The bZx decentralized lending protocol has been hacked again. Where the earlier attacks cost it less than $1 million, this time the attackers were able to steal about $8 million in cryptocurrency.
The attackers exploited a vulnerability in the iToken code that allowed these tokens to be duplicated. They stole about 30% of the total user funds locked on the exchange. bZx representatives stressed that the vulnerability was confirmed by PeckShield and CertiK and then fixed by the development team. At the same time, Bitcoin.com lead engineer Marc Thalen said that he had informed the bZx team about the vulnerability before the hack:
“Last night I found a vulnerability in bZx. I found that users could duplicate iTokens, and more than $20 million in funds were at risk. I informed the team about this and said that the protocol should be suspended, but it all took a long time. By the time the smart contracts were suspended, the attackers had already exploited the vulnerability. I am sure that if the hackers had had more time, they would have completely withdrawn users’ funds from the exchange.”
The new bZx hack once again raises the question of security in the decentralized finance (DeFi) industry. Aave CEO Stani Kulechov emphasized that, despite many security audits after the first hacks, vulnerabilities still appear in the project. Users of decentralized applications need to keep this in mind. As a reminder, the bZx protocol was hacked twice in mid-February: the first time the attackers stole $345,000 worth of cryptocurrency, and the second time $645,000.