Cyber-criminals have successfully stolen an estimated $55 million from the decentralized finance (DeFi) lending protocol bZx in a recent phishing attack. The theft occurred when a bZx developer fell victim to a phishing email that contained a malicious macro disguised as a legitimate attachment. This allowed the hackers to gain access to the developer’s wallet and to the private keys for the BSC and Polygon deployments of the bZx Protocol.
After gaining control of the BSC and Polygon deployments, the hackers drained the funds and upgraded the contract so that they could also drain all tokens for which users had granted it unlimited approval. bZx clarified in a tweet that the incident was the result of a phishing attack on a developer, rather than a hack of the protocol itself.
An investigation is currently underway, with bZx releasing a preliminary postmortem report on the incident. The company confirmed that the Ethereum deployment of the bZx protocol was not exploited and remains safe. As the Ethereum implementation is governed by a DAO, Ethereum governance was also unaffected.
While specific details on the affected wallets are still being gathered, it has been confirmed that the attack impacted the bZx developer, lenders, borrowers, and farmers with funds on Polygon and BSC, as well as individuals who had given unlimited approvals to those contracts. All funds from the developer’s wallet were drained, and funds were also removed from the BSC and Polygon implementations of the protocol.
Despite the significant loss, bZx assured its community that its treasury is secure and that a compensation package will be decided upon by the community. The company continues to investigate the incident and implement necessary security measures to prevent similar attacks in the future.