$55M Stolen from Crypto Company

Cyber-criminals have siphoned an estimated $55m from decentralized finance (DeFi) lending protocol bZx.

The crypto company said that the theft occurred on Friday after one of its developers was taken in by a phishing attack and unwittingly gave up the details of some private keys. 

The phishing email, sent to the victim’s personal computer, carried a Word document containing a malicious macro that was disguised as a legitimate email attachment.

“This attack granted the hacker access to the content of the bZx developer’s wallet, and also the private keys to the BSC and Polygon deployment of bZx Protocol,” said bZx.

“After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval.”

In a tweet issued on November 5, bZx said: “The incident today was NOT a protocol hack. It was a phishing attack on a bZx dev.”

While an investigation into the attack is ongoing, a preliminary postmortem regarding the incident was issued by bZx earlier today.

“A bZx developer had his personal wallet’s private keys taken in a phishing attack. The phishing attack was similar to one that affected another user recently named ‘mgnr.io’,” said bZx in the postmortem.

The company said its initial investigation had determined that the Ethereum deployment of bZx protocol is safe and that the Ethereum bZx protocol itself wasn’t exploited.

“Since bZx Protocol on Ethereum is governed by a DAO, the Ethereum implementation was not affected. Ethereum Governance is also unaffected,” said the company.

The company said that it is still gathering data on the specific wallets that were affected by the attack. However, it confirmed that the incident has affected the bZx developer and lenders, borrowers, and farmers with funds on Polygon and BSC, plus individuals who had given unlimited approvals to those contracts. 

All funds contained in the wallet of the phished developer were drained. Funds were also removed from the BSC and Polygon implementations of the protocol.

The company said that its “treasury is robust” and that its “community will decide a compensation package.” 
