Another new hole in the Gruyère bZx

In February 2020, the bZx platform experienced, in quick succession, two „attacks“ which are in fact ingenious exploitations of flash loans and price oracle manipulation. These loopholes made it possible to extract respectively $360,000 and $645,000 worth of ethers (ETH) from the bZx protocol.

Marc Thalen, chief engineer at, was among the first to point out this new flaw to the bZx teams.

„Last night [13 September] I found a weakness in BRZX. I noticed that a user was able to duplicate „iTokens“. There was over $20 million at stake. I informed the team and told them to stop the protocol and explained the exploit. »

Marc Thalen explains, with supporting evidence, that he himself has tested this flaw. He was thus able to transform 100 dollars of stable corners into 200 dollars! But the damage had already been done…

LINK, ETH, stable corners: an $8 million razzia The faulty code, which effectively allowed assets to be duplicated using bZx protocol iTokens, let an attacker get away with :

219,000 LINK, about 2.5 million dollars;
4,503 ethers (ETH) or $1.6 million;
1.7 million USDT;
1.4 million USDC;
668,000 DAI.

In a publication on their blog, the bZx teams do not explain how such a loophole was able to get through two audits.

„The protocol has been thoroughly audited by the major security companies Peckshield and Certik. »

This $8 million leakage of Bitcoin Machine represents 30% of the total value of locked assets (or „TVL“) in the bZx protocol. User assets would not be affected, however, as the lost sums would have been compensated by the bZx insurance fund (although one would not want to be in the place of the insurer!).

According to Anton Bukov, co-founder of exchange 1inch, it seems that the disaster could have been even greater. The attacker would indeed have accumulated 153.6 million iUSDT before starting to drain the USDT from the exchange pool. But the bZx teams would have destroyed 151.9 million iUSDT (by burn) when they saw this move. This explains the final leakage of „only“ 1.7 million USDT.

We may be on the verge of a bigger scandal for this DeFi protocol. All the cryptos in the protocol could potentially have been siphoned off. This implementation of a „backdoor“ in the smart contract, which temporarily allowed the bZx developers to destroy the iTokens, also risks causing a lot of chatter for its more centralised rather than decentralised side.