We are still investigating; as new information comes to light, we will update this post.

Update 11/10/2021

Since our last blog post we have been receiving updates from community members who have provided additional information about the identity of the hacker, which we would like to share with the community.

As we continue to follow leads on the hacker's identity, we encourage anyone with information that may lead to the identification of the individuals involved to reach out to the team at [email protected].

Preliminary Post Mortem

Summary

A bZx developer had the private keys to his personal wallet taken in a phishing attack. The attack was similar to one that recently affected another user, "mgnr.io".

The Ethereum deployment of bZx Protocol is safe following the compromise of an individual bZx developer's computer and private keys. The Ethereum bZx protocol itself was not exploited: because bZx Protocol on Ethereum is governed by a DAO, the compromised developer key carried no administrative rights there, and neither the Ethereum deployment nor Ethereum governance was affected.

The attack gave the hacker access to the contents of the bZx developer's wallet and, with it, the private keys that administer the BSC and Polygon deployments of bZx Protocol. With those keys the hacker first drained the funds held by the BSC and Polygon deployments, then upgraded the contracts so they could also drain every token for which users had granted the contracts an unlimited approval.

Who was affected?

Impact and Funds Stolen:

Note: We are investigating further to determine the amount of funds that were stolen. We will update the article once the values have been calculated.

Timeline

bZx traced the hacker's IP address from the bZx application logs and KuCoin account logs. See below:

IP: 91.234.192.52
Time: Nov 5, 2021 1:19:33 PM UTC
Chrome version: 95.0.4638
Windows version: 10
ISP: potentially high fraud risk, with a lot of VPN traffic (an address behind a VPN-heavy ISP is a weak attribution signal on its own).

The following actions were taken:

We encourage this individual to reach out to the DAO at [email protected] to discuss returning the funds and a potential bounty.

What Went Wrong?

The administrative private keys for the BSC and Polygon deployments had not yet been transferred to the DAO, so those deployments did not have the DAO's protection: a single developer's key was the sole upgrade authority for them. When that developer's private keys were compromised in the phishing attack, the hacker gained access not only to the developer's personal funds but also to the bZx deployments on BSC and Polygon. From there the hacker was able to upgrade the contracts and attack both the funds held within the protocol and the users who had approved it.

What went right?

The bZx treasury and protocol on Ethereum are safe because administrative control there had already been fully transferred to the DAO.

Action Items

Hacker Wallet Balances:

Polygon:

BSC:

Ethereum:

About the author
Contributor
Contributor to bZx