
DeFi Lender bZx Loses $8M in Third Attack This Year

An attacker found a way to mint unbacked iTokens that they could then redeem against other cryptos held in lending pools for DeFi lender bZx.

Sep 14, 2020 at 9:58 a.m. UTC
Updated Sep 14, 2021 at 9:55 a.m. UTC

Decentralized finance (DeFi) protocol bZx has fallen victim to yet another attack after a bug in its code allowed someone to mint tokens they redeemed for cryptocurrencies on the protocol.

  • Co-founder Kyle Kistner told CoinDesk the company noticed something was wrong on Sunday when a single LINK withdrawal led to a $2.6 million drop in the protocol's total value locked (TVL).
  • The attack centered on the protocol's interest-earning iToken, which users receive for, and redeem against, crypto deposited into lending pools.
  • Kistner said the attacker exploited a bug that tricked bZx into minting unbacked iTokens subsequently exchanged for cryptocurrencies held in the pools.
  • Per an incident report Sunday, the attacker managed to steal just under 220,000 LINK tokens, 4,507 ETH, 1.76 million USDT, 1.4 million USDC and 670,000 DAI.
  • At current spot prices, this works out to a loss of just over $8 million.
  • That's much more than the $630,000 and $350,000 hacks the protocol suffered in February, which both manipulated oracle price feeds in order to pay back bZx loans for far less than the actual amount.
  • bZx paused the protocol in the aftermath of Sunday's attack so the bug could be patched, and resumed operations hours later.
  • Kistner said the decision was taken in consultation with security experts, who had not instructed the company to shut down for any longer.
  • He added that the $8 million lost had already been debited by the protocol's insurance fund and would be paid out once the bZx community had ratified it.
  • The bug remained undetected through two extensive code audits by cybersecurity firms CertiK and PeckShield.
  • Kistner declined to comment on the identity of the hacker.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.
