The bZx DeFi protocol got hacked again, and the attackers made away with crypto funds worth more than $8 million from the DeFi lending protocol, as we read in today's crypto news.
In the latest blow to the decentralized finance community, the leverage-based lending and trading platform bZx suffered a hack. This one was much bigger than the first, as the attackers drained $8 million worth of LINK and ETH. It was the second attack on the DeFi lending protocol, but this time the attackers stole $8 million by leveraging a duplication bug that let them take not only LINK and ETH but also USDT, USDC and DAI. Anton Bukov shared a thread on Twitter explaining that a faulty line of code in the smart contracts allowed the attackers to run a series of iToken-duplicating transactions to steal ETH.
Our small investigation thread (with @semenov_roman_) on @bZxHQ “duplication incident”.https://t.co/en6LGTnW5z
— Anton Bukov | k06a.eth (@k06a) September 13, 2020
Digging deeper, the official bZx incident report showed that the loophole was in the transferFrom function, which moves ERC20 tokens from one address to another, and the attackers leveraged it. Calling this function with a crafted transfer of iTokens allowed a user to inflate their balance artificially. The attackers invoked the transfer function with the same from and to address, so it called the internal transfer-from function with the same arguments, which made the lines of code behave incorrectly: the cached _balancesFrom and _balancesTo values were equal.
As a result, according to the reports, the deduction from _balancesFrom was overwritten by the increase of _balancesTo, and users were able to increase their balance artificially. bZx patched the code after the $8 million theft; the fix moves the write of the recipient balance to after the deduction from the sender balance, preventing anyone from inflating a balance. The leading DeFi lending protocol deployed the patch after code-auditing firms gave the green light.
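To make the bug pattern concrete, here is an added example (not bZx's code; class and function names are assumptions) modelling the two versions of the internal transfer described above, plus the invariant an auditor would check: a transfer must never change the sum of all balances.

```python
# Added illustration, not the protocol's own code: a minimal ERC20-style ledger
# with the cached-balance transfer that breaks on a self-transfer, and the
# corrected version that re-reads the recipient balance after the deduction.
# Class and function names are assumptions, not bZx identifiers.

class CachedBalanceLedger:
    """Vulnerable pattern: both balances are read into locals up front."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, from_addr, to_addr, amount):
        balance_from = self.balances.get(from_addr, 0)  # cached _balancesFrom
        balance_to = self.balances.get(to_addr, 0)      # cached _balancesTo
        if amount > balance_from:
            raise ValueError("insufficient balance")
        self.balances[from_addr] = balance_from - amount
        # When from_addr == to_addr this write overwrites the deduction above,
        # so the account ends up with its old balance plus `amount`.
        self.balances[to_addr] = balance_to + amount


class FixedLedger:
    """Corrected pattern: the recipient balance is read after the deduction."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, from_addr, to_addr, amount):
        balance_from = self.balances.get(from_addr, 0)
        if amount > balance_from:
            raise ValueError("insufficient balance")
        self.balances[from_addr] = balance_from - amount
        # Re-read after the deduction: for a self-transfer this sees the
        # already-reduced balance, so the net effect is zero.
        self.balances[to_addr] = self.balances.get(to_addr, 0) + amount


def total_supply(ledger):
    return sum(ledger.balances.values())


def supply_conserved(ledger_cls, initial, from_addr, to_addr, amount):
    """Audit check: a transfer must never change the sum of all balances."""
    ledger = ledger_cls(initial)
    before = total_supply(ledger)
    ledger.transfer_from(from_addr, to_addr, amount)
    return total_supply(ledger) == before
```

Running `supply_conserved` with a self-transfer shows the cached-balance version minting tokens out of thin air while the fixed version keeps the total unchanged.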
However, this year has not been a good one for the platform. At the start of the year, attackers dealt it two consecutive blows and stole about $1 million in ETH. The methods differed between the two attacks: in the first one, the attackers borrowed 10,000 ETH from dYdX, and out of that 10,000 ETH, 5,000 were used to collateralize a loan for 112 wBTC on Compound.