$55 040 000 USD
DESCRIPTION OF EVENTS
"bZx (formerly known at b0x) was conceived in August 2017." "bZx was founded by Tom Bean, a self-starter with years of experience working with top-profile car companies using GPS technology." "The project first started publicly marketing themselves during ETHDenver in 2018. Since then, the protocol published their formal whitepaper in February of 2018, followed by a testnet release in April and a full mainnet launch in August of the same year." "The bZx team currently lists 8 team members and 3 advisors on their official website."
"bZx is a set of smart contracts built on top of Ethereum that allows people to lend and margin trade without having to rely on third parties." "Fulcrum is a powerful DeFi platform for tokenized lending and margin trading." "Fulcrum is a decentralized margin trading platform. There is no need for any verification, KYC or AML." "It is the first and only completely trustless platform for margin; it does not use centralized price feeds or centrally administered margin calls. It is permissionless and rent free; there are no fees and no accounts. Fulcrum is built on the bZx base protocol and extends the protocol by allowing both loans and margin positions to be tokenized." "Enjoy a frictionless trading experience with positions that automatically renew and zero rollover fees."
"bZx has been heavily focused on solidifying strong industry partnerships with key players including but not limited to MakerDAO, Kyber, ChainLink, Augur and Set Protocol." "The bZx base protocol [was] audited by leading blockchain security auditor ZK Labs."
"The margin trading lending platform bZx tweeted that the private keys controlling Polygon and Binance Smart Chain (BSC) deployment appeared to have been leaked, resulting in a loss of funds." "On November 5, at around 8:30 AM EST the following events happened: bZx received a user report that a user had a negative balance, and utilization rates were high."
"A bZx developer had his personal wallet’s private keys taken in a phishing attack. The phishing attack was similar to one that affected another user recently named “mgnr.io”."
"The ethereum deployment of bZx protocol is safe following the compromise of an individual bZx developer’s computer and their private keys. The Ethereum bZx protocol itself wasn’t exploited. Since bZx Protocol on ethereum is governed by a DAO, the ethereum implementation was not affected. Ethereum Governance is also unaffected."
"The BSC and Polygon implementation administrative private keys have not yet been transferred to the DAO yet. Therefore the BSC and Polygon Deployment did not have the protection of the DAO."
"On 5 Nov 2021, a developer’s personal wallet was compromised in a targeted phishing attack, and since he controlled the admin private keys to the BSC and Polygon deployments of Fulcrum, those deployments were compromised as well. The Ethereum deployment is controlled by the bZx DAO, and was not compromised and is not directly affected." "When the developers private keys were compromised in a phishing attack the hacker gained access to not only the individual developers personal funds, but also gained access to the bZx deployment on BSC and Polygon. From there the hacker was able to upgrade the contract and perform an attack on users of the protocol and funds held within the protocol."
"This attack granted the hacker access to the content of the bZx Developers wallet, and also the private keys to the BSC and Polygon deployment of bZx Protocol. After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval."
"Kaspersky believes that the attack was executed by the Lazarus/Bluenoroff Advanced Persistent Group, a group with a long a history of attacking financial institutions and cryptocurrency exchanges. The Lazarus Group has strong links to North Korea and is known as a state-sponsored hacking organization. Kaspersky has investigated a number of attacks performed by Lazarus in 2017, 2019, and 2020. Kaspersky reached the conclusion that the November 5th bZx attack was likely conducted by the Lazarus group based on their analysis of the phishing email, and it’s similarity to other tools used by the Lazarus Group. In addition to the analysis of the email, and the email attachment, Kaspersky concluded that the signature of the attack aligns with previous attacks that were also conducted by the Lazarus group."
"As a result of this attack, approximately $55 million worth of cryptocurrency (prices at the time of the attack) was stolen by the attacker, from both the protocol smart contracts on BSC and Polygon and from individual user wallets which had given token spending approval to the Fulcrum smart contracts on BSC/Polygon and not revoked it."
"The stolen assets include a number of tokens, and by far the largest part of the stolen assets are in the bZx native token, BZRX (approximately 42m BZRX, worth around $19m at the time of the attack, or more than 1/3 of the total attack value). I understand from the Telegram discussions that more than half of the BZRX stolen was the personal assets of the development team - approximately 22m BZRX, as well as a significant but unknown portion of the other stolen assets."
"The bZx smart contract itself was not compromised, and the deployment, governance and DAO vault of Ethereum were not affected by this incident. Users are reminded that if any token bZx contract is approved on Polygon or BSC, please revoke the approval as soon as possible."
