/biz/ - Business & Finance

FUNDS ARE SAFU

>third hack in 1 year
>THE REAL lend/aave they sad

I was about to buy that shitcoin last week but then I saw that terrible shit logo and turned 360 degrees and walked away

>>22462985
but the logo is turning 270 degrees

>>22462823
I'm so happy I doubles my money and got out of this thing.

>they read the recipient's balance before applying the change to the sender's balance
kek

Can anyone familiar with Solidity explain why moving those two terms without changing anything leads to the exploit?

I thought it was audited multiple times? Kek. Should I sell?

>>22463116
im noob but...
if the array index variables match, youre able to transfer to yourself even if you have 0 or less eth

e.g. say some user with id 400 has 2 eth

_balancesFrom = balances[400]
_balancesTo = balances[400]

the code is getting the balances for both users first (aka the same user) then subtracting the eth WITHOUT recalculating the now corrected balance ready for the send.

im phone posting so could explain better but essentially the .sub tracted value is being set to the balance, however the unsubtracted value is being set back to the balance during the .add

>>22462823
Total
Value
Lost

>>22462985
>turned 360 degrees
>walked away

absolute state of US education

>>22463838
that's been a meme for 14 years newfag

>>22463838
are you absolutely new to the internet, zoomer?

>>22462985
>turned 360 degrees and walked away

>>22463527
I still don't get it, but thanks for the (you), anon. Don't the calculations still get carried out in the same code block? I don't see where _from and _to are being compared.

>>22463944
yeah i fucked up the explanation

the users balance is being deducted properly during the From aka .sub section, however in the To aka .add section, the users balance is being changed back to what it originally was PLUS the transfer amount.

so if a user has 10 eth and transfers 2 eth to himself, he ends up with 12 eth, instead of just staying at 10. this is because the second operation is using the original balance amount for its calculation instead of the updated deducted value (which would be a balance of 8 in this case)

the code essentially does this:
balance = 10
balance = 8 (-2)
balance = 10
balance = 12 (+2)

>>22463944
so i was looking at this code and i'm pretty amateur with solidity and coding in general but heres my explanation...
example, user id 400, he has 1 ETH

on the left:
balancesFrom = balances[400] = 1 ETH
balancesTo = balances[400] = 1 ETH

then balancesfromnew executes using balancesFrom, subtracing 1 eth from balancesFrom to 0 eth final

then balancestonew executes, using balancesto, adding 1 eth to balances[_to] which results in 2 eth total

on the right, balances[_from] gets subtracted from first, and in the case that balances[_from] and balances[_to] are the exact same thing, then balances[_to] gets updated at this moment, too.

>>22463944
also the code on the right in your pic is the fixed code, the left is the exploitable shit

>>22464207
holy fuck

and this code was supposedly audited?

oof bzrx took a nasty hit on this hack didn't they? hope you anons are at stop losses

>>22464275
How to set a stop loss on uniswap

>>22464269
its bad. i can see how it was overlooked though, because it only works when you transfer to yourself, which is something people wouldnt really think about being a normal action.

>>22464207
>>22464244
>>22464246
Ah, I get it, since the two balance addresses are the same, the _to overwrites the _from. Thanks, fellas.

>>22464316
So all that shite on the website about how they adopted TDD and testing after the last hack, was bullshit. Because this is the exact kind of edge case that TDD should catch.

i will say its pretty fucking hilarious how bzrx touted being the "most audited DeFi protocol" and then got fucked by a smart contract vulnerability within weeks of releasing

>>22464207
I don't see an option to transfer on their site.

>>22464435
yeah, and they're already using their insurance fund lol

>>22464532
you need to interact with the Eth contract directly.

>>22464475
It's less surprising if all the audits are caused by repeated hacks. But it's a nice spin on their own mess-ups. Kek.

>>22463507
now you know audits are a scam

>>22464568
They keep talking about an insurance fund, is this really going to fucking happen. Because how could they have an insurance fund after 10 days

AHAHAHAHAHAHAHAHAHA

GOOD THING I SOLD AT 90 CENTS

>>22464619
they are going to dump bzrx to fund the losses of course.

everyone who loses money on this fully deserves it. Only a complete idiot invests in something that was hacked in such a dumb way before.

