The BZX Fulcrum DeFi protocol, which was recently launched after a series of hacks in February that forced the team to regroup, has again been compromised for around $ 8 million.
According to the bZX crash report, the culprit is a line of code posted on the wrong side of the “iTokens” contract, a token representing a user’s share of a pool of assets – essentially the balance of a token deposit.
The solution was posted quickly so that it does not happen again. As explained by Anton Bukov, CTO of 1inch.exchange, simply moved a line of code to several features listed below.
The error echoes tokens when the user sends a transaction to himself through a specific job. Under the hood, the contract only deducts the cost of the transaction from the sender and adds it to the recipient. The nodes create temporary variables that represent the original sender and recipient balance, and use them to update them.
In the case of the same recipient and sender, the deduction occurred after the original balance variables were assigned. This means that the subtraction has no effect, so attackers can simply create new tokens of their choice.
The duplicate tokens were then exchanged based on their underlying guarantees, and now the hackers “own” a much higher percentage of the group, which allowed them to clear 219199.66 LINK, 4502.70 Ether (ETH) and 1756351.27 Tether (USDT )), $ 1412,048.48 in coins (USDC) and 667988.62 DAI (DAI) – for a total amount of USD 8 million.
The BZX team told Cointelegraph that the hacker returned the money on Monday and said: “The attacker was discovered and identified due to his online activity. Shortly afterwards, he went ahead and returned the stolen money. ”
Previous experience led bZX to set up an insurance fund to cover Black Swan incidents, so the stolen coins were deducted from the fund, which receives 10% of the protocol’s interest income. However, the Fulcrum protocol was disabled for a total of $ 6 million only after the accident.
Therefore, it can take considerable time to pay off this debt, and this depends on the success of the protocol, despite the presence of these errors. The BZX team has a strict commitment to security through several revisions of Certik and PeckShield, and a renewed bug bounty program.
This was not enough to indicate that it is more difficult to build a secure DeFi protocol than it may seem.