On Nov 5, a bad actor managed to steal a trove of BZRX tokens and other cryptocurrencies on BSC and Polygon by using bZx private keys that were obtained in a phishing attack. The attacker was then able to deposit the stolen BZRX as collateral to borrow against other funds on the protocol.
bZx is an L2 DeFi margin lending protocol that runs on Ethereum, Polygon, and BSC. The deployment, governance, and DAO vault on Ethereum were not affected by the phishing attack, nor was the bZx smart contract.
The attack gave the hacker the keys to the Polygon and BSC deployments of the bZx protocol. It affected lenders, borrowers, and farmers, as well as anyone who had given unlimited approvals to those contracts. Funds were then removed from the BSC and Polygon implementations of bZx.
Blockchain ecosystem auditor SlowMist estimated the value of the lost funds at around $55M.
Timeline of the attack
bZx released a preliminary report on the attack method, timeline, and repercussions. Initially, a developer’s mnemonic wallet phrase was compromised.
Early on, bZx was notified of a negative balance in a user’s account and that utilization rates were high. bZx then determined that there had been suspicious activity on the Polygon and BSC deployments and tracked the stolen funds to wallet addresses. The attacker moved the stolen funds through Binance, KuCoin, and Circle, which were notified so that they could take mitigating action.
Etherscan, a tool to view data on any pending or confirmed Ethereum blockchain transactions, revealed the addresses of the wallets containing the stolen funds.
Polygon:
0xafad9352eb6bcd085dd68268d353d0ed2571af89 (2 million BZRX)
BSC:
0x74487eed1e67f4787e8c0570e8d5d168a05254d4 (10 million BZRX)
0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (2.5 million BZRX)
0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5 (Primary hacker wallet)
Ethereum:
0x74487eed1e67f4787e8c0570e8d5d168a05254d4 (10 million BZRX)
0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (12 million BZRX)
0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (82K BZRX)
0x74487eEd1E67F4787E8C0570E8D5d168a05254D4 (4 million ETH, primary hacker wallet)
0x1ae8840ceaef6eec4da1b1e6e5fcf298800b46e6 (USDT was frozen, hacker wallet)
0xAfad9352eB6BcD085Dd68268D353d0ed2571aF89 ($1.4 million DAI, $243K USDC, $15m ETH, hacker wallet)
0x967bb571f0fc9ee79c892abf9f99233aa1737e31 (2 million ETH, hacker wallet)
0x6abcA33faeb7deb1E61220e31054f8d6Edacbc81 (1.5 million BZRX, hacker wallet, internal transactions from KuCoin)
0x1Ae8840cEaEf6EeC4dA1b1e6e5FCf298800b46e6 (Hacker sent funds out from KuCoin to this address)
bZx response
bZx claims that it is working with law enforcement, exchanges, and investigators to identify the perpetrator and recover the stolen funds. It is relaunching the Polygon and BSC deployments under Decentralized Autonomous Organization (DAO) control and is developing a compensation plan for affected users.
It has also published a message to the attacker, encouraging them to return the stolen funds in exchange for a bounty. Users are reminded to revoke any bZx contract approval on Polygon or BSC.
An earlier bZx attack in February 2020 saw $500,000 in ETH stolen. After that, the DeFi lending protocol team worked to strengthen security on L2 by allowing an external audit of the core protocol.
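What the reminder to revoke approvals means in practice, as an added example that is not taken from the bZx report: the Python sketch below replays ERC-20 Approval event logs to find allowances to a given contract that were never set back to zero, and builds the `approve(spender, 0)` call data that revokes one. Every address and log entry in it is a constructed placeholder, since the article does not list the affected contract addresses.

```python
# Added example, not bZx code. Addresses and log entries are constructed placeholders.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the usual "unlimited" allowance value

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, spender):
    """Replay Approval logs in order and return {(token, owner): allowance}
    for allowances to `spender` that were never set back to zero."""
    spender, state = spender.lower(), {}
    for log in logs:
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topic_to_address(t[2]) != spender:
            continue  # approval granted to some other contract
        key = (log["address"].lower(), topic_to_address(t[1]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # owner already revoked
        else:
            state[key] = amount
    return state

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), the call the owner sends to the token."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def _log(token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SPENDER = "0x" + "bb" * 20  # placeholder for an affected lending contract
OTHER, TOKEN = "0x" + "cc" * 20, "0x" + "11" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20
SAMPLE_LOGS = [
    _log(TOKEN, ALICE, SPENDER, MAX_UINT256),  # unlimited, never revoked
    _log(TOKEN, BOB, SPENDER, 500),
    _log(TOKEN, BOB, SPENDER, 0),              # Bob revoked
    _log(TOKEN, ALICE, OTHER, 1000),           # different spender, ignored
]

if __name__ == "__main__":
    for (token, owner), amt in live_approvals(SAMPLE_LOGS, SPENDER).items():
        kind = "UNLIMITED" if amt == MAX_UINT256 else str(amt)
        print(owner, "->", token, kind, "revoke with", revoke_calldata(SPENDER))
```

Many tokens do not emit an Approval event when `transferFrom` spends part of an allowance, so the replay gives an upper bound; the token's `allowance(owner, spender)` view returns the current figure.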