On the one hand, DeFi shows no signs of stopping, on the other hand, some popular projects are being hacked due to a number of internal vulnerabilities. One such protocol is the bZx, which had a very difficult year.
In a yet another fresh trouble, the popular DeFi lending protocol encountered bug exploitation. bZx’s official blog post claimed that the platform sustained a duplication incident with several of the iTokens. The incident caused the protocol insurance fund to transiently accrue a debt. Calling the incident “surmountable”, bZx revealed that the insurance fund was backstopped by both the token treasury in addition to protocol cash flows.
It was the steep drop in bZx’s TVL that caught the attention of the platform’s developers which was then followed by a tweet stating that it was “investigating” the reason behind it.
Marc Thalen, Lead Engineer at Bitcoin.com found an exploit after noticing a user capable of duplicating iTokens who then contacted the team. But by the time the team’s founders got the word, the attacker had drained substantial amounts of Dai and USDC. Thalen further stated that the entire pool could have been drained “if the attacker had a bit more time”.
1/4 Last night I found an exploit in BRZX. I noticed that a user were capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu
— Marc Thalen (@marc_defi) September 14, 2020
Funds are SAFU
However, the platform confirmed that no funds were at risk. Furthermore, the duplication bug in question was patched up after it was audited by two prominent security firms – Peckshield and Certik. bZx stated,
“The protocol was heavily audited by top security firms Peckshield and Certik. The Peckshield audit was 12 person weeks. This is the same amount of time that Peckshield audited the Multi-collateral DAI [MCD] contracts for MakerDAO. The Certik audit was 7 person weeks. Additionally, we performed extensive automated testing. Unfortunately, audits are not silver bullets.”
This is not an isolated case wherein an entity was able to compromise bZx. The protocol was compromised for the first time on the 14th of February when the team was at the ETH Denver industry event. The second attack followed a couple of days later. The two hacks saw the protocol lose more than $954K.