The bZx protocol was attacked again, with total losses of more than 8 million in assets. Meanwhile, the effective coverage of the decentralized insurance Nexus Mutual exceeded US$200 million, double the previous day's figure.
Written by: Zhang Gaijuan
Yesterday, the DeFi lending protocol bZx was attacked for the third time in a year. Because of a duplication bug in its code, more than 8 million in assets were lost in total. This came less than two weeks after the new version of bZx was deployed. As a result, the bZx token BZRX has fallen nearly 30% in the past 24 hours, from 0.6679 USDT to 0.4 USDT, and was trading at 0.44 USDT at the time of posting.
BZRX 30-minute candlestick chart, source: Binance
At the same time, bZx's total value locked plummeted by 99.71% from yesterday, almost to zero, and is currently only $176.
At around 3:30 pm Beijing time on September 14, bZx noticed that the protocol's total value locked (TVL) had dropped significantly. About 3 hours later, bZx confirmed a duplication incident affecting multiple iTokens: the _internalTransferFrom() function in the iToken contract behaved abnormally. The attacker called the transfer function with the same _from and _to addresses. After confirming the problem, bZx immediately suspended the lending operation.
bZx said that the abnormal behavior of the function has been repaired and the protocol has resumed normal operation. Borrowing and trading are not affected, and user funds are not at risk. bZx has also deployed a new version of the iToken contract and reset the balances affected by the duplication incident. The repaired code has been sent to blockchain security companies PeckShield and CertiK for review. The minting and burning of iTokens has now resumed.
The information disclosed by bZx shows that the following debts were added to its insurance fund after this duplication incident: nearly 220,000 LINK, 4,502 ETH, 1,756,400 USDT, 1.412 million USDC, and 668,000 DAI. At current prices, the total value is more than 8 million US dollars, as follows:
- 219,199.66 LINK
- 4,502.70 ETH
- 1,756,351.27 USDT
- 1,412,048.48 USDC
- 667,988.62 DAI
Robert Leshner, the founder of the decentralized lending protocol Compound, said that this means that bZx has lost more than 8 million worth of assets, and suggested that bZx re-audit the contract instead of just saying “no big deal” to users.
In response to the attack on the bZx protocol, Bitcoin.com chief engineer Marc Thalen stated that he discovered the vulnerability in bZx last night, and that assets worth more than 20 million US dollars were in danger. Marc Thalen stated that he notified the bZx team of the vulnerability, but the team responded too slowly. By the time the bZx team learned of the vulnerability, the attackers had almost drained the DAI and USDC assets. Had the attacker had more time, the entire pool might have been drained. One of the founders of bZx stated in the Telegram group that the project's security team recommended a $12,500 bounty for Marc Thalen.
Anton Bukov, the co-founder of 1inch, had also discovered the vulnerability earlier. He said, “We discovered that someone used the vulnerability two days ago to increase their balance to 153.6 million iUSDT and began to transfer from the USDT pool until the bZx protocol administrator destroyed 151.9 million iUSDT, which shows that 1.7 million USDT appears to have been stolen.”
Regarding the bZx protocol administrator destroying iUSDT, Ethereum developer Roman Semenov explained that the bZx protocol administrator used a backdoor that allows it to destroy any user's funds, and then updated the token's implementation to an unverified one. After destroying some of the user funds involved in the attack, the administrator updated it back to the normal implementation once the vulnerability was fixed.
bZx further explained that the protocol had previously been audited by blockchain security companies PeckShield and CertiK and had undergone a large number of automated tests, but passing an audit does not ensure that the protocol is 100% secure. PeckShield and CertiK are analyzing the root cause of this incident.
Frequent attacks on DeFi projects stimulate demand for decentralized insurance
In fact, this is not the first time the bZx protocol has been attacked. In mid-February this year, the bZx protocol was attacked twice, with a total loss of more than 900,000 in assets. In the middle of the month, bZx co-founder Kyle Kistner stated, “Part of the ETH has been lost. This incident was caused by the use of a contract, and the other funds were safe.” According to estimates by industry insiders, this loss amounted to approximately US$350,000.
Three days later (February 18), bZx was attacked again. bZx stated that it had discovered another suspicious transaction using flash loans. The attacker subsequently used Synthetix transactions, but the Synthetix system was not affected.
In addition to bZx, with the recent increase in DeFi popularity, security issues have become the biggest challenge in the DeFi industry. According to PeckShield data, a total of 28 security incidents occurred in August, of which 8 occurred in the DeFi market.
Because of this, market demand for decentralized insurance has emerged. According to Nexus Mutual Tracker data, the effective coverage of decentralized insurance Nexus Mutual has now exceeded US$200 million, more than 20 times the figure of two months ago.
In the past 24 hours or so, this data has risen by 130%. Today’s bZx security incident has clearly become an important catalyst for the “Great Leap Forward” growth of decentralized insurance.
Effective coverage of decentralized insurance Nexus Mutual, source: Nexus Mutual Tracker
It is conceivable that with the continuous development of the DeFi market, market segments such as decentralized insurance and oracles are expected to continue to grow.
Technical details and progress updates on the security vulnerabilities of the bZx protocol code
According to the vulnerability report released by bZx, the team's progress after the incident and the technical details are as follows:
- The team noticed an abnormal change in the total value locked in the protocol;
- The team identified abnormal behavior related to the _internalTransferFrom() function on iToken;
- The team suspended the minting and burning of iTokens after deciding on a repair plan, while borrowing and trading were not affected;
- The team deployed a new version of the iToken contract and reset the balances;
- The repaired code was sent to PeckShield and CertiK for review;
- The minting and burning of iTokens resumed.
In Ethereum ERC20 tokens, the transferFrom() function (the transfer function) transfers a given amount of tokens from one address to another, that is, it sends _value tokens from address _from to address _to.
In this iToken duplication incident, the attacker called the transfer function with the same _from and _to addresses.
When _from and _to are the same address, _balancesFrom and _balancesTo are equal.
As a result, the _balancesTo balance is increased while the _balancesFrom balance is reduced, and both _balancesFromNew and _balancesToNew are saved, which allows users to artificially increase their balance.
The repaired code obtains the balancesTo balance only after the balances[_from] balance has been reduced, which prevents users from artificially increasing their balances.
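The ordering problem described above can be modelled outside the contract. The following Python sketch is an added example, not bZx's Solidity code and not part of the original article: it reuses the local names from the text, the account names and amounts are constructed, and it checks the invariant an auditor would test for, namely that a transfer never changes the sum of all balances, including when _from equals _to.

```python
# Added illustration: a minimal ledger model, not bZx's Solidity source.
# Local names mirror those in the text; the account names and amounts
# are constructed sample data.


def transfer_cached(balances, _from, _to, _value):
    """Flawed ordering: both balances are read before either is written."""
    _balancesFrom = balances.get(_from, 0)
    _balancesTo = balances.get(_to, 0)
    if _value > _balancesFrom:
        raise ValueError("insufficient balance")
    _balancesFromNew = _balancesFrom - _value
    _balancesToNew = _balancesTo + _value
    balances[_from] = _balancesFromNew
    # When _from == _to this write overwrites the debit above with a value
    # computed from the stale pre-debit read, so the balance only grows.
    balances[_to] = _balancesToNew


def transfer_fixed(balances, _from, _to, _value):
    """Repaired ordering: the recipient balance is read after the debit."""
    _balancesFrom = balances.get(_from, 0)
    if _value > _balancesFrom:
        raise ValueError("insufficient balance")
    balances[_from] = _balancesFrom - _value
    balances[_to] = balances.get(_to, 0) + _value


def supply_change(transfer, balances, _from, _to, _value):
    """Apply `transfer` to a copy of the ledger and return the change in the
    sum of all balances. A transfer must conserve supply, so anything other
    than 0 means tokens were created or destroyed."""
    ledger = dict(balances)
    before = sum(ledger.values())
    transfer(ledger, _from, _to, _value)
    return sum(ledger.values()) - before


def check_all_pairs(transfer, balances, _value):
    """Return every (_from, _to) pair, self-transfers included, for which
    the supply-conservation invariant fails."""
    return [(f, t) for f in balances for t in balances
            if supply_change(transfer, balances, f, t, _value) != 0]


if __name__ == "__main__":
    sample = {"alice": 100, "bob": 50}  # constructed balances
    print("cached order:", check_all_pairs(transfer_cached, sample, 40))
    print("fixed order: ", check_all_pairs(transfer_fixed, sample, 40))
```

A test suite that only transfers between distinct accounts passes for both orderings; only the self-transfer pairs expose the flawed one.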