DeFi protocol bZx attacked once again, lost $8 million due to a faulty code


Decentralized finance (DeFi) lending protocol bZx was attacked once again last night and lost a little over $8 million due to a faulty code in its smart contracts.

The flawed code allowed an attacker to duplicate assets, or increase their balance of iTokens (interest-bearing tokens of bZx). Hours after noticing the bug, bZx paused minting and burning of iTokens and then unpaused it after a fix that corrected balances for duplications.

The bug allowed the hacker to mint 219,200 LINK tokens (worth about $2.6 million), 4,503 ETH (~$1.6 million), 1,756,351 USDT (~$1.7 million) 1,412,048 USDC (~$1.4 million) and 667,989 DAI (~$680,000). That is $8 million in total. bZx said no user funds are at risk as the loss is being covered by its insurance fund. 

Marc Thalen, a lead engineer at, claims to have initially identified the bug. He said there more than $20 million of bZx funds were at risk. Thalen himself tried the exploit out and created a loan using USDC (100 USD). “From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD,” said Thalen. 

bZx co-founder Kyle Kistner told The Block that “it’s difficult to say” how this “critical” bug went unidentified by the protocol’s two audit firms Peckshield and Certik. The firms are preparing internal root cause analyses, said Kistner.

Peckshield said, “one audit cannot guarantee to find all potential issues,” but with continuous work, it is getting closer to the goal of minimizing security risks. Certik said, “security is a journey.”

Some industry experts want bZx to halt operations and re-audit its protocol. However, Kistner told The Block that bZx security auditors “did not recommend such a course of action.”

This is the third time bZx has been attacked this year. In February, the protocol lost about $945,000 in two attacks.

Sunday’s attack has resulted in a sharp 70% decline of bZx’s total value locked (TVL) to just about $6.3 million. Kistner told The Block that “things change very quickly in this [DeFi] space,” referring to a possible upswing.

When asked how bZx plans to strengthen users’ trust amid attacks, Kistner told The Block: “We want to create products and incentive structures so attractive that users are essentially forced to use us regardless of how they feel about our brand.”

© 2020 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

DeFi protocol bZx attacked once again, lost $8 million due to a faulty code written by Yogita Khatri @ September 14, 2020 Yogita Khatri

Comments are closed.