bZx hacked again as Duplication bug costs protocol $8M in user deposits


Decentralized Finance “lending” protocol, bZx, is not having a good year. Seven months after bZx was hit by two major hacks that saw the protocol lose over $954K, it is in the headlines again after yet another bug was exploited. This time, the losses have been as high as over $8M in user deposits or 30% of bZX’s Total Value Locked.

In fact, the sharp drop in TVL was what first caught the attention of bZx’s developers, with a tweet going on to say that, “we confirmed that a duplication incident had occurred with several of the iTokens.” While lending and unlending were soon paused and the iToken contract code patched up, the hackers in question were able to exploit the said bug for the aforementioned amount.

bZx soon followed up these updates with a post-mortem report of its own, claiming that the duplication bug in question was patched up soon after it was audited by Peckshield and Certik, two very prominent security firms. It should be noted, however, that bZx was quick to clarify that,

Interestingly, according to Marc Thelan, Lead Engineer at, the team behind bZx may have been slow to tackle the issue at hand. Thelan claimed,

By the time the rest of the team was up and the info was passed on, he said, “the attacker I noticed had drained substantial amounts of Dai and USDC.” According to the developer, “the complete pool could have been drained if the attacker had a bit more time.”

The incident, once again, raises the question of how safe user assets are on DeFi protocols. However, despite the bad press, many were quick to come to bZx’s defense. According to Aave Protocol Founder Stani Kulechov,

“@bZxHQ incident recently showed that it’s easier forked than done. They had multiple audits, formal verification and took substantial time before coming back to main-net and yet all the diligence does not guarantee safety. Something that every DeFi user should understand.”

Another user commended bZx’s transparency, tweeting,

“I really respect that.
Another hack, but another refund.
Innovation can be costly sometimes, but the team stands strong and protects consumers.
Some will say “that’s DeFi, get rekted”. Not bZx.”

The post bZx hacked again as Duplication bug costs protocol $8M in user deposits appeared first on AMBCrypto.

bZx hacked again as Duplication bug costs protocol $8M in user deposits written by Jibin Mathew George @ September 14, 2020 Jibin Mathew George

Comments are closed.