Latest news about Bitcoin and all cryptocurrencies. Your daily crypto news habit.
In yet another jolt to the decentralized finance (DeFi) community, margin, and leverage-based lending and trading platform, bZx became the target of another hack. In the hack, which was much bigger than the previous attacks, hackers made away with $8 million worth of cryptocurrencies.
bZx Hackers Deal 8 Times More Damage To The DeFi Protocol This Time
DeFi lending protocol bZx was attacked again. This time hackers drained a little more over $8 million worth of cryptocurrencies leveraging a duplication bug that enabled them to make away with 219,199.66 LINK, 4,502.70 ETH, 1,756,351.27 USDT, 1,412,048.48 USDC, 667,988.62 DAI.
bZx team member Anton Bukov shared a thread on Twitter, in which he admitted that a faulty line of code in the smart contract led to hackers initiating a series of iToken duplicating transactions to steal ETH:
We realized that initial source code works incorrectly when â_fromâ equals to â_toâ and leads to funds duplication. We found 9 exploiting transactions on $iETH lending token with 101778 $iETH tokens duplicated (worth ~4.7K $ETH) // @DuneAnalytics pic.twitter.com/IWodBkGaEq
â Anton Bukov | k06a.eth (@k06a) September 13, 2020
How Did It Happen Exactly?
On delving deeper, bZxâs official incident report reveals that a loophole in the âtransferFrom() functionâ that enables the transfer of ERC20 tokens from one protocol to the other was leveraged by hackers.
It was possible to call this function to create and transfer an iToken to yourself, allowing you to artificially increase your balance.
To be precise:
- Attackers invoked a transfer function with the same _from and _to address of the original function.
- Then they immediately called an â_internalTransferFromâ function with the same set of arguments, making the below lines of code faulty.
This resulted in _balancesFrom _balancesTo being equal.
This, in turn, enabled the attackers to âdecrease the balance of _balancesFrom and increases the balance of _balancesToâ. As per the report:
The user was effectively able to increase his balance artificially.
bZx patched the faulty code after the $8 million theft. The fix has set the âmove of balancesTo being set after the deduction from balances[_from]â effectively preventing anyone from artificially inflating their balance.
The leading DeFi lending protocol went ahead and applied the patch after code auditing firms Certik and Peckshield gave the green light.
Not The First Attack on bZx
It seems this year is not turning out to be a good one for bZx. As CryptoPotato reported, earlier in the month of February, a hacker dealt two consecutive blows and stole a combined $1 million in ETH.
In the first one that happened on February 14, the attacker used different methods in both the attacks. In the first one, he/she borrowed 10,000 ETH from dYdX. Out of the 10,000ETH, 5,500 ETH was used to collateralize a loan for 112 wBTC on Compound.
Then the online robber spent 1,300 ETH to open a 5x leveraged ETH/BTC short position on bZxâs Fulcrum trading platform, while also borrowing 5,637 ETH through Kyberâs. He/she swapped this amount for 51 wBTC, causing a serious slippage.
By swapping the 112 wBTC from Compound to 6,671 ETH and the hacker made a profit of 1,193 ETH, amounting to around $318,000 (considering the prices then).
The second one that took place on February 18 saw the attacker leverage âoracle manipulationâ to game the system and drain around $600,000.
Update: After the article went live, the bZx team announced that theyâve recovered the lost funds.
đą UPDATE:
We are relieved to announce that the missing funds are now restored. More information will follow.
Stay tuned!
â bZx (@bZxHQ) September 14, 2020
The post DeFi Protocol bZx Hacked Again: $8 Million Worth of ETH, LINK, Stablecoins Drained (Updated) appeared first on CryptoPotato.
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.