Whether DeFi protocols have been sufficiently secured remains an open question, as hacking incidents continue to hit projects across the space. Plenty of DeFi protocols currently on the market have not yet undergone a full audit of their code, while others carry flaws that are easily exploited, as in the recent Soft yearn.finance (SYFI) case.
This time, however, the DeFi protocol bZx has suffered a third hack despite completing several audits with smart-contract security firms such as PeckShield and CertiK. After two attacks and a loss of funds back in February, the team behind bZx had committed to preventing any further breaches, but the third hack apparently exploited an error in a few lines of code that allowed the attacker to duplicate iTokens. This led to a loss of roughly $8 million in assets as the total value locked (TVL) on the protocol suddenly plummeted by 30% on September 14.
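To make concrete what a token-duplication bug of this kind looks like, here is an added, constructed Python model; it is not from the article and not bZx's contract code. The specific mechanism it assumes is a self-transfer against stale balance snapshots (both balances are read into locals and then written back, so when sender and receiver are the same account the second write overwrites the debit). That mechanism is an assumption for illustration; the article itself only states that iTokens were duplicated. The block also shows the hardened update order and the supply invariant check (sum of balances must equal minted supply) that a duplication violates, which is the kind of signal that shows up as a TVL anomaly.

```python
"""Constructed model of a token-duplication bug and its fix (illustrative, not bZx's code)."""


class StaleReadToken:
    """Vulnerable ledger: snapshots both balances, then writes both back.

    If sender == receiver, the credit write clobbers the debit write, so the
    account gains `amount` without ever having been charged for it.
    """

    def __init__(self, balances):
        self.balances = dict(balances)
        # Supply is fixed at construction; no mint/burn exists in this model.
        self.total_supply = sum(balances.values())

    def transfer(self, sender, receiver, amount):
        bal_from = self.balances[sender]           # stale snapshot
        bal_to = self.balances.get(receiver, 0)    # stale snapshot (same value if receiver == sender)
        if amount > bal_from:
            raise ValueError("insufficient balance")
        self.balances[sender] = bal_from - amount
        # BUG: when sender == receiver this overwrites the debit above.
        self.balances[receiver] = bal_to + amount


class FixedToken(StaleReadToken):
    """Hardened ledger: debit first, then re-read the receiver balance from storage.

    A self-transfer therefore nets to zero instead of duplicating funds.
    """

    def transfer(self, sender, receiver, amount):
        if amount > self.balances[sender]:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount


def supply_invariant_holds(token):
    """Detection check: minted supply must equal the sum of all balances."""
    return sum(token.balances.values()) == token.total_supply


def run_self_transfers(token, account, rounds):
    """Send the account's entire balance to itself `rounds` times; return the final balance.

    On the vulnerable ledger the balance doubles every round; on the fixed one it is unchanged.
    """
    for _ in range(rounds):
        token.transfer(account, account, token.balances[account])
    return token.balances[account]


if __name__ == "__main__":
    # Constructed sample ledger: one attacker account and a pool holding the rest.
    seed = {"attacker": 100, "pool": 900}

    vulnerable = StaleReadToken(seed)
    print("vulnerable after 3 self-transfers:", run_self_transfers(vulnerable, "attacker", 3))
    print("supply invariant holds:", supply_invariant_holds(vulnerable))

    fixed = FixedToken(seed)
    print("fixed after 3 self-transfers:", run_self_transfers(fixed, "attacker", 3))
    print("supply invariant holds:", supply_invariant_holds(fixed))
```

The invariant check is cheap to run off-chain against emitted balances and would flag the duplication on the first bad transfer, well before a 30% TVL drop becomes visible on a dashboard.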
According to bZx's tweets, developers were first alerted to the issue when the TVL began to drop suspiciously. bZx temporarily paused lending and unlending and fixed the code shortly after, as described in its post-mortem report of the incident. However, despite analysts and other developers stating that funds were lost in this incident, bZx has reiterated that no user funds were at risk.
“Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows. As we have demonstrated before, the system is capable of absorbing black swan events that would otherwise negatively impact lender assets. Thanks to a protocol design that anticipates and accounts for tail events, this incident is surmountable. The debt will be wiped clean and the protocol will move forward unimpeded,” the announcement read.
Marc Thalen, a lead engineer at Bitcoin.com, said in a series of tweets that he tried to alert bZx's team to the issue, but "none of the founders were up". In a test, he managed to transfer $100 to himself, and then watched the attacker continue to withdraw funds while the bZx team scrambled to respond; he posted his messages to members of the team as proof.
In spite of bZx's report and its statement stressing that no funds were at risk, the community is not so convinced, with many users worried about the repeated coding errors.