DeFi platform bZX sees new $8M hack from one misplaced line of code

Published at: Sept. 14, 2020

The Fulcrum DeFi protocol developed by bZX, which had recently relaunched after a series of hacks in February forced the team to regroup, was hacked once again to the tune of about $8 million.

According to the incident disclosure by bZX, the culprit is one line of code placed at the wrong location in the contract for its “iTokens,” the token representing a user’s share in the pool of supplied assets — essentially a tokenized deposit balance.

A fix was quickly deployed to prevent further occurrences. As Anton Bukov, chief technology officer at 1inch.exchange highlighted, the fix simply moved one line of code several positions below.

The bug duplicated tokens when a user sent a transaction to themselves through a particular function. Under the hood, the contract simply subtracts the value of the transaction from the sender’s and adds it to the receiver’s. The contract created temporary variables representing the initial balances of the sender and receiver, and used those to update them.

In the case when the receiver and the sender are the same, however, the subtraction occured after the initial balance variables were set. This meant that the subtraction had no effect, so the attackers could simply create new tokens at will.

The duplicated tokens were then redeemed for their underlying collateral, with the hackers now “owning” a much higher percentage of the pool that let them drain 219,199.66 LINK, 4,502.70 Ether (ETH), 1,756,351.27 Tether (USDT), 1,412,048.48 USD Coin (USDC) and 667,988.62 Dai (DAI) — a total of $8 million in value.

The bZX team told Cointelegraph that the hacker returned the money on Monday, saying, “The attacker was tracked and identified due to their on-chain activity, he came forward shortly after this and returned the funds stolen.”

Past experience led bZX to create an insurance fund to cover for these “black swan events,” and the stolen coins were thus debited on the fund, which receives 10% of the protocol’s revenue through interest rates. Nevertheless, the Fulcrum protocol was left with just $6 million in total value locked after the incident.

Repaying that debt may thus require a significant amount of time, and is predicated on the protocol achieving success despite suffering these bugs. The bZX team made a hard commitment to secure practices with multiple audits from Certik and PeckShield, as well as a reinvigorated bug bounty program.

That appears to have been insufficient, which highlights that creating a secure DeFi protocol is harder than it may seem.

Update, 16:30 UTC: The article was updated with additional developments in the story.

Tags
Technology
Blockchain
Defi
Hacks
Related Posts
‘DeFi done right’: Layer-one protocol launches mainnet
A decentralized finance protocol has launched its mainnet — describing it as a crucial step on the journey to a frictionless financial future. Radix, which describes itself as a platform for smart money, is also launching Instapass with its Olympia mainnet — an optional user and developer service that delivers the world’s first single sign-on solution for building compliant DeFi. The Radix mainnet is being positioned as a generational improvement in the history of decentralized ledger computing — and one that delivers 100 times more executional efficiency than the Ethereum Virtual Machine. This comes hot on the heels of the …
Decentralization / July 29, 2021
The importance of decentralized oracles: Interview with Sergey Nazarov
Chainlink co-founder Sergey Nazarov believes that increasing the decentralization and scalability of oracle technologies are key to ensure trust in the DeFi ecosystem. Oracles play a key role in the correct functioning of DeFI protocols by connecting them to real-world data. However, the trustworthiness of oracles becomes compromised in instances where they rely on a single data source to retrieve information. For instance, according to Nazarov, excessively centralized oracles enabled five recent flash loan attacks, which resulted in DeFi protocols losing around $40 million. Flash loans, a form of loan that does not require any collateral, can be used to …
Decentralization / Dec. 19, 2020
The unluckiest DeFi protocol? A personal take on bZX’s tumultuous year
Decentralized finance platform bZX has frequently been in the spotlight this year, only not for the right reasons. Most DeFi platforms popular today, including bZX, began their journey around 2018, at the tail-end of the initial coin offering boom. In 2019, DeFi started gaining traction, though it was still a somewhat ignored sector of the industry. As growth continued, suspicions began to rise that major hacks, typical of the digital asset sector, were overdue. Due to the complexity and novelty of these platforms, it was reasonable to assume that not all of them were impervious to bugs. This year can …
Technology / Oct. 24, 2020
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Report: GALA token exploit resulted from public leak of private key on GitHub
According to a new post by blockchain security firm SlowMist on Nov. 7, it appears that the last week’s token exploit affecting GameFi project Gala Games resulted from a public leak of applicable security keys on GitHub. As told by SlowMist, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, had three privileged roles in its smart contract pGALA. “The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE ), and the …
Technology / Nov. 7, 2022