection of affected crypto funds, such as Chainlink, Ethereum, and Tether, were added to the insurance fund, said bZx.
No customer funds were affected or lost during the breach.
The post DeFi protocol bZx suffers $8 million hack, customer funds safe appeared first on CryptoSlate.
Source: DeFi protocol bZx suffers million hack, customer funds safe