bZx, the DeFi platform taken for thousands of ETH on two separate occasions earlier in the year, has lost $8 million worth of tokens in an ‘iToken Duplication Incident’
User funds were never at risk after the smart contract error was spotted yesterday
Malicious actors could have created duplicate tokens and sent them to themselves
bZx, the DeFi platform that suffered two attacks within a week six months ago, has suffered another setback, this time being hit by an ‘iToken Duplication Incident’. The smart contract fault meant that, for a short while, there was the possibility for bad actors to create tokens and send them to themselves, allowing them to artificially increase their balances. However, the issue was dealt with swiftly and effectively by the team, with assurances that no user funds were ever at risk, although the team did incur an $8 million token loss.
⚠️ 📢 UPDATE:
1/ At 3:28 AM EST we began investigating a drop in the protocol TVL. By 6:18 AM EST we confirmed that a duplication incident had occurred with several of the iTokens.
— bZx (@bZxHQ) September 13, 2020
bZx Acts Quickly
The incident was first spotted yesterday when bZx exchange developers noticed a drop in the platform’s total value locked (TVL). The incident was quickly investigated and the culprit identified as an itoken duplication event, where some token creation events were duplicated, leading to the loss of a number of tokens:
The platform was temporarily paused but bZx was quick to assert that no user funds were at risk:
No funds are at risk. There is no need to close loans.
— bZx (@bZxHQ) September 13, 2020
$8 Million in Crypto Lost
The incident left the bZx fund with an $8 million deficit, an amount described as “surmountable” by the team, with funds now added by bZx to the insurance fund to bring it back to parity:
As we have demonstrated before, the system is capable of absorbing black swan events that would otherwise negatively impact lender assets. Thanks to a protocol design that anticipates and accounts for tail events, this incident is surmountable. The debt will be wiped clean and the protocol will move forward unimpeded.
The token duplication issue was unconnected to the losses incurred by bZx earlier in the year, which saw individuals working out how to game the various interconnected DeFi platforms to walk off with hundreds of thousands of dollars’ worth of ETH.