The Fulcrum DeFi protocol developed by bZx, which was recently relaunched after a series of hacks in February that forced the team to regroup, has been hacked again, this time for nearly $8 million.
According to the incident report from bZx, the culprit is a misplaced line of code in the contract for its “iTokens”, a token representing the user’s share of the pool of supplied assets – essentially a tokenized deposit balance.
A fix was quickly deployed to prevent further exploitation. As noted by Anton Bukov, technology director at the 1inch exchange, the line of code was moved slightly down.
The bug duplicated tokens when a user sent a transfer to themselves through a particular function. Under the hood, the contract simply subtracts the value of the transaction from the sender’s balance and adds it to the recipient’s. Temporary variables are created in the contract that represent the original balances of sender and recipient, and are used to update them.
However, if the recipient and the sender are the same, the subtraction occurs after the original balance variables are set. This means that the subtraction has no effect, so attackers could simply create new tokens at will.
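The self-transfer flaw described above, modeled as an added example: a simplified Python ledger written for this page, not bZx's contract code, with hypothetical class, method and account names. It compares caching both balances up front with reading the recipient's balance only after the sender's write, and measures the total-supply invariant that a regression test would assert.

```python
# Simplified token-ledger model (constructed for illustration; not bZx's code).

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer_vulnerable(self, sender, recipient, amount):
        # Both original balances are cached before either one is written.
        sender_before = self.balances.get(sender, 0)
        recipient_before = self.balances.get(recipient, 0)
        if amount < 0 or amount > sender_before:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_before - amount
        # When sender == recipient, this write uses the stale cached value
        # and overwrites the subtraction made on the previous line.
        self.balances[recipient] = recipient_before + amount

    def transfer_fixed(self, sender, recipient, amount):
        sender_before = self.balances.get(sender, 0)
        if amount < 0 or amount > sender_before:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_before - amount
        # The recipient read is moved below the sender write, so a
        # self-transfer sees the already-reduced balance.
        recipient_before = self.balances.get(recipient, 0)
        self.balances[recipient] = recipient_before + amount


def supply_change(method_name, sender, recipient, amount):
    """Return the total-supply delta caused by one transfer (should be 0)."""
    ledger = Ledger({"alice": 100, "bob": 50})  # constructed sample balances
    before = ledger.total_supply()
    getattr(ledger, method_name)(sender, recipient, amount)
    return ledger.total_supply() - before


if __name__ == "__main__":
    for method in ("transfer_vulnerable", "transfer_fixed"):
        for recipient in ("bob", "alice"):
            delta = supply_change(method, "alice", recipient, 40)
            print(f"{method:20} alice->{recipient:5} supply delta = {delta}")
```

A nonzero supply delta on any transfer, including sender equal to recipient, is the condition a unit or property test should fail on.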
The duplicated tokens were then redeemed for the underlying collateral, and the hackers now held a much higher share of the pool, allowing them to drain 219,199.66 LINK, 4,502.70 Ether (ETH), 1,756,351.27 Tether (USDT), 1,412,048.48 USD Coin (USDC) and 667,988.62 Dai (DAI) – totaling $8 million.
Previous experience prompted bZx to set up an insurance fund to cover “black swan events”, so the stolen coins were debited to the fund, which receives 10% of the protocol’s interest income. However, the Fulcrum protocol was left with only $6 million after the incident.
Hence, repaying this debt can take a long time, and it depends on the protocol continuing to succeed despite the setbacks it has suffered. The bZx team is committed to security through multiple audits from Certik and PeckShield, as well as its recently updated bug bounty program.
That was apparently not enough, highlighting that establishing a secure DeFi protocol is more difficult than it might sound.