DeFi protocol bZx has fallen victim to another attack after a bug in its code allowed an attacker to mint tokens that were then redeemed for crypto assets held by the protocol.
Co-founder Kyle Kistner revealed that the firm noticed something was wrong earlier on Sunday, when a single LINK withdrawal caused a $2.6 Mln drop in the protocol's TVL (total value locked).
The attack centered on the protocol's interest-earning iToken, which users receive when they deposit crypto into lending pools and can later redeem for the deposited assets.
Kistner added that the attacker exploited a bug that tricked bZx into minting unbacked iTokens, which were subsequently exchanged for cryptocurrencies held in the pools.
According to the official report, the attacker stole slightly over 220k LINK tokens, 4,507 ETH, 1.76 Mln USDT, 1.4 Mln USDC and 670k DAI.
At current prices, this amounts to a loss of just over $8 Mln. That is far more than the $630k and $350k hacks the protocol suffered earlier in the year, in February, both of which manipulated oracle price feeds so that bZx loans could be repaid for far less than the amount actually owed.
bZx paused the protocol in the aftermath of Sunday's attack so that the bug could be fixed, and resumed operations hours later.
Kistner said the decision was made in consultation with security experts, who had not advised the firm to stay shut down any longer.
He added that the $8 Mln lost had already been debited from the protocol's insurance fund and would be paid out once the bZx community ratified it.
The bug went undetected through two extensive code audits by the cybersecurity firms Certik and Peckshield.
At the time of reporting, Kistner had declined to discuss the identity of the attackers.