DeFi lending protocol bZx (BZRX) confirmed that “due to a token duplication incident” its insurance fund “has transiently” accrued debt of around USD 8m. (Updated on September 15.)
At pixel time (08:05 UTC), BZRX, ranked 138th by market capitalization, trades at USD 0.439 and is down by 32% in a day and 15% in a week.
Kyle J Kistner, Chief Visionary Officer (CVO) at bZx, said that due to a bug in their code “the user was effectively able to increase his balance artificially.” According to him, borrowing and trading were not impacted, while the fix was identified and a new version of the affected iToken contracts was deployed with the balances corrected for duplications.
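The article does not say how the duplication happened, only that a bug in the iToken contracts let a user inflate his balance and that the redeployed contracts had the duplicated balances corrected. As an added illustration of that bug class, not bZx's code and not a claim about the actual bZx defect, the Python model below shows one well-known way an ERC-20-style ledger can credit tokens that were never minted: a transfer that caches both balances before writing them back, so a transfer to oneself ends with the cached balance plus the amount. The names (`CachingLedger`, `SafeLedger`, `duplicated_amount`) and the 100-unit sample deposit are constructed for the example; `duplicated_amount` is the gap between tokens in circulation and tokens actually minted, which is the shortfall an insurance fund would have to absorb.

```python
# Added illustration of the "token duplication" bug class. Toy Python model,
# not bZx's iToken contract; the mechanism (caching both balances before
# writing them back) is an assumption for the example, not the page's account.
from dataclasses import dataclass, field
from typing import Tuple


class LedgerError(Exception):
    """Raised on an invalid transfer."""


@dataclass
class Ledger:
    """Minimal token ledger: per-address balances plus the minted total."""
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def mint(self, who: str, amount: int) -> None:
        """Create `amount` tokens for `who` (stands in for a deposit into the pool)."""
        self.balances[who] = self.balance_of(who) + amount
        self.total_supply += amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        raise NotImplementedError


class CachingLedger(Ledger):
    """Buggy: reads both balances into locals, then writes both back.
    When src == dst the second write overwrites the first with the stale
    cached value plus `amount`, so the sender ends up richer by `amount`."""

    def transfer(self, src: str, dst: str, amount: int) -> None:
        src_bal = self.balance_of(src)
        dst_bal = self.balance_of(dst)
        if amount < 0 or src_bal < amount:
            raise LedgerError("insufficient balance")
        self.balances[src] = src_bal - amount
        self.balances[dst] = dst_bal + amount  # bug: dst_bal is stale when src == dst


class SafeLedger(Ledger):
    """Fixed: read-modify-write one balance at a time, so a self-transfer is a no-op."""

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if amount < 0 or self.balance_of(src) < amount:
            raise LedgerError("insufficient balance")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount  # re-read after the debit


def duplicated_amount(ledger: Ledger) -> int:
    """Tokens in circulation that were never minted: the shortfall a pool's
    insurance fund would have to cover. Zero for a consistent ledger."""
    return sum(ledger.balances.values()) - ledger.total_supply


def demo(ledger_cls) -> Tuple[int, int]:
    """Deposit 100 (constructed sample), transfer 100 to self;
    return (final balance, duplicated amount)."""
    ledger = ledger_cls()
    ledger.mint("attacker", 100)
    ledger.transfer("attacker", "attacker", 100)
    return ledger.balance_of("attacker"), duplicated_amount(ledger)


if __name__ == "__main__":
    print("caching ledger:", demo(CachingLedger))  # (200, 100): 100 tokens from nothing
    print("safe ledger:   ", demo(SafeLedger))     # (100, 0)
```

Run repeatedly, the buggy self-transfer doubles the balance each time while `total_supply` never moves, which is exactly the invariant (sum of balances equals minted supply) that a post-incident "balances corrected for duplications" redeploy has to restore.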
The CVO said that the protocol “was heavily audited by top security firms Peckshield and Certik.”
2/2 One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors,… https://t.co/X8y4cV2u8J
— PeckShield Inc. (@peckshield)
The bZx team was able to temporarily shut down targeted functions of the protocol, update the vulnerable piece of c… https://t.co/qDbpbPA5pZ
— CertiK (@certik_io)
“Unfortunately, audits are not silver bullets. Our protocol is the most powerful, fully functioned lending protocol in the space, and this means that there is a lot of code to cover”, he said.
According to Kistner, their system is capable of absorbing “black swan events that would otherwise negatively impact lender assets.”
“Thanks to a protocol design that anticipates and accounts for tail events, this incident is surmountable. The debt will be wiped clean and the protocol will move forward unimpeded,” he said.
Meanwhile, the team said later on Monday that “the missing funds are now restored,” promising to provide more information later.
As reported, in February, bZx suffered two attacks.
In total @bZxHQ “admin” was lucky to drain 5 different wallets with 7 transactions in 7 different pools: https://t.co/8xDx6EUMmQ
— Anton Bukov | k06a.eth (@k06a)
2/4 I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this t… https://t.co/1fhk8oTXyv
— Marc Thalen (@MarcThalen)
@bZxHQ 2) Even though $8,000,000 was exploited, no funds from users were lost. The fixed patched code was sent to… https://t.co/NcwAAbc93s
— The Paw Investor (@PeteChantrasook)
Wait wtf @bZxHQ got hacked AGAIN? Didn't this happen shortly after fulcrum first launched. FFS just go home at this point.
— George Harrap (@George_harrap)
If you choose to leave your funds in @bZxHQ after 2 major hacks in 2020 (3 if you include @1inchExchange’s white ha… https://t.co/s1Z0h6WCED
— Chris Blec (@ChrisBlec)
@bZxHQ incident recently showed that it’s easier forked than done. They had multiple audits, formal verification an… https://t.co/My5nbpOuRg
— stani.eth (@StaniKulechov)
bzx has an admin backdoor? # https://t.co/0Kh8ZeRuji
— 찌 G 跻 じ ⚡️ (@DegenSpartan)
If I understand correctly, @bZxHQ took bring DeFi to Runescape literally https://t.co/ZXQuUjNh30 https://t.co/NxrhQvhMqm
— Daryl Lau (@Daryllautk)