A couple of hours ago, the DeFi lending protocol shared an update on Twitter after a huge drop in TVL was noticed by its developers:
“At 3:28 AM EST we began investigating a drop in the protocol TVL. By 6:18 AM EST we confirmed that a duplication incident had occurred with several of the iTokens.
“Lending and unlending was temporarily paused. The duplication method has been patched out of the iToken contract code, and the protocol has resumed normal functioning.”
Although lending and unlending were halted and iToken contract code was patched up, the hacker had already leveraged the bug to cart away with relatively $8 million in user deposits.
In a follow-up report, bZx stated that the duplication bug that opened the door for the said exploit was patched up as soon as it was audited by the two prominent security firms in the crypto ecosystem, Peckshield and Certik.
Also, for clarification, bZx pointed out that “No funds are currently at risk. Those funds outlined have been debited against our insurance fund. Nobody currently using the protocol is in danger.”
> No funds are currently at risk. <
Those funds outlined have been debited against our insurance fund. Nobody currently using the protocol is in danger.
— bZx (@bZxHQ) September 13, 2020
Reactions of Some Industry Experts
According to Lead Engineer at Bitcoin.com, Marc Thelan, the team of developers behind the decentralized finance (DeFi) lending protocol were likely too slow to deal with the problem.
In a series of tweets, he noted:
“Last night I found an exploit in BRZX. I noticed that a user were capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up..
“I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD.
“After a while the admin I was talking to told me that he finally got a hold of the team and was passing the info I was giving them through to them. At this point the attacker I noticed had drained substantial amounts of Dai and USDC.
“BzX did an emergency stop and paused the contracts. I am currently awaiting my bounty as it has to go through “independent board” who will decide if it will be granted to me. Since BRZX already made a post mortem report on this I figured it share here what actually happened.
“I am highly convinced that the complete pool could have been drained if the attacker had a bit more time.
The reason I am tweeting this is not to slander BZX but far too often teams do not pay out their bounties even though in this scenario the amount at risk was very substantial. (Will update here when I hear more about my bounty claim).”
Despite the display of vulnerability, some still came in defense of bZx. According to the founder of Aave Protocol, Stani Kulechov, “bZx incident recently showed that it’s easier forked than done. They had multiple audits, formal verification and took substantial time before coming back to main-net and yet all the diligence does not guarantee safety. Something that every DeFi user should understand.”
Join us on Twitter
Join us on Telegram
Join us on Facebook