220k link missing to apparently

>>22463838
>>22463943
Nice bait

>>22464707
4.7k ETH
220k LINK

lmao

so glad i got out holy shit.

i sold. i could made over 100 grand in profit but i held through the crash a few days ago and now there is another fucking hack. unbelievable

>>22464643
I should be good right then? because I dont hold any bzrx but I was lending

>>22464784
I don't know, is there even enough demand for bzrx to fill the 4.7k eth loss?

This happened 2 day ago too. They've been lying, this is close to fraud at this point

>>22464707
fuck thank god i was planning to lend it to them

>>22464853
How do I learn how to drain pools? it doesn't seem that hard if there's shitty abusable code/features involved. Btw how come the original AMPL didn't get its geyser drained?

>>22464207
I know almost nothing about programming and yet that seems like the most basic shit ever.

How could they make such a simple mistake, and even worse, how could the auditors not catch it?

I'm actually more worried about the quality of these audits than this one coin...

>>22464895
>Women in programming

>>22464766
Why hasn't this shitty team said anything about the 220k link? I'm a Link whale and four days ago put 100k, yes I'm fucking serious (sadly), into this shit project because I was an IDIOT who bought into "we're the most audited protocol in DeFi hype". Am I fucked? How is their insurance going to cover $2m in lost Link when this dumpster fire will be heading to $0.

>>22465034
It's not
I feel sorry for you guys who will lose their Link from thhis

>>22465034
well atleast u still have ilink

>>22465034

yes you are, and so am I

>22465034
youre going to get vbzrx tokens mate, gutted for you.

>>22465034
nah you're good link fren. market always forgets

>>224651

>>22465034

Jesus christ man yo put $1.2 million in link in fulcrum? Was that your whole stack did you get blinded by the APR return?

I just looked at the stats page and there is 24 ilink left.

Basically I think they will try and sell of vbzrx to pay you back but those tokens are now pretty much worthless.

Basically I think you are about to take a 97% loss sorry mate hope that wanst everything you had jesus man.

Sorry, I'm a newfag and I'm trying to get out of this shitshow by selling it off through kyberswap, but it looks like the transaction on ethescan is pending and will take more than an hour. How do I cancel the transaction?

>>22465353
Send the same transaction, or different one just sending 0 eth to yourself, with the same nonce. You need to enable nonces in advanced settings of Metamask. Metamask also has an "attempt cancel" function that does the same thing.

ffs the incompetence in the defi space is next level. bzrx is now yam tier, except yam at least wasn't exploited 3x

>>22465034
:'^(

>>22465340

Thankfully I still have 700k remaining. I'll stick to usng AAVE and yearn.finance going forward. I was lured in by the attractive lending apy and the "We're so secure" bullshit marketing. I got what I deserve for being a dumbass. Lesson learned.

>>22465034
You can't be serious, why in the hell would you risk that much link in a pajeet coded platform ... you only have one option left: take the bzx team to kleros court

>>22465548
>you only have one option left: take the bzx team to kleros court

What's the current APY on USDC? I'm on mobile and have had a 5x ETH short going. I guess I'll probably lose everything by the time I get home. That was half my stack.

>>22465539

Just know that yearn is also barely audited unless you purchase insurance through nexus but they are maxed out. Dont do it bro the risks are to high right now to lend in my opinion for the returns its not worth it.

IF Yearn gets haccked ur gonna get fucked out of everything.

>>22465609
there are 73 usdc left in the contract, I'm sorry anon.
It's possible they sell bzrx to fill some losses.

>>22462985
>turned 360 degrees and walked away
So you didn't walk away

>>22465609

APY is i think 80% good luck bro hurry back if you can but i think they froze the withdrawals looooool they still arent calling it a hack what a shitshow.

I ape went all in a week ago and happened to be up so I ran to the pc and snap withdrew all my lending tokens. Could have lost it all. Lesson learned no more lending for me fuck too much risk

>>22465734
compound is safe, I don't understand why people think in categories like that. It's just one dapp made by retards

>>22465705
I have 400k untouched in a hardware wallet, 60k LINK in the yaLink vault which I'll be taking out tomorrow, and 250k Link in AAVE as collateral on a 500k usdt loan that was put into the Curve ypool. That yCRV in the yCRV vault on yearn is making me $4-500 per day. Going to leave that in there and take the risk like a degen.

