BSC and Polygon funds drained – but Ethereum contracts ‘safe’ – following phishing attack

bZx crypto heist results in reported losses of more than $55m

bZx, the decentralized finance (DeFi) platform, says “possible terms of compensation” are being discussed as it continues to investigate the theft of millions of dollars’ worth of cryptocurrency funds.

A cybercriminal pulled off the heist after compromising a bZx developer’s PC and stealing their personal cryptocurrency wallet’s private keys via a phishing attack, bZx revealed on Friday (November 5).

The attacker then drained the developer’s wallet and obtained keys to the bZx protocol’s Polygon and Binance Smart Chain (BSC) deployments.

The hacker subsequently “drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval”, said bZx in a ‘preliminary post mortem’.

Blockchain security firm SlowMist has estimated that the crypto-thief made off with more than $55 million.

In response, bZx tweeted that “roughly 25% of this figure is personal losses from the team wallet that was compromised”.

Ethereum contracts ‘safe’

The DeFi platform said its Ethereum deployment escaped unscathed because it is governed by a DAO (decentralized autonomous organization) – something it said it will now implement for its BSC and Polygon implementations.

Potential victims include “lenders, borrowers, and farmers with funds on Polygon and BSC, and those who had given unlimited approvals to those contracts”, said bZx.

The DeFi platform said it is still investigating which specific wallets were affected but has confirmed that “a limited number of users who had approved the unlimited spend had funds stolen from their wallet”.

Freezing wallets

bZx found the hacker’s IP address and tracked stolen funds to a number of wallet addresses after being alerted to suspicious activity on a user account on the morning of November 5.

It subsequently disabled the user interface on Polygon and BSC to prevent further user deposits, and contacted Tether, Binance, and USDC, requesting that the cryptocurrency platforms freeze the hacker’s wallets.

In its latest Twitter update posted Sunday (November 7), bZx said: “Over the weekend, we spoke with the law firm funded by the DAO which is assisting with this case and bringing the information collected on the attacker to the FBI… Discussions have begun around possible terms of compensation in various channels.”

bZx has implored the hacker to return the stolen funds, referencing a “potential bounty”.

A similar gambit apparently paid off in September 2020 when a hacker who siphoned $8 million via a security flaw in bZx’s smart contract later agreed to return the stolen funds, bZx co-founder Kyle Kistner claimed at the time.

bZx also succumbed to a pair of quick-fire ‘flash loan’ attacks in February 2020 that together resulted in total losses of $954,000.
