DeFi Lender bZx Loses $8M in Third Attack This Year

An attacker found a way to mint unbacked iTokens that they could then redeem against other cryptos held in lending pools for DeFi lender bZx.

Sep 14, 2020 at 9:58 a.m. UTC
Updated Sep 14, 2021 at 9:55 a.m. UTC

Decentralized finance (DeFi) protocol bZx has fallen victim to yet another attack after a bug in its code allowed someone to mint tokens they redeemed for cryptocurrencies on the protocol.

  • Co-founder Kyle Kistner told CoinDesk the company noticed something was wrong on Sunday when a single LINK withdrawal led to a $2.6 million drop in the protocol's total value locked (TVL).
  • The attack centered on the protocol's interest-earning iTokens, which users receive for crypto deposited into lending pools and later redeem for it.
  • Kistner said the attacker exploited a bug that tricked bZx into minting unbacked iTokens subsequently exchanged for cryptocurrencies held in the pools.
  • Per an incident report Sunday, the attacker managed to steal just under 220,000 LINK tokens, 4,507 ETH, 1.76 million USDT, 1.4 million USDC and 670,000 DAI.
  • At current spot prices, this works out as a loss of just over $8 million.
  • That's much more than the $630,000 and $350,000 hacks the protocol suffered in February, which both manipulated oracle price feeds in order to pay back bZx loans for far less than the actual amount.
  • bZx paused the protocol in the aftermath of Sunday's attack so the bug could be patched, and resumed operations hours later.
  • Kistner said the decision was taken in consultation with security experts, who had not instructed the company to shut down for any longer.
  • He added that the $8 million lost had already been debited by the protocol's insurance fund and would be paid out once the bZx community had ratified it.
  • The bug went undetected in two extensive code audits from cybersecurity firms CertiK and PeckShield.
  • Kistner declined to comment on the identity of the hacker.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.