Markets
Share this article

DeFi Lender bZx Loses $8M in Third Attack This Year

An attacker found a way to mint unbacked iTokens that they could then redeem against other cryptos held in lending pools for DeFi lender bZx.

By Paddy Baker
Updated Sep 14, 2021, 9:55 a.m. Published Sep 14, 2020, 9:58 a.m.
(Shutterstock)
(Shutterstock)

Decentralized finance (DeFi) protocol bZx has fallen victim to yet another attack after a bug in its code allowed someone to mint tokens they redeemed for cryptocurrencies on the protocol.

STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
By signing up, you will receive emails about CoinDesk products and you agree to our terms of use and privacy policy.

  • Co-founder Kyle Kistner told CoinDesk the company noticed something was wrong on Sunday when a single LINK withdrawal led to a $2.6 million drop in the protocol's total value locked (TVL).
  • The attack basically centered around the protocol's interest-earning iToken that users receive and redeem for crypto deposited into lending pools.
  • Kistner said the attacker exploited a bug that tricked bZx into minting unbacked iTokens subsequently exchanged for cryptocurrencies held in the pools.
  • Per an incident report Sunday, the attacker managed to steal just under 220,000 LINK tokens, 4,507 ETH, 1.76 million USDT, 1.4 million USDC and 670,000 DAI.
  • At current spot prices, this works out as a loss of just over $8 million.
  • That's much more than the $630,000 and $350,000 hacks the protocol suffered in February, which both manipulated oracle price feeds in order to pay back bZx loans for far less than the actual amount.
  • bZx paused the protocol in the aftermath of Sunday's attack so the bug could be patched, and resumed operations hours later.
  • Kistner said the decision was taken in consultation with security experts, who had not instructed the company to shut down for any longer.
  • He added the $8 million lost had already been debited by the protocol's insurance fund and will be paid out once the bZx community had ratified it.
  • The bug managed to remain undetected in two extensive code audits from cybersecurity firms Certik and Peckshield.
  • Kistner declined to comment on the identity of the hacker.

See also: DeFi Project dForce Refunds All Affected Users After $25M Hack

HacksDeFibZxCoinFlash

Mais para você

Protocol Research: GoPlus Security

Por CoinDesk Research
14 de nov. de 2025
Commissioned byGoPlus
GP Basic Image

O que saber:

  • As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
  • GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
  • Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
View Full Report

Mais para você

Proposed ‘AfterDark’ Bitcoin ETF Would Skip U.S. Trading Hours

Por Helene Braun|Editado por Stephen Alpher
há 1 hora
Bitcoin and ether sink to multi-month lows (Getty Images/Unsplash+)

The fund would hold bitcoin only overnight, betting on data showing bitcon gains mostly occur outside regular market hours.

O que saber:

  • Nicholas Financial has filed with the SEC to launch a bitcoin ETF that holds BTC only during overnight hours.
  • The “AfterDark” ETF buys bitcoin after U.S. stocks close for the day and then sells bitcoin and shifts into Treasuries during the American session.
  • Data shows bitcoin tending to perform better when traditional U.S. markets are closed.
Leia a história completa