bZx had relaunched just two weeks ago, highlighting its increased focus on security after attackers were able to make $900k in two exploits earlier this year. Last night, it was exploited once more.
The hacker was able to duplicate tokens received in exchange for deposits in the protocol, called iTokens, and then use those iTokens to withdraw more funds than they had initially deposited. The attack yielded about 219k LINK, 4.5k ETH, 1.8M USDT, 1.4M USDC, and 668k DAI, or about $8M in tokens.
The bZx team was able to cover the stolen funds with its own insurance fund, which is made up of the project’s token treasury and cash flows, and in a statement said “the protocol will move forward unimpeded.”
The BZRX token is up 3.8% from yesterday, in line with the rest of the crypto market, but it’s lost more than 60% in the past two weeks, according to CoinGecko.
“We are grateful that our precautions and system design are capable of resolving incidents like this without issue,” the blog post said.
No Big Deal
Some in the Ethereum community were perplexed by the team’s apparently nonchalant attitude after losing around 30% of total value locked in its smart contracts to yet another hack. Additionally, Bitcoin.com engineer Marc Thalen said in a tweet he alerted the team to the hack hours before they responded.
“Please, please pause operations until this can be re-audited and thoroughly analyzed–instead of saying ‘no big deal,’” Compound Finance founder Robert Leshner said in a tweet.
Harder to Secure
bZx, which upgraded its protocol after the February hacks, had security firms PeckShield and CertiK audit the code, and it also performed “extensive automated testing,” according to its post-mortem. The post also said the scope and ambition of the protocol make it harder to secure than others.
And yet, “all the diligence does not guarantee safety,” Aave’s Stani Kulechov said. “Something that every DeFi user should understand.”