DeFi protocol bZx falls victim to phishing attack, around $55 million lost
The decentralized finance sector is growing at a breakneck pace. Total value locked in DeFi, at press time stood at more than $250 billion. However, here’s the negative side to this ever-increasing ecosystem.
In the first four months of 2021, the DeFi sector lost about $240 million. These are just the publicly known cases; the real estimate of losses could be in billions of dollars.
DeFi protocol bZx, a widely-used protocol is currently trending in the news. Well, for the wrong reasons. This protocol built on Ethereum and Binance Smart Chain was hacked for at least $55 million. As reported in the series of tweets, bZx executives tweeted,
An hour ago it appears that the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds. The Ethereum deployment is under DAO control and not impacted. We will provide further updates soon.— bZx – Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ) November 5, 2021
The deployment on Ethereum, its governance, and its DAO treasury were all unaffected as the private key to bZx’s Ethereum deployment was secured by a multi-party contract and governed through a DAO.
As estimated by the security firm Slow Mist, “0over 55 million dollars (were) stolen so far.”
Around 25% of the said amount was lost from the wallet. The remaining belonged to its users. “Additional information to follow, we are still investigating this incident,” the team claimed, adding,
“If you have approved any tokens to the bZx contracts on Polygon or BSC, please revoke your approvals ASAP.”
Moreover, it temporarily disabled the UI on BSC and Polygon. Whereas, the Ethereum App continued to function normally.
‘It was a phishing attack’
Following this unfortunate event, the team behind the hacked protocol was quick to publish some more information to keep its users up-to-date. The team shared that the incident today was NOT a protocol hack. It was a phishing attack on a bZx dev.
“A bZx developer had his personal wallet’s private keys taken in a phishing attack. The phishing attack was similar to one that affected another user recently named “mgnr.io”.
This attack granted the hacker access to the content of the bZx developers wallet, and also the private keys to the BSC and Polygon deployment of bZx Protocol. Needless to say, the hacker drained the BSC and Polygon protocol.
The incident today was NOT a protocol hack. It was a phishing attack on a bZx dev. bZx on Ethereum is not compromised, only BSC + Polygon. Our treasury is robust and our community will decide a compensation package. Investigation ongoing. Read more👇https://t.co/uLIO8K9QDZ— bZx – Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ) November 5, 2021
However, the victim was quick to alert as well as reach out to other protocols as highlighted in the report.
In addition to this, the team traced the hacker’s IP address from the logs on the bZx application and KuCoin account logs.
Now, this wasn’t the first hacking instance for this protocol. Last year, the protocol was on the receiving end of a similar illicit operation. Here, it got caught off-guard by a margin-lending exploit. Later, the team claimed to have recovered the funds at the time.
Overall, projects built on Binance Smart Chain and Polygon registered several attacks over the last year. For instance, the decentralized transaction protocol BXH was attacked on Binance Smart Chain [BSC], leading to a theft of around $139 million at the time of the attack.Source