DeFi platform bZX sees new $8M hack from one misplaced line of code

The Fulcrum DeFi protocol developed by bZX, which had recently relaunched after a series of hacks in February forced the team to regroup, was hacked once again to the tune of about $8 million.

According to the incident disclosure by bZX, the culprit is one line of code placed at the wrong location in the contract for its "iTokens," the token representing a user's share in the pool of supplied assets - essentially a tokenized deposit balance.

Exchange highlighted, the fix simply moved one line of code several positions below.

The bug duplicated tokens when a user sent a transaction to themselves through a particular function.

Under the hood, the contract simply subtracts the value of the transaction from the sender's and adds it to the receiver's.

The contract created temporary variables representing the initial balances of the sender and receiver, and used those to update them.

Past experience led bZX to create an insurance fund to cover for these "Black swan events," and the stolen coins were thus debited on the fund, which receives 10% of the protocol's revenue through interest rates.

The Fulcrum protocol was left with just $6 million in total value locked after the incident.

The bZX team made a hard commitment to secure practices with multiple audits from Certik and PeckShield, as well as a reinvigorated bug bounty program.

That appears to have been insufficient, which highlights that creating a secure DeFi protocol is harder than it may seem.