DeFi protocol bZx just hit by phishing attack, estimated damage $55 million

The DeFi sector is growing at a dizzying pace, with total value locked (TVL) exceeding $250 billion at press time. However, this ever-growing ecosystem still has a disturbing dark corner.

In the first four months of 2021, DeFi lost about $240 million. That estimate covers only publicly known cases; the real figure could be in the billions of dollars.

bZx, a DeFi protocol built on both Ethereum and Binance Smart Chain, has become the latest victim of a $55 million exploit because of a developer mistake.

According to a tweet thread from bZx executives:

“An hour ago it appears that the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds. The Ethereum deployment is under DAO control and not impacted. We will provide further updates soon.”

The Ethereum implementation, governance, and treasury of the DAO are all unaffected, as the private key for bZx’s Ethereum implementation is secured by a multi-party contract and regulated through the DAO.

According to estimates by security firm SlowMist, “more than $55 million was stolen.”

About 25% of the aforementioned funds are from the wallet while the rest belongs to its users.

“We are still investigating this incident. If you have approved any token for bZx contract on Polygon or BSC, please cancel your approval as soon as possible,” stated the team.

bZx has temporarily disabled the user interface on BSC and Polygon. Meanwhile, the Ethereum app continues to function normally.

A phishing attack?

Shortly after the incident, the team behind the protocol posted a further update stating that “today’s incident was NOT a protocol hack. It was a phishing attack against a bZx developer.”

This attack gave hackers access to the contents of the bZx developer wallet, as well as the private keys to the bZx Protocol’s BSC and Polygon implementations. The hackers drained funds on BSC and Polygon.

In addition, the team traced the hacker’s IP address from the logs on the bZx app and the KuCoin account logs.


This is not the first hack the protocol has suffered. Last year it experienced a similar incident, when it was caught off guard by a margin lending exploit. The team claims to have recovered the funds at the time.