>>22465712

Holy shit i didnt realize just saw that so the 593k usdc locked up is the borrower side right? So basically if you lent out usdc you are fucked woowwwwww.

LIke a few hours ago there was 900k usdc in total avaliable pool i guess there was a "bank" run on usdc tokens as lenders were panic withdrawing thank god i got out jesus christ.

There is no insurance fund team is lying vbzrx is fucking worthless there is no insurance if you havent withdrawn your fucked.

you now remember the music video they made for the relaunch

>>22465778

Fuck man how much LINK did you buy presale? Wow congrats even though you took a loss you got deep pockets.

Question for you im poorfag with 160k usdc is it worth it for me to yolo into curve pool or no?

>>22465705
>Just know that yearn is also barely audited
wrong lesson
what you should learn from this is:
- audits are borderline useless
- trust things made by smart people (like Andre) even if they are unaudited over things made by idiots (bzrx) even if they are audited several times

>>22465412

Thank you.

>>22462823
Little bitch acap strikes again.

>>22465787
>There is no insurance fund team is lying vbzrx is fucking worthless there is no insurance if you havent withdrawn your fucked
Yes, my 5k usdc lent out is not withdrawable. Fucking piece of shit pajeet team

>>22465812

I actually bought ETH early, and then after some dumb losses from trading after ETH seemed like it was grabbing around $300 for a while, I discovered Link from Reddit shortly after it started trading on Ether Delta. Pretty much all my Link was bought on there and on Binance within the first week or two of Link trading going live. Been holding for the last three years, but thanks to ChainlinkGod, yearn finance got me interested in actually doing something with my Link since I have the capital. Believe or not I come from a lower middle class family, but threw all $20k of my savings I had after working as a teacher in Asia into Eth and it's changed my life. I can't say what you should or shouldn't do, but I just trust Andre. He was the first to put his money into the protocol and will be the last to take it out. He also has his friends and family's money in yearn, so perhaps not in the vaults. Because I perceive my liquidation risk on Aave of being very low because I'm borrowing less than a quarter of my collateral value, the main risks are with security flaws in curve or yearn, but considering how much value is locked in each, the fact that they haven't been exploited yet with presumably many malicious eyes focused on them is a positive sign. Obviously there's still a high degree of risk.

>>22466064
Holy shit, it's too late for me to make it if whales are already making $400 a day just by sitting on their stacks. Are you looking at any other coins?

>>22466028
right again

>>22466064
>I actually bought ETH early, and then after some dumb losses from trading after ETH seemed like it was grabbing around $300 for a while, I discovered Link from Reddit shortly after it started trading on Ether Delta. Pretty much all my Link was bought on there and on Binance within the first week or two of Link trading going live. Been holding for the last three years, but thanks to ChainlinkGod, yearn finance got me interested in actually doing something with my Link since I have the capital. Believe or not I come from a lower middle class family, but threw all $20k of my savings I had after working as a teacher in Asia into Eth and it's changed my life. I can't say what you should or shouldn't do, but I just trust Andre. He was the first to put his money into the protocol and will be the last to take it out. He also has his friends and family's money in yearn, so perhaps not in the vaults. Because I perceive my liquidation risk on Aave of being very low because I'm borrowing less than a quarter of my collateral value, the main risks are with security flaws in curve or yearn, but considering how much value is locked in each, the fact that they haven't been exploited yet with presumably many malicious eyes focused on them is a positive sign. Obviously there's still a high degree of risk.

Thanks bro and congrats i also had like 20k from propping poker games lol around the time you were teaching in Asia but i bought some eth at $20 and panic sold when the DAO happened and didnt sell the top in 2017 so got fukked hard again just trying to make it.

I will probably loan out some but like you said there is still some risk with yearn but things looking good so far with how much value is locked up.

My only concern is in a bear market if they keep dumping crv wont the aprs go way down for the y pools??

