bZx hack: Lost over $8 million due to faulty smart contract code
Decentralized finance (DeFi) lending protocol bZx was hacked once again on 13 September and lost over $8 million due to faulty code in its smart contracts. This is the third time bZx has been attacked this year. In February, the protocol lost about $945,000 in two attacks.
The latest attack resulted in a sharp 70% decline in bZx’s total value locked, to just about $6.3 million. The flawed code allowed an attacker to duplicate assets, that is, to increase their balance of iTokens (the interest-bearing tokens of bZx). Hours after noticing the bug, bZx paused minting and burning of iTokens, then unpaused them after a patch was applied that corrected the duplicated balances.
The bug in bZx’s smart contract allowed the hacker to mint:
- 219,199.66 LINK
- 4,502.70 ETH
- 1,756,351.27 USDT
- 1,412,048.48 USDC
- 667,988.62 DAI
In its blog post, bZx said no user funds are at risk, as the loss is being covered by its insurance fund.
Although the protocol underwent a heavy audit by top security firms PeckShield and CertiK, the flawed code allowed the attacker to mint a total of $8.1 million worth of crypto tokens.
After the attack was discovered, one of the audit firms, PeckShield, commented that “One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors, we are getting ever closer to the goal of minimizing security risks”.
Recently, in July, Ethereum co-founder Vitalik Buterin warned of the dangers of “smart contract risk” in DeFi protocols. He said, “I think one big one is just that a lot of people are underestimating smart contract risk”, adding that even for a protocol that undergoes rigorous audits, smart contract security cannot be guaranteed.
There is a lot of excitement about the interoperability of DeFi protocols, but the security of a system is only as good as its weakest link. Therefore, it is recommended that yield farmers evaluate their risk tolerance and diversify their funds accordingly to minimize risk exposure.