DeFi Lender bZx Loses $55 Million in Private Key Leak

The bZx DeFi protocol has had funds drained from its Binance Smart Chain (BSC) and Polygon contracts after one of the developers had his private key stolen in a phishing attack.

Late last week, Ethereum-based bZx was hacked for an estimated US$55 million. The project tweeted that “the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds”. This comes after bZx was hacked in 2020 for US$6 million and US$8 million on two separate occasions.

On the morning of November 5, the company received a series of notifications about suspicious activity, and a flagged wallet address behind the actions. The team later found that a hacker had used the stolen private key to access BZRX contracts on BSC and Polygon, as well as the developer team wallet. The code in the contracts was then updated to enable the extraction of tokens from any wallet that had granted token approvals to the affected contracts. Lastly, the hacker used all the funds as collateral to borrow against other funds on the protocol.

“Roughly 25 percent of this figure is personal losses from the team wallet that was compromised,” bZx said on Twitter. And according to a further breakdown by SlowMist, these funds are stored in seven separate addresses believed to be controlled by the hacker. However, bZx has claimed that it has the funds in its DAO treasury to cover the exploit.

Since the project’s Ethereum deployment is under the governance of a decentralised autonomous organisation (DAO), funds on that particular chain are reportedly safe from the incident.

Developer Targeted With Phishing Attack

The targeted bZx developer had their private key stolen through a phishing email, sent to his personal computer with a malicious script hidden in a Word document. Disguised as a legitimate email attachment, when opened the document ran a script which led to the developer’s personal mnemonic wallet phrase being compromised.

As soon as the team noticed, they notified Circle and Tether, requesting to freeze the stolen USDC/USDT in the hacker’s wallet, then contacted KuCoin to identify the hacker’s KuCoin account to pursue further action.

There’s Still Work to Do in DeFi

Last year, the protocol was caught off-guard by a margin-lending exploit, one of the first instances of a flash loan exploit – flash loans allow people to borrow huge sums of cryptocurrency to make an arbitrage trade, so long as they instantly pay back the funds. As the nascent DeFi industry evolves, there will be many growing pains for developers and investors alike.

In the past year there have been many hacks and exploits in the DeFi sector, including multimillion-dollar hacks of Indexed Finance, Zabu Finance and C.R.E.A.M Finance, to name a few.