>>22466038
>I actually bought ETH early, and then after some dumb losses from trading after ETH seemed like it was grabbing around $300 for a while, I discovered Link from Reddit shortly after it started trading on Ether Delta. Pretty much all my Link was bought on there and on Binance within the first week or two of Link trading going live. Been holding for the last three years, but thanks to ChainlinkGod, yearn finance got me interested in actually doing something with my Link since I have the capital. Believe or not I come from a lower middle class family, but threw all $20k of my savings I had after working as a teacher in Asia into Eth and it's changed my life. I can't say what you should or shouldn't do, but I just trust Andre. He was the first to put his money into the protocol and will be the last to take it out. He also has his friends and family's money in yearn, so perhaps not in the vaults. Because I perceive my liquidation risk on Aave of being very low because I'm borrowing less than a quarter of my collateral value, the main risks are with security flaws in curve or yearn, but considering how much value is locked in each, the fact that they haven't been exploited yet with presumably many malicious eyes focused on them is a positive sign. Obviously there's still a high degree of risk.

Sorry to hear that man the team is working on a statement loool. They will give you pajeet vbzrx tokens when the bzx token is already crashed another 50% looooooool.

>the next AAVE they called it

>>22464304

use a question mark when you ask a question ffs.

>>22466452
he lost so much he can't afford question marks anymore

>>22462985
Fucking burgers mate

>>22462823
The irony is, there's not yet a secure decentralised platform on which to short bzrx with leverage.

>>22465539
>Thankfully I still have 700k remaining
lmao fuck you dude that's 10x my stack

>>22466539

Fuk that would be epic i would short this shit to 5 cents kek.

>>22462823
HAHAHAHHAAHAHAHAHA

>>22463893
been here for 3 years and never heard it

>>22465034
every loss is covered. everyone gets their money back

>>22464643
>hacked in such a dumb way before
it was an oracle exploit... am i missing something? everyone acts like they knew this shit AFTER it has happened. fuck off

>>22466964
It's the biz way. People act like this was expected, meanwhile degenerates send millions of dollars to unaudited contracts and nobody bats an eye. With that said, hard to deny how bad this looks for the project, I don't think they could've fucked up their launch more even if they tried.

>>22467019
it's over for them. it might recover a bit from here. but trust is lost.

>>22462823
Wtf it is bouncing back. Do I buy back in?

>>22467079
Are you a newfag? They'll be back and I bet they can become one of the more successful platforms. Short term is looking pretty bleak though

>>22467079
Gotta wait for nufags during the next bull run to use this

>>22467109
Probably a dead cat bounce

>>22464767
you're actually retarded

>>22465034
holy shit

that is a sad story fren

i hope it works out and you get everything back

>>22467115
this. maybe you retards shouldnt have dumped anything in until its survived a while. their code is 99% there. no little homo hack is going to end them. what they should have done is published the code then prevented it going live for 3 months or so while offering a 1m bug bounty. game theory would have solved the rest.

welcome to the wild west.

>>22467115
we all know this project is a fucking joke and will remind everyone at every possible chance

you nigger faggot scammers lost

>>22465539
please simply hold and do not lend. please anon do it for your children and your descendants

>>22467221
Why?

>>22465789
that line about battle scars

>>22462985
>>22463838
>>22466536
THIS ISN'T A BURGER

>>22465778
Why exit the yaLink vault?

>>22467246
after warning people multiple times about this incompetent team that still owes me money from their previous hacks, the only thing I got in response is bzrx niggers talking about most audited project and huuurrr durrrr midwit thinks they will be hacked for a THIRD time

hope you all dumped
>he just wants in cheaper
no one is going to touch this shit ever again

>>22467343

Faggots in the telegram are saying this is the bottom little do they know the bottom for bzrx is zero.

>>22462823
I BOUGHT 10K OF THIS SHITCOIN YESTERDAY I HATE MY SHITTY LUCK

>>22467343
Everyone says shit like that all the time about every single coin. If nobody bought anything that was fudded, crypto would no longer exist.

It looks like my margin trade is still going but the APY is up to fucking 120%.

Should I withdraw? It feels risky and the interest is insane but ETH is gonna dump so hard next week.

>>22467392
every single platform that I used doesn't owe me money for their incompetence

in fact only 1 does so no this isn't like every single other coin, keep coping with fact that they fucked up yet again

It's about time to hand out rangebans for promoting ANY crypto related shill. Samson option for /biz/

>>22467421
Get out. If there's a question about the pooled assets, you finna get dumped on. APY makes 100% of the farming profit, but is only a fraction of the risk assesment for the investment.

