It’s definitely not the best week for decentralized finance (DeFi) protocols, as BXH announced on Saturday that it suffered a massive exploit on Binance Smart Chain (BSC), just one day after Cream Finance said it suffered a US$130 million hack.
DeFi trading platform BXH said in multiple tweets that it was being attacked on BSC, resulting in the theft of about US$130 million. It said that assets on other chains are safe and not affected, and it has locked BXH contracts on OEC and HECO chains for asset security reasons.
While BXH continues to work with BSC’s security team and a third-party security partner to follow up and trace the incident, it is urging the exploiters to return the stolen funds.
“To the exploiters again, please return the funds to the fund pool immediately and we will recognize your actions as white hat and offer bonus,” BXH said in a tweet, adding that it will offer a bonus of US$1 million to any white hat team that could help retrieve users’ assets.
In the wake of the exploit, BXH’s token plummeted from around $0.0826 on Saturday before the hack announcement to $0.0445 on Monday afternoon Asia time, according to data from CoinGecko.
The BXH exploit comes just one day after another DeFi platform, Cream Finance, announced that it suffered a flash-loan attack and lost about US$130 million worth of tokens.
Cream Finance published a post mortem today, confirming that it has patched the vulnerability and “only our Ethereum v1 markets were impacted.” Its partner Yearn Finance has successfully salvaged US$9.42 million and will return the funds to Cream, according to the post.
Cream said in the post mortem that it is working to repay lost funds, starting with a partial payment. “Details of this repayment plan will be announced in the coming days,” it said.
Meanwhile, Cream urged the attacker to reach out and return user funds, offering a bug bounty of 10% upon return of the funds.
Some other DeFi platforms have also seen major attacks. In August, another DeFi platform, Poly Network, suffered a US$600 million hack, though the hacker later returned the stolen assets. In the same month, Japanese crypto exchange Liquid suffered a loss of over US$90 million in an attack, which siphoned Bitcoin, Ethereum, Tron and XRP tokens from the exchange. Liquid obtained a US$120 million loan from fellow exchange FTX to cover losses.
Security experts are analyzing the spate of hacks for signs of vulnerability. Sun Huang, general manager and vice president for security development operations at XREX Inc., a Taipei-headquartered crypto-fiat exchange and trade technology platform, told Forkast.News that the Cream Finance attack was carried out via a typical price manipulation approach: if there is a price-oracle vulnerability in how a contract prices assets, exploiters can take the chance to attack by borrowing a massive amount of funds through flash loans to push prices up.
“We’re constantly seeing the same attack approach on various DeFi platforms, and these DeFi projects should regularly check if the price oracles used by its contracts are strict enough,” Huang said.
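The pattern Huang describes, shown as an added illustration that is not from the article, from Cream Finance, or from BXH: a toy constant-product liquidity pool, a naive oracle that reads the pool's spot price, and a simplified time-weighted average price (TWAP) oracle with a spot-versus-TWAP deviation check of the kind a lending contract can apply before valuing collateral. The pool, the reserve sizes, the ten-block window and the 10% threshold are all constructed for the example; block times are assumed equal so the TWAP reduces to the mean of the last N per-block closing prices.

```python
from collections import deque


class Pool:
    """Constructed toy constant-product AMM pool (x * y = k); swap fees ignored."""

    def __init__(self, reserve_x: float, reserve_y: float) -> None:
        self.reserve_x = reserve_x
        self.reserve_y = reserve_y

    def spot_price(self) -> float:
        """Price of one X in units of Y, read straight from the reserves.
        This is exactly what a naive on-chain price oracle returns."""
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, amount_y: float) -> float:
        """Sell amount_y of Y into the pool; returns the X paid out."""
        k = self.reserve_x * self.reserve_y
        new_y = self.reserve_y + amount_y
        new_x = k / new_y
        received = self.reserve_x - new_x
        self.reserve_x, self.reserve_y = new_x, new_y
        return received


class TwapOracle:
    """Simplified time-weighted average price over a fixed block window.
    Assumes equal block times, so the TWAP is the mean of the last N closes."""

    def __init__(self, window_blocks: int) -> None:
        self.closes: deque = deque(maxlen=window_blocks)

    def record_block(self, closing_spot: float) -> None:
        self.closes.append(closing_spot)

    def read(self) -> float:
        return sum(self.closes) / len(self.closes)


def value_collateral(amount_x: float, spot: float, twap: float,
                     max_deviation: float = 0.10) -> float:
    """Defender-side check: value collateral at the TWAP, and refuse to act
    when the current spot price deviates from it by more than max_deviation.
    A single-block price spike shows up here as a large deviation."""
    deviation = abs(spot - twap) / twap
    if deviation > max_deviation:
        raise ValueError(
            f"spot/TWAP deviation {deviation:.0%} exceeds {max_deviation:.0%}; "
            "refusing to price against a possibly manipulated oracle")
    return amount_x * twap


def simulate() -> dict:
    """Ten quiet blocks, then one large swap inside a single block."""
    pool = Pool(reserve_x=1_000.0, reserve_y=1_000_000.0)  # X trades at 1000 Y
    oracle = TwapOracle(window_blocks=10)
    spot_before = pool.spot_price()
    for _ in range(10):
        oracle.record_block(pool.spot_price())

    # Constructed one-block event: 1,000,000 Y enters the pool in a single block.
    pool.swap_y_for_x(1_000_000.0)          # reserves become 500 X / 2,000,000 Y
    spot_after = pool.spot_price()          # 4000: spot quadruples immediately
    twap_same_block = oracle.read()         # 1000: the spike is not in the window yet

    try:
        value_collateral(10.0, spot_after, twap_same_block)
        rejected = False
    except ValueError:
        rejected = True

    oracle.record_block(spot_after)         # the spiked block closes
    twap_next_block = oracle.read()         # 1300: one block moves the TWAP 30%, not 300%

    return {
        "spot_before": spot_before,
        "spot_after_swap": spot_after,
        "twap_same_block": twap_same_block,
        "twap_next_block": twap_next_block,
        "naive_spot_valuation": 10.0 * spot_after,   # 40,000 Y for 10 X
        "twap_valuation": 10.0 * twap_same_block,    # 10,000 Y for 10 X
        "check_rejected": rejected,
    }


if __name__ == "__main__":
    for key, val in simulate().items():
        print(f"{key}: {val}")
```

The point of the comparison is the two oracle designs, not the swap itself: a contract that values collateral at the pool's spot price accepts a fourfold overvaluation inside the same block, while a windowed TWAP barely moves, and a deviation check between the two refuses to price at all while the spike is live. Real deployments also use multi-source or off-chain oracles and longer windows; the threshold and window here are illustrative.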
Huang added that, from the perspective of an information security expert, he would recommend that users go with DeFi platforms that have secured reviews from at least two security firms, with regular checks for updates. “Some platforms would lure users with high annual percentage yields but they often lack security protection.”