According to a tweet from bZx, the attacker had gotten access to the private keys that controlled the Binance Smart Chain and Polygon installations, among other things. One of bZx’s engineers had his wallet’s private keys stolen in a phishing assault, according to the company’s post-mortem report published today. A phishing email was sent to him that included a “malicious macro in a Word document that was disguised as a valid email attachment, which subsequently launched a script on his personal computer,” according to the attackers. “It was because of this that his particular mnemonic pocket phrase was compromised.” This exploit provided the hackers with access to the contents of the developer’s wallet and, as a result, the private keys to the BSC and Polygon deployments of the bZx protocol, which they used to compromise the system.
An hour ago it appears that the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds. The Ethereum deployment is under DAO control and not impacted. We will provide further updates soon.
— bZx – Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ) November 5, 2021
In a statement, the team explained that after acquiring control of BSC and Polygon, the hacker “drained the BSC and Polygon protocol, then modified the contract to enable draining of any tokens for which the contracts had granted limitless authority.”
As a precaution we have temporarily disabled the UI on BSC and Polygon while we investigate events from earlier today. The Ethereum App is unaffected and continuing to function normally. We will continue to provide ongoing updates and we will be releasing a post mortem shortly.
— bZx – Fulcrum & Torque (on ETH/BSC/Polygon) (@bZxHQ) November 5, 2021
The assault targeted lenders, borrowers, and farmers who had monies invested in BSC and Polygon contracts, as well as those who had provided limitless authorization to such contracts prior to the attack. According to bZx, its smart contracts were not affected by the attacker, who also withdrew cash from the BSC and Polygon implementations of the protocol as well.
“This issue has had no impact on the Ethereum deployment, its governance, or the DAO treasury,” the statement said. According to bZx, the project’s DAO treasury contains money that are substantially more than the effect of the event.
According to Slow Mist, a blockchain security business, more than $55 million in cryptocurrency was taken, however the bZx team informed The Block that this amount has not yet been independently verified. It is possible to find the money in six different locations, with the greatest holding $18.4 million and the lowest having $697. Other wallets include $6 million, $13.8 million, $15.5 million, $1.1 million, and $201,255, amongst other amounts of money.
Not for the first time, bZx has been the target of a hacking attempt. It was targeted twice in the previous year. In one of the first few cases of flash loan assaults, which occurred in February, the attackers got off with $366,000 worth of Ethereum. In September, the protocol was targeted again again, this time resulting in a loss of $8 million, which represented 30 percent of the cash it had at the time.