>>22467454
Did they say they were going to give you money back?

>>22465034
I had 10k in there. Nearly shat myself this morning when the box was empty.. then magically, it showed up again.. earning at 54%apr. Fuck me bros, that was close.

>>22467548
Most of those affected by the old hack have already been paid out.
Those who have not been refunded have not informed themselves about it.

>>22467602

Can you withdraw?? IF you cant that apr is worthless.

>>22467465
Found the kike

>>22467608
>>22467602
you cant fucking withdraw

>>22467343
nobody owes you shit. the insurance fund is for retards who cant read contracts they deposit into. youre literally an insurancefund baby kek.

>>22467501
Just got out. No hassle. Maybe it freed up some USD for someone else to withdraw.

>>22467612
>insufficient liquidity for unlend..
fuck

>>22466916
>been here for 3 years and never heard it
Because you've only been here for 3 years, newfriend.

>>22467685
yeah. we're fucked.

funds have been stolen

>>22467611
>Kike calling others kike
Classic. I'm going to make some calls tomorrow. I believe in self regulation, but its time to set the wheels for the end if defi on the us and eu market into motion

>>22467685

So your stuck. Enjoy worthless vbzrx tokens lol if they "reimburse" you

>>22463893
this fckn lmao
never fails to get (you)s even in [current_year]

>>22467710
>>22467730
Live and learn I guess. That was 1/3 of my link. I will however keep hoping and coping until I can't anymore.

>>22467668
>>22467421
FUUUCKKK I'M OUT AND NOW ETH IS GOING STRAIGHT TO $200 TONIGHT

JUST

>>22467719

had a good chuckle at this post kek

official incident report is out:
https://bzx.network/blog/incident

>>22468077
Lucky sevens. Was just about to post this. I feel mildly hopeful.

>>22465034
do you have down syndrome

>>22466964
>everyone acts like they knew this shit AFTER it has happened
if I knew how bzx uses uniswap1 as an oracle I could tell you in an instant how to hack it. The first competent guy that looked at it hacked it.

https://bzx.network/blog/incident

New article on the attack, seems that insurance will cover all losses...

>>22468265
Funds are safu. Anyways what are the chances audit guy found out this issue and exploited it himself.

>>22468316
I too am coping immensely. But yeah.. often wondered why anyone in a 'bug bounty' wouldn't just hit that exploit themselves.

>>22468347
>>22468316
this ends auditing companies imo. code should be published public along with paid audits and bug bounties. game theory will force the first finder to claim it, instead of sitting on it in the hope of a bigger payday. force auditors to compete with the public.

So what's the verdict fellow Coperinos? Are they just buying time before slinking off to the Caymans for good? Or are funds safu and we'll get something back in a few days?

>>22468446
Safe from what I see, the team has been responsive at least, and I had 3.5k link in it too...

>>22468487
The signs are positive I'll admit.

>>22465778
why leave the yalink vault?

>>22468406

>muh game theory

Wow fuck this. I knew the team was a bit shit but getting exploited another time after all that "most audited" nonsense really takes the cake. Am presaler and held quite a bit of tokens, dumped after the twitter post. I'll be staying out of defi for a while.

Update;

Apparently Marc Zeller of Aave was the hacker and was set out to destroy BZX's reputation further. This is clear because some of the wallets involved in the hack had PNK.

>>22468525
yes game theory faggot

they should have released the contract with limits so anyone who finds the bug looking for a bigger payday risks getting cucked by someone willing to work for less. saving everyone money.

>219,199.66 LINK
>4,502.70 ETH
>1,756,351.27 USDT
>1,412,048.48 USDC
>667,988.62 DAI

HOLY SHIT A TOTAL OF $8 MILLION WAS DRAINED. ENJOY YOUR VBZRX TOKENS AS IT TAKES THE WHOLE 4 YEAR VESTING PERIOD TO RECOUP THIS LOSS

How the fuck are these guys going to recover

>>22468406

>>22468584
haha chill out in the discord unless you're going to share the evidence here as well

>>22468730
and this is how they fuck up. go live straight away and THEN offer bounties? lmao. some kid just walked away with 8m and youre supposed to entice him from that with 350k?.... good luck.

