Attackers are stepping up their efforts to harm the crypto industry. In the latest attack, a DeFi platform, bZx, has now lost an estimated $55 million worth of cryptocurrencies. The attack comes at a time when regulators and critics are calling for stronger actions to make the industry safer and better for investors.
What Happened?
Hackers gained access to the bZx network through a phishing program embedded in a Microsoft Word document that was sent to the PC of one of bZx’s developers. The attack succeeded and compromised the developer’s wallet. Using the wallet’s private keys, the hackers quickly moved a huge amount of money in tokens. The private keys gave them access to the Polygon and BSC protocols, and also to the smart contracts of those users who had not set a restriction on transactions on their wallets.
The stolen money came from funds on the Binance Smart Chain and Polygon that the developer held and that DeFi users had staked, lent, borrowed, or farmed. Although the attackers gained access to the protocol, the Ethereum protocol hosting the DAO vault and governance was not affected. The attacker sent the tokens on a round trip including Binance, KuCoin, and Circle.
A post-attack evaluation by SlowMist, a leading blockchain auditor, estimated the total amount of the stolen funds to be $55 million.
Rising Attacks on DeFi Platforms
This is not the first time that a DeFi platform has suffered phishing attacks. Just two days ago, a hacker gained unlawful access to BZRX via phishing attacks that compromised private keys. Upon gaining access, the hacker stole BZRX tokens and other tokens on Polygon and BSC and then used the stolen BZRX tokens as deposits for future borrowing on the protocol.
bZx was a victim of a phishing attack in February 2020 that saw $500,000 worth of Ethereum stolen from the protocol. That incident forced the developers to implement Layer-2 security protocols and an external audit of the protocol. bZx is responding similarly by working to improve the network’s security and collaborating with law enforcement agencies to identify the attacker.
In the meantime, bZx has warned users of its protocol to cancel every pending transaction and stay tuned for updates. It is also working on a compensation plan for affected users. bZx has also put up a public post appealing to the hacker to return the funds; it even included a bounty. Hackers have been known to return stolen funds. Recently, hackers returned nearly half of $610 million stolen from Poly Network in August.
Safety of funds has been a persistent problem in the cryptocurrency industry. Government regulators have repeatedly highlighted the risk of hackers gaining unauthorized access via malicious attacks and making away with funds. Although this is one of the risks of a decentralized system, experts believe that law enforcement agencies can work with developers to create a system that prevents such attacks in the future.