Cyber-criminals have successfully stolen an estimated $55 million from bZx, a decentralized finance (DeFi) lending protocol. The theft occurred on Friday when a developer fell victim to a phishing attack, unknowingly giving up the details of some private keys.
The phishing email was sent to the developer’s personal computer, containing a malicious macro in a Word document disguised as a legitimate email attachment. This allowed the hacker to access the developer’s wallet content and private keys to the BSC and Polygon deployment of bZx Protocol. With this access, the hacker drained the BSC and Polygon protocol and upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval.
bZx clarified in a tweet that the incident was not a protocol hack but a phishing attack on one of its developers. An investigation is currently underway, with a preliminary postmortem report already issued by bZx.
The company confirmed that its Ethereum deployment of the bZx protocol is safe and was not exploited in the attack. As the Ethereum implementation is governed by a DAO, it remained unaffected. However, the incident did impact the bZx developer, as well as lenders, borrowers, and farmers with funds on Polygon and BSC, along with individuals who had given unlimited approvals to those contracts.
All funds in the developer’s wallet were drained, and funds were also removed from the BSC and Polygon implementation of the protocol. Despite this, bZx reassured its community that its treasury is robust and that a compensation package will be decided upon by the community.
In conclusion, the cyber-criminal attack on bZx highlights the importance of cybersecurity measures in the cryptocurrency industry. It serves as a reminder for developers and users to remain vigilant against phishing attacks and to implement robust security protocols to safeguard their assets.