BZRX / 4.7K ETH stolen funds

twitter.com/k06a/status/1305223405055213568?s=20


FUNDS ARE SAFU


>third hack in 1 year
>THE REAL lend/aave they said


I was about to buy that shitcoin last week but then I saw that terrible shit logo and turned 360 degrees and walked away

but the logo is turning 270 degrees

I'm so happy I doubled my money and got out of this thing.

>they read the recipient's balance before applying the change to the sender's balance
kek

Can anyone familiar with Solidity explain why moving those two terms without changing anything leads to the exploit?

Attached: Eh0SDEgXYAAsPye.jpg (1280x511, 69.61K)

I thought it was audited multiple times? Kek. Should I sell?

I'm a noob but...
if the array index variables match, you're able to transfer to yourself even if you have 0 or less ETH

e.g. say some user with id 400 has 2 eth

_balancesFrom = balances[400]
_balancesTo = balances[400]

the code is getting the balances for both users first (aka the same user) then subtracting the eth WITHOUT recalculating the now corrected balance ready for the send.

I'm phone posting so I could explain better, but essentially the .sub-tracted value is being set to the balance; however, the unsubtracted value is being set back to the balance during the .add

Total
Value
Lost

>turned 360 degrees
>walked away

absolute state of US education

that's been a meme for 14 years newfag

are you absolutely new to the internet, zoomer?

>turned 360 degrees and walked away

I still don't get it, but thanks for the (you), user. Don't the calculations still get carried out in the same code block? I don't see where _from and _to are being compared.

yeah i fucked up the explanation

the user's balance is being deducted properly during the From aka .sub section; however, in the To aka .add section, the user's balance is being changed back to what it originally was PLUS the transfer amount.

so if a user has 10 ETH and transfers 2 ETH to himself, he ends up with 12 ETH instead of just staying at 10. This is because the second operation is using the original balance amount for its calculation instead of the updated deducted value (which would be a balance of 8 in this case)

the code essentially does this:
balance = 10
balance = 8 (-2)
balance = 10
balance = 12 (+2)

so I was looking at this code and I'm pretty amateur with Solidity and coding in general, but here's my explanation...
example: user id 400, he has 1 ETH

on the left:
balancesFrom = balances[400] = 1 ETH
balancesTo = balances[400] = 1 ETH

then balancesFromNew executes using balancesFrom, subtracting 1 ETH from balancesFrom to 0 ETH final

then balancesToNew executes, using balancesTo, adding 1 ETH to balances[_to], which results in 2 ETH total

on the right, balances[_from] gets subtracted from first, and in the case that balances[_from] and balances[_to] are the exact same thing, balances[_to] gets updated at this moment too.

also the code on the right in your pic is the fixed code, the left is the exploitable shit
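A runnable model of the two orderings the posts above describe, added here as an example; it is not the protocol's contract code and not from anyone in the thread. The function and variable names (transfer_vulnerable, transfer_fixed, balance_from, balance_to, "user400") are this example's own, and the starting balances are constructed. The vulnerable version snapshots both balances before writing either, the fixed version re-reads the recipient after the sender has been debited, and a supply-conservation check shows the kind of test that catches the self-transfer case:

```python
# Added example modelling "read both balances first" (vulnerable) versus
# "debit, then re-read the recipient" (fixed). Names are this example's own
# assumptions, not the protocol's contract code.
from typing import Callable, Dict

Balances = Dict[str, int]
Transfer = Callable[[Balances, str, str, int], None]


class InsufficientBalance(Exception):
    pass


def transfer_vulnerable(balances: Balances, sender: str, recipient: str, value: int) -> None:
    """Snapshot both balances, then write sub and add results from the snapshots.

    When sender == recipient the credit is computed from the stale pre-debit
    snapshot, so the debit is overwritten and `value` is created from nothing.
    """
    balance_from = balances.get(sender, 0)
    balance_to = balances.get(recipient, 0)        # stale when recipient == sender
    if value > balance_from:
        raise InsufficientBalance(sender)
    balances[sender] = balance_from - value        # debit written...
    balances[recipient] = balance_to + value       # ...then clobbered on self-transfer


def transfer_fixed(balances: Balances, sender: str, recipient: str, value: int) -> None:
    """Debit first, then read the recipient's balance fresh before crediting."""
    balance_from = balances.get(sender, 0)
    if value > balance_from:
        raise InsufficientBalance(sender)
    balances[sender] = balance_from - value
    balances[recipient] = balances.get(recipient, 0) + value  # sees the debit


def total_supply(balances: Balances) -> int:
    return sum(balances.values())


def run_self_transfer(transfer: Transfer, start: int, value: int) -> int:
    """Balance of a single user after one transfer to themself (constructed state)."""
    balances: Balances = {"user400": start}
    transfer(balances, "user400", "user400", value)
    return balances["user400"]


def repeated_full_self_transfer(transfer: Transfer, start: int, rounds: int) -> int:
    """Transfer the entire balance to self `rounds` times.

    The vulnerable ordering doubles the balance every round; the fixed
    ordering leaves it unchanged.
    """
    balances: Balances = {"user400": start}
    for _ in range(rounds):
        transfer(balances, "user400", "user400", balances["user400"])
    return balances["user400"]


def supply_conserved(transfer: Transfer, balances: Balances,
                     sender: str, recipient: str, value: int) -> bool:
    """Regression check: no transfer, including sender == recipient, may change supply."""
    before = total_supply(balances)
    transfer(balances, sender, recipient, value)
    return total_supply(balances) == before


if __name__ == "__main__":
    print(run_self_transfer(transfer_vulnerable, 10, 2))          # 12
    print(run_self_transfer(transfer_fixed, 10, 2))               # 10
    print(repeated_full_self_transfer(transfer_vulnerable, 1, 10))  # 1024
    print(supply_conserved(transfer_vulnerable, {"a": 10}, "a", "a", 2))  # False
```

The supply_conserved check is the property a test suite needs: checking only that a normal A-to-B transfer moves the right amount passes both versions, while asserting that total supply is unchanged for every (sender, recipient) pair, including sender == recipient, fails only the vulnerable ordering.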

holy fuck

and this code was supposedly audited?

oof bzrx took a nasty hit on this hack didn't they? hope you anons are at stop losses

How to set a stop loss on Uniswap?

it's bad. I can see how it was overlooked though, because it only works when you transfer to yourself, which is something people wouldn't really think about being a normal action.

Ah, I get it, since the two balance addresses are the same, the _to overwrites the _from. Thanks, fellas.

So all that shite on the website about how they adopted TDD and testing after the last hack, was bullshit. Because this is the exact kind of edge case that TDD should catch.

I will say it's pretty fucking hilarious how bzrx touted being the "most audited DeFi protocol" and then got fucked by a smart contract vulnerability within weeks of releasing

I don't see an option to transfer on their site.

yeah, and they're already using their insurance fund lol

you need to interact with the Eth contract directly.

It's less surprising if all the audits are caused by repeated hacks. But it's a nice spin on their own mess-ups. Kek.

now you know audits are a scam

They keep talking about an insurance fund, is this really going to fucking happen? Because how could they have an insurance fund after 10 days

AHAHAHAHAHAHAHAHAHA

GOOD THING I SOLD AT 90 CENTS

they are going to dump bzrx to fund the losses of course.

everyone who loses money on this fully deserves it. Only a complete idiot invests in something that was hacked in such a dumb way before.

220k LINK missing too apparently

Nice bait

4.7k ETH
220k LINK

lmao

so glad i got out holy shit.

I sold. I could have made over 100 grand in profit but I held through the crash a few days ago and now there is another fucking hack. Unbelievable

I should be good then, right? Because I don't hold any BZRX but I was lending

I don't know, is there even enough demand for BZRX to fill the 4.7k ETH loss?