On November 5, 2021, a hack of the bZx protocol was reported by SlowMist. The attacker stole over $55 million in tokens from the platform, a developer, and some bZx users.
Inside the Hack
The bZx hack started with a phishing email sent to a bZx developer. The email contained a Word document with malicious macros. These macros ran a script on the developer’s personal computer that stole the developer’s private mnemonic seed phrase and the private keys used to deploy the bZx protocol on Polygon and Binance Smart Chain (BSC).
A mnemonic seed phrase is designed to make private keys easier to remember, and the private keys can be derived from it. As a result, the compromised seed phrase was used to drain the developer’s personal wallet, and the compromised bZx keys were used to steal the platform’s funds and to drain the wallets of users who had permitted unlimited spend operations for tokens on the platform.
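The exposure created by unlimited spend permissions can be measured from a token's Approval event logs. The following is an added example, not code from bZx or SlowMist: it replays ERC-20 Approval logs and lists the owners who still grant a given spender an unlimited allowance. The addresses, the sample logs, the helper names and the 2**255 threshold are assumptions constructed for illustration.

```python
# Added example: audit ERC-20 Approval logs for outstanding unlimited allowances.
# Every address and log entry below is constructed sample data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_THRESHOLD = 2**255  # assumption: anything this large counts as "unlimited"

def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs):
    """Replay Approval events in chain order; the latest event per triple wins."""
    state = {}
    ordered = sorted(logs, key=lambda e: (int(e["blockNumber"], 16), int(e["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (an ERC-721 Approval has 4 topics)
        key = (log["address"].lower(), topic_to_address(topics[1]), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)  # logs only; allowance() on chain is authoritative
    return state

def unlimited_approvals(logs, spender):
    """Return (token, owner) pairs that still grant `spender` an unlimited allowance."""
    spender = spender.lower()
    return sorted(
        (token, owner)
        for (token, owner, s), value in current_allowances(logs).items()
        if s == spender and value >= UNLIMITED_THRESHOLD
    )

def _log(token, owner, spender, value, block, index):
    """Build one constructed log entry in the shape eth_getLogs returns."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": hex(block), "logIndex": hex(index)}

TOKEN = "0x" + "aa" * 20
PLATFORM = "0x" + "bb" * 20  # hypothetical spender contract whose key is compromised
ALICE, BOB, CAROL = ("0x" + c * 40 for c in "123")
MAX = 2**256 - 1
SAMPLE_LOGS = [
    _log(TOKEN, BOB, PLATFORM, 0, 105, 1),             # Bob revoked later (listed first on purpose)
    _log(TOKEN, ALICE, PLATFORM, MAX, 100, 0),         # still unlimited
    _log(TOKEN, BOB, PLATFORM, MAX, 101, 2),           # superseded by the revoke at block 105
    _log(TOKEN, CAROL, PLATFORM, 500 * 10**18, 102, 0),  # bounded allowance
]

if __name__ == "__main__":
    print(unlimited_approvals(SAMPLE_LOGS, PLATFORM))
```

Owners returned by `unlimited_approvals` are the ones who need to set the allowance for that spender back to zero.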
Lessons Learned From the Hack
The bZx hack occurred due to a compromised private key, which provided the attacker with full control over the associated account. Another recent major hack of the BXH Exchange also involved a compromised private key.