The Fulcrum DeFi protocol developed by bZX, which had recently relaunched after a series of hacks in February forced the team to regroup, was hacked once again to the tune of about $8 million.
According to the incident disclosure by bZX, the culprit is one line of code placed at the wrong location in the contract for its “iTokens,” the token representing a user’s share in the pool of supplied assets — essentially a tokenized deposit balance.
A fix was quickly deployed to prevent further occurrences. As Anton Bukov, chief technology officer at 1inch.exchange highlighted, the fix simply moved one line of code several positions below.
The bug duplicated tokens when a user sent a transaction to themselves through a particular function. Under the hood, the contract simply subtracts the value of the transaction from the sender’s and adds it to the receiver’s. The contract created temporary variables representing the initial balances of the sender and receiver, and used