Decentralized finance (DeFi) protocol bZx has fallen victim to yet another attack after a bug in its code allowed someone to mint tokens they redeemed for cryptocurrencies on the protocol.
- Co-founder Kyle Kistner told CoinDesk the company noticed something was wrong on Sunday when a single LINK withdrawal led to a $2.6 million drop in the protocol's total value locked (TVL).
- The attack basically centered around the protocol's interest-earning iToken that users receive and redeem for crypto deposited into lending pools.
- Kistner said the attacker exploited a bug that tricked bZx into minting unbacked iTokens subsequently exchanged for cryptocurrencies held in the pools.
- At current spot prices, this works out as a loss of just over $8 million.
- bZx paused the protocol in the aftermath of Sunday's attack so the bug could be patched, and resumed operations hours later.
- Kistner said the decision was taken in consultation with security experts, who had not instructed the company to shut down for any longer.
- He added the $8 million lost had already been debited by the protocol's insurance fund and will be paid out once the bZx community had ratified it.
- The bug managed to remain undetected in two extensive code audits from cybersecurity firms Certik and Peckshield.
- Kistner declined to comment on the identity of the hacker.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.