Kyle Kistner – Idelto

Defi Platform Bzx Recovers Stolen $8.1 Million From Hacker

Decentalized finance (defi) protocol Bzx has recovered the $8.1 million it lost to a hacker a few days ago. The company claims it was able to track down the cyber thief, whom it refused to name for legal reasons, through their on-chain activity. Cornered, the attacker returned the loot.

“All funds have been recovered from the attacker. We are restoring the system,” said Kyle Kistner, co-founder of Bzx, in a statement released on September 15. “The funds are now in the team wallet and being used to restore the lending pools.”

On September 13, a faulty code in Bzx smart contracts allowed the hacker to mint 219,200 LINK tokens (valued at $2.6 million); 4,503 ETH ($1.65 million); 1,756,351 USDT ($1.76 million); 1,412,048 USDC ($1.4 million) and 667,989 DAI (worth $681,000) – all totaling $8.1 million.

Marc Thalen, the Bitcoin.com lead engineer who discovered the bug, has finally been paid a bounty of $45,000. Initially, Bzx did not want to pay out that much amount of money to Thalen, offering him just $12,500 as bounty because “Marc had only reported the issue when the attack had mostly concluded.”

In a thread on Twitter, Thalen complained: “Bzx just mentioned on a call it doesn’t feel like it’s worth more than 12.5k as their ‘independent’ panel decided to and they feel like sticking to it. They are not willing to disclose [the] identities of the panel. [I’m] really disappointed in Bzx.”

However, that figure severely undermined the protocol’s own bug bounty policy for high-level discoveries, which can be paid up to $350,000. Bzx later reconsidered its position following a massive social media backlash and paid Thalen a “reasonable” $45,000.

Peckshield, one of the two audit firms that failed to identify the defective code that led to the theft of the $8.1 million crypto, said in a letter to the Bzx community that its initial audit identified 16 security issues that were fixed – but that is never enough.

“Bzx and Peckshield are developing a plan to re-examine the protocol and set up real-time monitoring on key blockchain data indicators,” it wrote. The measure is expected to enhance security on the platform.

What do you think about Bzx recovering the $8.1 million stolen crypto? Let us know in the comments section below.

The post Defi Platform Bzx Recovers Stolen $8.1 Million From Hacker appeared first on Bitcoin News.

So called decentralized finance (defi) lending platform Bzx on Sunday lost $8.1 million in a new hacking attack, the third this year, caused by a flawed code in its smart contracts.

The bug allowed the hacker to mint 219,200 LINK tokens (valued at $2.6 million); 4,503 ETH ($1.65 million); 1,756,351 USDT ($1.76 million); 1,412,048 USDC ($1.4 million) and 667,989 DAI (worth $681,000).

Marc Thalen, lead engineer at Bitcoin.com, first discovered the vulnerability in the smart contracts and reported it to Bzx, warning $20 million was at risk.

In a statement, Bzx co-founder Kyle Kistner said that the defective code permitted an attacker to duplicate assets or even increase the balance of the protocol’s interest-bearing token called iTokens.

Bzx noticed the security breach some hours later and immediately halted minting and burning of iTokens. Trading resumed after a fix that corrected the balances and duplications.

Kistner detailed that investor funds faced no risk as they were promptly compensated. He said:

No funds are at risk. Due to a token duplication incident, the protocol insurance fund has transiently accrued a debt. The insurance fund is backstopped by both the token treasury in addition to protocol cash flows.

Thalen exploited the faulty code himself, generating a loan of 100 USDC. “From this I retrieved iUSDC. I then sent this to myself practically duplicating the funds. I then created a claim for 200 USD,” he tweeted.

Two audit firms, Peckshield and Certik, failed to pick up the flawed smart contracts code. Peckshield responded, saying: “One audit cannot guarantee to find all potential issues, but with continuous work from developers and auditors, we are getting ever closer to the goal of minimizing security risks.”

This is the third time that Bzx has been attacked in 2020. Two separate attacks in February cost the protocol just under $1 million. Founded in 2017, Bzx is a decentralized protocol built on the Ethereum blockchain for lending and trading with margin and leverage.

What do you think about the recurring hacks at Bzx? Let us know in the comments section below.

The post Defi Protocol Bzx Loses $8.1 Million in Third Hack This Year appeared first on Bitcoin News.