As per the details revealed by bZX, the hacking incident took place due to a line of code place in the wrong place in the smart contract for “iTokens,” which reflect a user’s share in the stock of assets supplied, basically a deposit balance in tokenized form.
The bug was removed quickly to avoid further mishaps. Anton Bukov, CTO at 1inch.exchange underlined that the bug was removed by simply shifting a line of code below. The bug replicated tokens when a user initiated a transaction with themselves as the receiver.
Basically, the contract deducts the transaction value from the sender holdings and adds it to the receiver’s holdings. In this process, the contract established temporary variables reflecting the original balances of the receiver and sender, and later on used it to update the final holdings.
In case, the receiver and sender are identical, the deduction happened after the original balance variables were established. This implies that the deduction had no impact, so the hackers could easily add new tokens as per their wish.
Our small investigation thread (with @semenov_roman_) on @bZxHQ "duplication incident".https://t.co/en6LGTnW5z
— Anton Bukov | k06a.eth (@k06a) September 13, 2020
The replicated tokens were exchanged with the underlying asset, leaving the hackers with a higher percentage of the crypto assets. The hackers used this vulnerability to swindle 4,502.70 Ether (ETH), 219,199.66 LINK, 667,988.62 Dai (DAI), 1,756,351.27 Tether (USDT), 1,412,048.48 and USD Coin (USDC), overall valued at $8 million.
Earlier hacking incident paved way for the creation of an insurance fund by bZX to take care of such “black swan events.” In return for the coin held by the fund, 10% interest is paid using the revenue generated by the covenant. However, the Fulcrum covenant had only $6 million worth tokens after the hacking incident.
Therefore, settling that amount could take considerable span of time and will have implications on the protocol’s success. The bZX team is devoted to follow credible safety practices including numerous audits by PeckShield and Certik, in addition to revitalized bug bounty scheme. That seems to be not adequate, underlining that developing a safe DeFi covenant is tougher than it looks.