Decentralized finance (DeFi) protocol bZx has fallen victim to yet another attack after a bug in its code allowed someone to mint tokens they redeemed for cryptocurrencies on the protocol.
- Co-founder Kyle Kistner told CoinDesk the company noticed something was wrong on Sunday when a single LINK withdrawal led to a $2.6 million drop in the protocol's total value locked (TVL).
- The attack basically centered around the protocol's interest-earning iToken that users receive and redeem for crypto deposited into lending pools.
- Kistner said the attacker exploited a bug that tricked bZx into minting unbacked iTokens subsequently exchanged for cryptocurrencies held in the pools.
- Per an incident report Sunday, the attacker managed to steal just under 220,000 LINK tokens, 4,507 ETH, 1.76 million USDT, 1.4 million USDC and 670,000 DAI.
- At current spot prices, this works out as a loss of just over $8 million.
- That's much more than the $630,000 and $350,000 hacks the protocol suffered in February, which both manipulated oracle price feeds in order to pay back bZx loans for far less than the actual amount.
- bZx paused the protocol in the aftermath of Sunday's attack so the bug could be patched, and resumed operations hours later.
- Kistner said the decision was taken in consultation with security experts, who had not instructed the company to shut down for any longer.
- He added the $8 million lost had already been debited by the protocol's insurance fund and will be paid out once the bZx community had ratified it.
- The bug managed to remain undetected in two extensive code audits from cybersecurity firms Certik and Peckshield.
- Kistner declined to comment on the identity of the hacker.