>>22468827
That was already there from quite some time ago
Obviously 350k legit bucks <<< 8 million hacked money

Should I buy BZRX right now? It seems that fear is maxed out right now

>>22468873
you cannot possibly be this stupid

>>22468960
Why's it stupid? People were saying the same thing when STA crashed to 2 cents. And they made out like bandits.

>>22468998
there's a difference in market fluctuations and crashes that happen due to actual failure.
one is psychology the other is logical decline in future value.

>>22468998
Yep. One guy made over $100k if I remember right. He is the reason the price dropped from 40c to 20c

>>22469073
Sure, but STA also crashed because of failure

>>22465034
You deserve it for giving someone else your link.

>>22469109
ok. but look at bzx chart after the previous crash and then decide if now is a good time or in a few months

>>22465034
What in the living fuck were you thinking to put $1.2m dollars into this???????? You knew they botched the launch already and no one was using their platform right? You just threw over a million dollars down the drain m8.

Went all in on this and I have nothing to blame but myself. Should have sold off on the first dip when btc was bleeding back in aug.

Going for the “safe” cryptos for now.

This one hurt.

>>22469491
Bought in around .30, watched it climb to 1.60, fall last week, rise back up to .70 and left work this afternoon to find it shit the bed completely. It might crab back to .60 before dying but I don't want the anxiety anymore

>>22469526
Yeah, the past few days I have been price checking this coin per hour. Stress the hell out of me. Well, live and learn I guess.

Hope anyone gets a better luck next time.

Shit like this is why crypto won’t ever be mass adopted

Well, either i'm fucked out of my 10k link, or I end up making a decent return at 53% rewards.
I'm so fucking numb right now.

Aave had a bug too in their app, a week ago, they even disabled all transactions.
Ppl should not make a big deal of it since the bzrx team patched the bug

>>22463838
>>22463943
>>22465720
Fuckin zoomer newfags

>>22469792
SHUT THE FUCK UP GOY WE HERE AT AAVE ARE FAR BETTER THAN OUR COMPETITOR NOW DUMP THEIR TOKEN AND GET IN WE ARE GOING TO THE MOON

>>22469792
I've been around since presale till now, totally lost trust in the team after this event
They have great ideas but execution-wise it's just... poor
Who will trust them with coins now

>>22470126
ETH too was expoited in the past. Its simply part of the process of developing

>>22470577
but it wasn't?

>>22470126
Presaler here too. I've finally exited all of my BZRX positions. I had some hope when their TVL was coming back up after their botched launch, but now I'm finally seeing that the incompetence of the team will be this project's downfall. I'm happy to take my 20x in $ and a lesson learned even though I could have earned a whole lot more like 60x if I didn't hold hoping that the staking rewards would actually amount to something reasonable. I'm just glad I somehow managed to unlend all my funds that were on Fulcrum. Back to breathing in that LINK hopium I guess.

>>22470839
Yes it was. https://www.investopedia.com/news/ethereum-smart-contracts-vulnerable-hacks-4-million-ether-risk/

>>22468584
i was wondering if other DeFi platforms weren't behind the first hack and then the botched rollout

this is a rough dump, seems like the only non .finance coin that got punished heavily after the last dump

>>22463116
If they just performed the operations in line without making a temp variable all this would have been avoided

>>22468584
desu even if this was true it doesn't matter. The protocol should not have had critical flaws. With that said, if it is him then so much for trying to grow the DeFi industry, he could've communicated with the team instead of fucking everyone over.

>>22465837
Even if Andre is a genius and his smart contracts are perfect (unlikely), he relies on many other smart contracts that he has not programmed to earn funds. If any of those have an exploit you are shit out of luck.

>>22471000
Godspeed anon. Happy to get out with profit at least.

>>22469491
i feel your pain. similar to you except i put 50% of my portfolio in

>>22469491
Sold off 250k at around 55cents. I hate myself for not selling the top.

https://twitter.com/MarcThalen/status/1305354469354303488?s=20

Got out with a 4x, but man does it hurt to know I had over a 10x at one point and didn't sell...

wait so this got hacked twice in the past and anons here still put their life savings into this?

for what reason?