
The DeFi platform bZx was exploited for $8.1 million on September 13th, marking the third time in 2020 that bZx has been exploited. 

How the bZx exploit happened

The bZx team noticed the exploit when a single withdrawal caused a significant drop in their Total Value Locked. They then discovered a bug in their protocol that tricked the platform into minting unbacked iTokens, which are bZx’s interest-accumulating tokens. The bug allowed the attacker to duplicate their tokens by minting unbacked iTokens into their account and then withdrawing them, which led to a loss of 219,199.66 LINK, 4,502.70 ETH, 1,756,351.27 USDT, 1,412,048.48 USDC, and 667,988.62 DAI for bZx.

Upon noticing the exploit, the bZx team paused minting and burning of iTokens but later resumed those operations once the bug had been patched. The team also debited the loss from the protocol’s insurance fund.

How did the bug go unnoticed?

Hours before the exploit took place, Marc Thalen, lead engineer at Bitcoin.com, warned the bZx team of the attack vector.

At the time, all members of the bZx team were asleep, and by the time they woke up, the bug that Thalen warned about had been exploited by the attacker.

This is the third time this year that bZx has been exploited. In February, bZx was exploited twice, for $350,000 and $650,000 (both in ETH), respectively.

In every attack, bZx was neither hacked nor breached. Instead, an individual with a strong understanding of how the bZx protocol worked was able to take advantage of its inner workings to generate hundreds of thousands, and now millions, of dollars for themselves.

Which makes it a good time for us to remind you that the entire DeFi ecosystem is built on shaky ground. bZx had an insurance fund and was able to replenish their losses; however, not every DeFi platform has an insurance fund. Several DeFi exploits have taken place in 2020, and we are beginning to see DeFi token projects exit scam and pull the rug on their ecosystem. When it comes to DeFi, it is best to proceed with caution, and if you don’t understand how an investment works, then it is better not to invest at all.
