The Fulcrum DeFi protocol developed by bZX, which had recently relaunched after a series of hacks in February forced the team to regroup, was hacked once again to the tune of about $8 million.
According to the incident disclosure by bZX, the culprit is one line of code placed at the wrong location in the contract for its “iTokens,” the token representing a user’s share in the pool of supplied assets — essentially a tokenized deposit balance.
A fix was quickly deployed to prevent further occurrences. As Anton Bukov, chief technology officer at 1inch.exchange highlighted, the fix simply moved one line of code several positions below.
The bug duplicated tokens when a user sent a transaction to themselves through a particular function. Under the hood, the contract simply subtracts the value of the transaction from the sender’s and adds it to the receiver’s. The contract created temporary variables representing the initial balances of the sender and receiver, and used those to update them.
In the case when the receiver and the sender are the same, however, the subtraction occured after the initial balance variables were set. This meant that the subtraction had no effect, so the attackers could simply create new tokens at will.
The duplicated tokens were then redeemed for their underlying collateral, with the hackers now “owning” a much higher percentage of the pool that let them drain 219,199.66 LINK, 4,502.70 Ether (ETH), 1,756,351.27 Tether (USDT), 1,412,048.48 USD Coin (USDC) and 667,988.62 Dai (DAI) — a total of $8 million in value.
The bZX team told Cointelegraph that the hacker returned the money on Monday, saying, “The attacker was tracked and identified due to their on-chain activity, he came forward shortly after this and returned the funds stolen.”
Past experience led bZX to create an insurance fund to cover for these “black swan events,” and the stolen coins were thus debited on the fund, which receives 10% of the protocol’s revenue through interest rates. Nevertheless, the Fulcrum protocol was left with just $6 million in total value locked after the incident.
Repaying that debt may thus require a significant amount of time, and is predicated on the protocol achieving success despite suffering these bugs. The bZX team made a hard commitment to secure practices with multiple audits from Certik and PeckShield, as well as a reinvigorated bug bounty program.
That appears to have been insufficient, which highlights that creating a secure DeFi protocol is harder than it may seem.
Update, 16:30 UTC: The article was updated with additional developments in the story.