Decentralized finance (DeFi) lending protocol bZx has suffered a third exploit, and this time the attackers got over $8 million in cryptocurrency by duplicating assets.

The exploit, according to the bZx team, allowed the attackers to use flawed code to duplicate assets or increase their balance of interest-bearing tokens on bZx, dubbed iTokens. After noticing the exploit, bZx halted minting and burning of the tokens, and resumed it after a fix corrected the balances.

The bug, however, saw the attacker mint 2139,199.66 LINK, 4,500.7 ETH, 1.75 million USDT, 1.41 million USDC, and 667,988.8 DAI. In total, the attacker managed to get over $8 million with the attack. The firm’s insurance fund will be covering the losses, so no user funds were at risk.

In its report bZx details it was “heavily audited” by top security firms Peckshield and Certik. It added:

Unfortunately, audits are not silver bullets. Our protocol is the most powerful, fully functioned lending protocol in the space, and this means that there is a lot of code to cover.

Reacting to the incident Certik revealed that during the audits “several issues were identified and remediated,” and added the vulnerability was the result of a “gas optimization being applied on the common ERC balance transfer code whereby data was copied to memory and subsequently reused while having been altered in storage.” To the firm, “security is a journey” and its team is committed to collaborating with bZx further.

Peckshield reacted by pointing out its audits also uncovered “several issues” that were fixed. It added that one audited “cannot guarantee to find all potential issues.” Marc Thalen, the lead engineer at, found the exploit and claimed over $20 million were at risk.

In a tweet thread, Thalen detailed he informed the team about the exploit, and used it with a loan using 100 USDC that allowed him to retrieve iUSDC, which he sent to himself to practically duplicate the funds.

Per Thalen, if bZx did not pause the contract, the attacker would have likely been able to get all $20 million. One of the protocol’s founders reportedly said an independent security panel recommended a $12,500 bounty for his contribution, although the platform’s program mentions a reward up to $350,000 for a critical vulnerability.

It’s worth noting that earlier this year bZx was exploited using flash loans that saw attackers make nearly $1 million in ETH over the course of two attacks. Flash loans are loans taken and repaid in a single transaction.

Featured image via Pixabay.