DeFi bZx Losses $55M After its Developer’s Private Key Was Compromised In A Phishing Attack
Trading and lending platform bZx suffered an exploit of $55 million in yet another round of compromise.
The decentralized finance (DeFi) protocol reported on Friday that the private key controlling the project’s deployments on Polygon and Binance Smart Chain (BSC) was compromised, leading to the loss of funds. The Ethereum deployment, however, is not impacted and continues to function normally.
“The Ethereum contracts and treasury remains safe. Roughly 25% of this figure is personal losses from the team wallet that was compromised.”
As a precaution, bZx has temporarily disabled the UI on BSC and Polygon. If anyone has approved any tokens to the bZx contracts on Polygon or BSC, they are asked to revoke their approvals as soon as possible.
The bZx team noted that the decentralized autonomous organization (DAO) treasury has funds significantly above the impact of the incident, and they will have a community vote to use the funds from the treasury as a backstop to make victims whole.
Blockchain security firm SlowMist alerted that these funds were siphoned from the project and kept in seven separate addresses.
In its post mortem, the project noted that a bZx developer had his personal wallet’s private keys stolen in a phishing attack.
Because, unlike Ethereum, the BSC and Polygon implementation administrative private keys haven’t been transferred to the DAO yet, the hacker used the private key to gain access to the individual developer’s personal funds and the bZx deployment on BSC and Polygon.
The hacker then was able to upgrade the contract and attack the protocol and funds held within it.
Overall, the bZx developer was not the only one affected; lenders, borrowers, and yield farmers with funds on Polygon and BSC and those who had given unlimited approvals to those contracts.
In response, the token BZRX dropped about 21% to $0.378. As of writing, the $131 million market cap cryptocurrency is trading at $0.385.
However, this wasn’t the first time the project suffered an attack, as on three other occasions [1st hack, 2nd hack, 3rd hack], it was hacked. During the recent exploit in September 2020, the project lost over $8 million, but it claims to have “recovered” all of the funds.
“Any attack on crypto is bad for everyone. This is not about one project against another. It's about crypto in general against the rest of the world. Any failure goes to the expense of the entire crypto community. Let's stand together and show the world that we are capable of shaping the future.”