B57


DeFi Drama: The $8 Million Heist of the Fulcrum Protocol and Its Fallout

When Hackers Strike Twice

Just when you thought it was safe to go back in the blockchain waters, the Fulcrum DeFi protocol, brainchild of bZX, has faced another unfortunate hack—this time, to the tune of $8 million. After previously regrouping post-hack in February, the team found themselves grappling with code that could slip a banana peel under the feet of a seasoned developer.

A Misplaced Line of Code

According to bZX’s transparency report, the culprit was a pesky line of code that failed to stay in its lane. This line was responsible for the creation of “iTokens,” which represent user shares in the asset pool—a bit like a digital receipt for your contributions to the crumbling castle of finance that is DeFi.

How the Hack Happened

When users dared to transact with themselves using a specific function, the contract did a little dance that led to the multiplication of tokens. Here’s how it flaunted its moves: the protocol set up temporary variables, subtracted the transaction value, and forgot one crucial thing. If the sender and receiver were joined at the hip (or rather, the same digital wallet), the code did not take the subtraction it had just made into account. Hence, hackers could create tokens like rabbits out of a hat.
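The self-transfer flaw described above, as an added Python model of the balance bookkeeping (not bZX's contract code and not from the transparency report). The class, method names and sample balances are hypothetical, and the fixed variant is one possible correction, not necessarily the one bZX shipped.

```python
# Added illustration: a Python model of the bookkeeping flaw, not the protocol's own code.
# All names and balances here are constructed for the example.

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer_flawed(self, sender, receiver, value):
        # Both balances are cached in temporaries before any write happens.
        sender_before = self.balances.get(sender, 0)
        receiver_before = self.balances.get(receiver, 0)
        if value > sender_before:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_before - value
        # When sender == receiver, this write uses the stale cached value and
        # overwrites the subtraction above, so the balance grows by `value`.
        self.balances[receiver] = receiver_before + value

    def transfer_fixed(self, sender, receiver, value):
        sender_before = self.balances.get(sender, 0)
        if value > sender_before:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_before - value
        # Re-read the receiver after the debit so a self-transfer nets to zero.
        self.balances[receiver] = self.balances.get(receiver, 0) + value


def supply_drift(transfer_name, sender, receiver, value):
    """Return the change in total supply caused by one transfer (should be 0)."""
    ledger = Ledger({"alice": 100, "bob": 50})  # constructed sample balances
    before = ledger.total_supply()
    getattr(ledger, transfer_name)(sender, receiver, value)
    return ledger.total_supply() - before


if __name__ == "__main__":
    for name in ("transfer_flawed", "transfer_fixed"):
        print(name,
              "alice->bob drift:", supply_drift(name, "alice", "bob", 40),
              "alice->alice drift:", supply_drift(name, "alice", "alice", 40))
```

A supply-conservation check like `supply_drift`, run with sender equal to receiver, is the kind of invariant test that catches this class of bug before deployment.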

Token Theft and the Great Escape

With these duplicated tokens in hand, the marauding hackers went shopping for all that sweet, sweet collateral, making off with a diverse portfolio that included:

  • 219,199.66 LINK
  • 4,502.70 Ether (ETH)
  • 1,756,351.27 Tether (USDT)
  • 1,412,048.48 USD Coin (USDC)
  • 667,988.62 Dai (DAI)

All this treasure amounted to a staggering $8 million—enough to make even the most seasoned pirate jealous.

A Good Samaritan Returns the Stolen Loot

In a twist seemingly plucked from an Ocean’s 11 script, the hacker actually turned out to be benevolent! They returned the funds shortly after being tracked down. According to the bZX team, the perpetrator came forward, and just like that, the funds were back in the protocol’s hands. Talk about a plot twist!

The Aftermath: Learning and Adapting

In the wake of this incident, the bZX team’s next steps include implementing a more robust insurance fund. Lessons from past incidents have been turned into actionable items, like creating safety nets equipped to handle such “black swan” events. The insurance fund automatically draws 10% of the protocol’s revenue through interest rates, but even so, Fulcrum’s total value locked plummeted to just $6 million.

So, what’s the takeaway here? Building a secure DeFi protocol is no walk in the park, and even with multiple audits from respected firms and an enthusiastic bug bounty program, vulnerabilities can still lurk like a cheeky raccoon in a dumpster—ready to strike.
