bZx, a widely used DeFi protocol, has lost $55 million to an unknown hacker who it claims gained illegitimate access to its private key. It is still not clear how the hacker carried out the attack.
Hacker Drains Funds After Compromising Private Key
bZx, a multi-chain decentralized finance (DeFi) project, has reported that a private key securing its smart contracts on Polygon and Binance Smart Chain (BSC) was compromised.
“It appears private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds,” the team confirmed in a Twitter post.
After the private key compromise, an unknown hacker drained $55 million worth of assets from bZx's liquidity pools, security firm SlowMist estimates.
Roughly 25% of this amount was lost from the wallet, the team claimed, and the remainder belonged to its users. To prevent further losses, the team has asked its users to revoke permissions they have given to the affected contracts.
The team added that its Ethereum smart contract was not affected by the hack, because the private key to bZx’s Ethereum deployment was secured by a multi-party contract and governed through a DAO.
The team has yet to explain how the hacker stole the private key controlling its Polygon and BSC contracts. It is expected to present a post-mortem report in the coming days.
bZx was attacked last year as well; the team later claimed to have recovered the funds. Incidents like the bZx hack are not uncommon for projects building on Binance Smart Chain and Polygon; both EVM-based blockchains have registered several attacks over the last year.
Today’s bZx attack adds to the long list of on-chain hacks that have previously taken place on Polygon and BSC. The biggest among them hit Poly Network, a cross-chain DeFi project similar to bZx, which suffered a $611 million hack.