DeFi Platform bZx Loses Collateral After $8 Million Token Duplication Incident
September 14th, 2020
Crypto collateral on DeFi lending platform bZx has dropped to its lowest level in over a year after a token duplication incident led to an emergency code patch and a reset of user balances.
Another technical glitch has created problems for DeFi lending protocol bZx. The team responded with a breakdown of events, reassuring borrowers and lenders that ‘no funds are at risk’.
A vulnerability in a token transfer function made it possible for users to call the function to create pool tokens (called iTokens on this platform) and transfer them to themselves, artificially inflating their balance.
The official iToken duplication incident report is out.
Read more here https://t.co/Cq3O9UXgUF
— bZx (@bZxHQ) September 14, 2020
This resulted in a debt accruing in the protocol's insurance fund, which was designed to absorb it. The team stated that the debt will be wiped clean and the protocol will move forward unimpeded. A new version of the affected iToken smart contracts was deployed with the balances corrected for duplications, the team added.
Blockchain security firm PeckShield Inc. audited the code, finding and fixing a number of issues.
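The self-transfer duplication described above can be modelled in a few lines, shown here next to a corrected transfer and the supply invariant a regression test would check. This is an added example, not bZx's contract code: the `Ledger` class, its method names and the sample balances are constructed, and the stale cached-balance pattern is an assumption about the kind of bug involved, since the article does not show the code.

```python
# Constructed model of a pool-token ledger; not bZx's contract code.
class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        # A transfer must never change this total.
        self.total_supply = sum(self.balances.values())

    def transfer_vulnerable(self, sender, recipient, amount):
        # Assumed bug pattern: both balances are read before either is written.
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        if amount <= 0 or amount > from_bal:
            raise ValueError("invalid amount")
        self.balances[sender] = from_bal - amount
        # When sender == recipient, this stale copy overwrites the debit above.
        self.balances[recipient] = to_bal + amount

    def transfer_fixed(self, sender, recipient, amount):
        if amount <= 0 or amount > self.balances.get(sender, 0):
            raise ValueError("invalid amount")
        if sender == recipient:
            return  # a self-transfer changes nothing
        self.balances[sender] -= amount
        # Credit from current state, not from a cached copy.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def supply_invariant_holds(self):
        # Sum of all balances must equal the supply recorded at creation.
        return sum(self.balances.values()) == self.total_supply


def run_scenario(method_name):
    """Apply a normal transfer, then a self-transfer; return (balances, invariant_ok)."""
    ledger = Ledger({"alice": 100, "bob": 50})  # constructed sample balances
    transfer = getattr(ledger, method_name)
    transfer("alice", "bob", 30)  # alice 70, bob 80
    transfer("bob", "bob", 80)    # self-transfer of bob's whole balance
    return ledger.balances, ledger.supply_invariant_holds()


if __name__ == "__main__":
    for name in ("transfer_vulnerable", "transfer_fixed"):
        balances, ok = run_scenario(name)
        print(f"{name}: {balances} invariant_ok={ok}")
```

Asserting the supply invariant after every transfer in a test suite, including the sender-equals-recipient case, flags this class of bug before deployment.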
“We’d like to show our support and confidence with @bZxHQ, one of the most audited protocols in #DeFi. During our audit, several issues were discovered and fixed.”
DeFi developer Marc Thalen posted on how he discovered the vulnerability and alerted the team before millions of dollars were pilfered.
1/4 Last night I found an exploit in BRZX. I noticed that a user was capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu
— Marc Thalen (@MarcThalen) September 14, 2020
Compound Finance founder Robert Leshner was of the opinion that bZx has taken things too lightly:
If I understand correctly, bZx lost:
Please, please pause operations until this can be re-audited and thoroughly analyzed–instead of saying “no big deal”.
This is NOT how you respond to a hack https://t.co/CqZltmNt1o
— Leshner (@rleshner) September 14, 2020
“The protocol is deeply insolvent, and they are relying on sweet-talking users into thinking it’s OK.”
According to Defipulse, collateral on the protocol has dumped to its lowest level in over a year, at below $500k.
This is a loss of over 97% from its all-time high of almost $20 million TVL in February 2020.
Not The First Time …
bZx has been here before: back in February, the protocol was exploited twice to the tune of almost a million dollars when malicious actors used flash loans to make off with huge profits in ETH.
Cinneamhain Ventures partner Adam Cochran pointed out that proper auditing is the way forward:
“This is their third major exploit, right? Even if they are covering funds, it’s way cheaper to get a few good audits done…”
At the time of writing, the platform’s native token, BZRX, had slumped 33% on the day to $0.44, according to Coingecko.com.