bZx Recovers $8.1M Lost in Third Exploit
Will a third exploit spell the end of bZx, or can the protocol bounce back for the fourth time?
- bZx marked it's third exploit of 2020, losing $8.1 million of funds to a vulnerability in the code.
- The BZRX token fell by 30% in the aftermath of the incident, as the burden of the loss was shifted to the insurance fund.
- bZx's fate rests with the broader DeFi community and whether they decide to return to the protocol as users.
Share this article
Less than two weeks after re-deploying on mainnet, bZx was exploited for $8.1 million of LINK, ETH, and stablecoins. The incident caused the BZRX token to fall over 30%, as the value of the token secures protocol deficits.
Shortly after the exploit, however, the team confirmed that they had tracked the attacker down and have recovered the lost funds.
How Many Times Is Too Many?
Earlier this year, the team behind bZx paused the protocol after two consecutive hacks caused a mass outflow of capital. Promising to come back stronger, bZx built a new iteration of the product over six months. The protocol was finally deployed again on Sept. 2.
In less than two weeks, and bZx had been attacked once again.
This time, however, the loss is exceptionally higher than before. Given prevailing prices at the time of the hacks, bZx had been previously exploited for $330,000 and $640,000, respectively.
The latest hack saw $8.1 million of customer funds lost.
1/4 Last night I found an exploit in BRZX. I noticed that a user were capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu
— Marc (@0x000000000marc) September 14, 2020
bZx’s iToken’s were deployed with a bug that allowed users to increase their balances artificially. The platform’s sustained losses were as follows:
- 219,199.66 LINK ($2.61 million)
- 4,502.70 ETH ($1.65 million)
- 1,756,351.27 USDT
- 1,412,048.48 USDC
- 667,988.62 DAI
The insurance fund will bear the liability for these losses. Since the BZRX token derives a portion of its value from the insurance fund, its price tanked 31% yesterday.
BZRX is down 74% since peaking on Aug. 31.
Even after writing new code, employing fresh audits, and coming back to mainnet, bZx cannot seem to catch a break – and neither can their investors.
So @bZxHQ admins updated their tokens to unverified implementation with a backdoor that allows them to burn funds of any user. Then after burning funds of some users involved in hack, they updated to a normal implementation with bugfix. https://t.co/9529Ao93ly
— Roman Semenov in Amsterdam 🌪️ 🇺🇦 (@semenov_roman_) September 13, 2020
In a blog post dissecting the incident, bZx attributed the multiple hacks to the protocol being “the most powerful, fully functioned lending protocol in the space, and this means that there is a lot of code to cover.”
Smart contracts are challenging, but suffering three exploits in seven months is absurd.
The fate of bZx is now solely in the hands of the DeFi community. Whether users will return to the protocol remains to be seen.
Editor’s update [28.10.2020, 09H50 UTC]: This article has been updated to show that the bZx team has recovered the lost funds in question.