CryptoPotato

    DeFi Protocol bZx Hacked Again: $8 Million Worth of ETH, LINK, Stablecoins Drained (Updated)

    Author: Himadri Saha

    Last Updated Feb 24, 2023 @ 21:34

    In yet another full-blown attack, hackers made away with crypto funds worth more than $8 million from DeFi lending protocol bZx.

In yet another jolt to the decentralized finance (DeFi) community, bZx, a margin and leverage-based lending and trading platform, became the target of another hack. In this attack, which was much bigger than the previous ones, hackers made away with $8 million worth of cryptocurrencies.

    bZx Hackers Deal 8 Times More Damage To The DeFi Protocol This Time

DeFi lending protocol bZx was attacked again. This time the hackers drained a little over $8 million worth of cryptocurrencies by leveraging a duplication bug that enabled them to make away with 219,199.66 LINK, 4,502.70 ETH, 1,756,351.27 USDT, 1,412,048.48 USDC and 667,988.62 DAI.

    bZx team member Anton Bukov shared a thread on Twitter, in which he admitted that a faulty line of code in the smart contract led to hackers initiating a series of iToken duplicating transactions to steal ETH:

We realized that initial source code works incorrectly when “_from” equals “_to” and leads to funds duplication. We found 9 exploiting transactions on $iETH lending token with 101778 $iETH tokens duplicated (worth ~4.7K $ETH) // @DuneAnalytics pic.twitter.com/IWodBkGaEq

    — Anton Bukov | k06a.eth (@k06a) September 13, 2020

    How Did It Happen Exactly?

On delving deeper, bZx’s official incident report reveals that the hackers leveraged a loophole in the transferFrom() function, which enables the transfer of ERC20 tokens from one protocol to the other.

    It was possible to call this function to create and transfer an iToken to yourself, allowing you to artificially increase your balance.

    To be precise:

    • Attackers invoked the transfer function with the same address as both _from and _to.
    • Then they immediately called the _internalTransferFrom function with the same set of arguments, making the lines of code below faulty.

[Image: faulty bZx smart contract code]

This resulted in _balancesFrom and _balancesTo being equal.

[Image: faulty bZx smart contract code 2]

This, in turn, enabled the attackers to ‘decrease the balance of _balancesFrom and increase the balance of _balancesTo’. As per the report:

    The user was effectively able to increase his balance artificially.

bZx patched the faulty code after the $8 million theft. The fix moves the read of _balancesTo to after the deduction from balances[_from], effectively preventing anyone from artificially inflating their balance.

[Image: bZx smart contract code fix]
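As an added illustration (not bZx's code, and Python rather than Solidity), the following models the _internalTransferFrom ordering described above: the pre-patch version reads both balances before writing either, so a transfer with _from equal to _to duplicates funds, while the patched ordering reads _to only after _from has been debited. The ledger contents and the IToken class name are constructed for the example.

```python
# Added example (not bZx's code): Python model of the iToken
# _internalTransferFrom logic, vulnerable ordering beside the patched one.
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class IToken:
    """Minimal ledger standing in for the iToken ERC20 balances mapping."""
    balances: Dict[str, int] = field(default_factory=dict)

    def total_supply(self) -> int:
        # Invariant a transfer must never change: the sum of all balances.
        return sum(self.balances.values())

    def transfer_vulnerable(self, _from: str, _to: str, value: int) -> None:
        """Pre-patch ordering: both balances are read before either is written."""
        balances_from = self.balances.get(_from, 0)
        balances_to = self.balances.get(_to, 0)      # stale when _from == _to
        if balances_from < value:
            raise ValueError("insufficient balance")
        self.balances[_from] = balances_from - value
        # With _from == _to this write overwrites the deduction above with
        # the stale value plus `value`, so the caller's balance grows.
        self.balances[_to] = balances_to + value

    def transfer_fixed(self, _from: str, _to: str, value: int) -> None:
        """Patched ordering: _to is read only after _from has been written."""
        balances_from = self.balances.get(_from, 0)
        if balances_from < value:
            raise ValueError("insufficient balance")
        self.balances[_from] = balances_from - value
        balances_to = self.balances.get(_to, 0)      # now sees the deduction
        self.balances[_to] = balances_to + value


def self_transfer_gain(transfer_name: str, start: int, value: int) -> Tuple[int, int]:
    """Return (change in caller balance, change in total supply) after a self-transfer.

    A correct implementation returns (0, 0): a transfer to yourself must be
    neutral and must never mint tokens out of thin air.
    """
    token = IToken({"user": start})           # constructed single-holder ledger
    supply_before = token.total_supply()
    getattr(token, transfer_name)("user", "user", value)
    return token.balances["user"] - start, token.total_supply() - supply_before


if __name__ == "__main__":
    print("vulnerable:", self_transfer_gain("transfer_vulnerable", 100, 100))
    print("fixed:     ", self_transfer_gain("transfer_fixed", 100, 100))
```

The supply delta is the useful regression check for any token contract: a transfer with any pair of addresses, including a self-transfer, must leave total supply unchanged.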

    The leading DeFi lending protocol went ahead and applied the patch after code auditing firms Certik and Peckshield gave the green light.

    Not The First Attack on bZx

It seems this year is not turning out to be a good one for bZx. As CryptoPotato reported, earlier this year, in February, a hacker dealt two consecutive blows and stole a combined $1 million in ETH.

The attacker used different methods in the two attacks. In the first one, on February 14, he/she borrowed 10,000 ETH from dYdX. Of the 10,000 ETH, 5,500 ETH was used to collateralize a loan of 112 wBTC on Compound.

Then the online robber spent 1,300 ETH to open a 5x leveraged ETH/BTC short position on bZx’s Fulcrum trading platform, while also borrowing 5,637 ETH through Kyber. He/she swapped this amount for 51 wBTC, causing serious slippage.

By swapping the 112 wBTC from Compound for 6,671 ETH, the hacker made a profit of 1,193 ETH, amounting to around $318,000 at the prices at the time.

    The second one that took place on February 18 saw the attacker leverage ‘oracle manipulation’ to game the system and drain around $600,000.

    Update: After the article went live, the bZx team announced that they’ve recovered the lost funds.

    📢 UPDATE:

    We are relieved to announce that the missing funds are now restored. More information will follow.

    Stay tuned!

    — bZx (@bZxHQ) September 14, 2020


    The article was first published on: Sep 14, 2020


    About The Author

    Himadri Saha

    Himadri’s love affair with cryptocurrencies began in 2016. Since then he has been a vocal proponent of crypto as a robust investment alternative to traditional options. Himadri believes that art and code can redefine the way we look at life. Contact Himadri: LinkedIn
