Less than two weeks after re-deploying on mainnet, bZx has been exploited for $8.1 million of LINK, ETH, and stablecoins. The incident caused the BZRX token to fall over 30%, as the value of the token secures protocol deficits.

How Many Times Is Too Many?

Earlier this year, the team behind bZx paused the protocol after two consecutive hacks caused a mass outflow of capital. Promising to come back stronger, bZx built a new iteration of the product over six months. The protocol was finally deployed again on Sept. 2.

It’s been less than two weeks, and bZx has been attacked once again.

This time, however, the loss is exceptionally higher than before. Given prevailing prices at the time of the hacks, bZx had been previously exploited for $330,000 and $640,000, respectively.

The latest hack saw $8.1 million of customer funds lost.

1/4 Last night I found an exploit in BRZX. I noticed that a user were capable of duplicating “i tokens”. There was 20+ million $ at risk. I informed the team telling them to stop the protocol and explained the exploit to them. At this point none of the founders were up.. pic.twitter.com/MdJqOH2IPu

— Marc Thalen (@MarcThalen) September 14, 2020

bZx’s iToken’s were deployed with a bug that allowed users to increase their balances artificially. The platform’s sustained losses were as follows:

• 219,199.66 LINK ($2.61 million)
• 4,502.70 ETH ($1.65 million)
• 1,756,351.27 USDT
• 1,412,048.48 USDC
• 667,988.62 DAI

The insurance fund will bear the liability for these losses. Since the BZRX token derives a portion of its value from the insurance fund, its price tanked 31% yesterday.

BZRX is down 74% since peaking on Aug. 31.

Even after writing new code, employing fresh audits, and coming back to mainnet, bZx cannot seem to catch a break – and neither can their investors.

So @bZxHQ admins updated their tokens to unverified implementation with a backdoor that allows them to burn funds of any user. Then after burning funds of some users involved in hack, they updated to a normal implementation with bugfix. https://t.co/9529Ao93ly

— Roman Semenov 🌪️ 👹 (@semenov_roman_) September 13, 2020

In a blog post dissecting the incident, bZx attributed the multiple hacks to the protocol being “the most powerful, fully functioned lending protocol in the space, and this means that there is a lot of code to cover.”

Smart contracts are challenging, but suffering three exploits in seven months is absurd.

The fate of bZx is now solely in the hands of the DeFi community. Whether users will return to the protocol remains to be seen.