The DeFi scourge continues – $55M stolen from bZx, again
Source: StunningArt
- bZx has once again been exploited and $55 million stolen, the third such exploit on the platform in the past two years.
- One of the developers reportedly received malware in an email and had his computer compromised, leading to the cleanout of Polygon and BSC deployments.
Hacks in the cryptocurrency world are not new, evolving with each new development. However, the decentralized finance (DeFi) world seems to be attracting attackers in their hordes. bZx is the latest in a long line of victims, with the DeFi protocol losing $55 million in a Friday attack. The attackers targeted one of the team members, sending him malware embedded in an email attachment according to a preliminary post mortem.
As bZx revealed on Twitter, the attacker had gained access to the private keys controlling the Binance Smart Chain and Polygon deployments.
An hour ago it appears that the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds. The Ethereum deployment is under DAO control and not impacted. We will provide further updates soon.
— bZx – Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ) November 5, 2021
In its post mortem, bZx claimed that one of its developers had his wallet’s private keys taken in a phishing attack. The attackers sent him a phishing email to his personal computer containing “malicious macro in a Word document that was disguised as a legitimate email attachment, which then ran a script on his Personal Computer. This led to his personal mnemonic wallet phrase being compromised.”
This attack gave the hackers access to the content of the developer’s wallet and consequently, the private keys to the BSC and Polygon deployment of bZx protocol.
“After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval,” the project said.
The attack affected lenders, borrowers and farmers with funds on BSC and Polygon as well as those who had given unlimited approvals to those contracts. The attacker also removed funds from the BSC and Polygon implementation of the protocol
bZx stressed that its smart contracts themselves were not compromised. “The deployment on Ethereum, its governance, and its DAO treasury are all unaffected by this incident,” it added.
The project’s DAO treasury has funds significantly in excess of the impact of the incident, bZx said.
As a precaution we have temporarily disabled the UI on BSC and Polygon while we investigate events from earlier today. The Ethereum App is unaffected and continuing to function normally. We will continue to provide ongoing updates and we will be releasing a post mortem shortly.
— bZx – Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ) November 5, 2021
One too many
According to Slow Mist, a blockchain security firm, over $55 million was stolen, although the bZx team told The Block that this figure has yet to be confirmed. The funds are stored in six addresses with the highest holding $18.4 million and the lowest holding $697. Other wallets hold $6 million, $13.8 million, $15.5 million, $1.1 million and $201,255.
This isn’t the first time that bZx is falling victim to an exploit. Last year, it was attacked twice. In February, the attackers made off with $366,000 worth of ETH in one of the first few instances of flash loan attacks. In September, the protocol was attacked again, this time losing $8 million, which at the time was 30 percent of the funds it held.