"The following actions were taken: Contacted Banteg and Mudit Gupta to join us in the war room. Contacted Tether and froze USDT from the hackers wallet. Contacted Binance and froze the BZRX that was stolen on BSC to prevent it from being transferred. Contacted KuCoin and identified that one of the hackers wallets was used to transfer in and out of the exchange. Disabled the UI on Polygon and BSC to prevent users from depositing. Contacted USDC and requested to freeze USDC in the hackers wallet. Contacted KuCoin to identify the hackers KuCoin account."
"bZx DAO has voted on and approved the compensation plan to refund victims of the attack on November 5th, 2021. The compensation plan was a community led initiative originating from the forum discussions." "Details of the final plan are set out in the snapshot vote. All those who lost BZRX in the attack (except for the development team) will be compensated in full directly from the bZx DAO with BZRX. This will involve a payment of about 20m BZRX, or less than half of the liquid BZRX in the treasury directly to victims."
"The development team’s personal losses of BZRX will also be compensated in full, but they will be paid in vBZRX (not BZRX) which will vest slowly until July 2024."
"All other losses resulting from the attack (in all other tokens) will be compensated by issuing a debt token at a 25% premium to be repaid over time by the protocol from 30% of protocol revenue and fees (so protocol revenue breakdown will be 50% to Ooki/BZRX holders, 30% to debt token and 20% to treasury)."
"The name of the debt token is P125, this token will be distributed as compensation for the attack in Nov 2021 that resulted in user funds being stolen by an attacker P125 has a face value of $1, and is issued with a 25% premium to those who lost funds in the incident (so each $1 lost receives 1.25 P125)."
"The protocol will buy back P125 every month using 30% of all protocol revenues (up to a P125 price of $1) and in this way eventually reimburse all losses suffered as a result of the incident."
"Any assets recovered from the attacker (unknown at this time, although there is speculation that some of the USDT may be recoverable) will be given directly back to the victims who lost that particular token. So for example, if 50% of USDT is recovered, then it will be shared among all victims who lost USDT in proportion to their losses, and their allotment of the debt token accordingly reduced. However, this only applies until the debt token is issued and claimed. Once the debt token is issued, all recoveries will be used to market buy the debt token and benefit all victims equally. This is done to prevent double-dipping by victims of the recovered currency - you cannot get debt tokens for all your losses AND get a share of the recovered assets."
""We have been in contact with law enforcement agencies and have the following updates for the community of bZx holders who have had funds stolen from this recent attack and have been seeking information related to the FBI case number."
"The DOJ’s Victim Notification Program details here: can be contacted. A Victim Specialist can generate Victim Notification Letters which can be mailed or emailed to users who have been hacked."
"The letter will contain the FBI case number. The letter states that the case is open and under investigation and to contact the FBI Victim Specialist if they want to discuss services/resources."
"We are currently working with law enforcement to obtain warrants from exchanges and other platforms that the hacker has interacted with in order to obtain identifying information. All information that we have gathered is being turned over to law enforcement to assist them in their investigation. The hacker has converted a large amount of stolen assets into ETH and transmitted them through Tornado Cash. Best efforts are being made to continue tracking these assets as long as possible."
"The team is actively preparing to launch the bZx deployments on Binance Smart Chain and Polygon with enhanced security measures. These new security measures will prevent and ensure that the protocol is safe from spear phishing attacks in the future."
"All deployments will ultimately be transferred to full DAO control after remaining technical issues are resolved relating to multichain DAO governance. A multisig requiring approval of multiple team members backed with hardware wallets will be used to secure these deployments as a temporary measure until full DAO control, eliminating the possibility for a similar attack to succeed. Previously the BSC and Polygon deployments were under off-chain governance. Governance was conducted via snapshot votes, and then enacted by a deployer controlled by a single key. This model has been updated to a Three-of-Five multi-sig secured by hardware wallets."
"[T]he stolen BZRX which was used as collateral on the hackers loans have been liquidated thereby restoring liquidity to several loan pools. All hacker BZRX on Binance Smart Chain are currently frozen and cannot be sold or moved off the chain for the time being."
"The compensation is at the on-chain vote stage. Assuming the on-chain vote passes, the funds will be released from the DAO." "bZx will continue to provide updates on the compensation plan, investigation, and progress towards recovery of funds as new information becomes available."
"bZx DAO has voted on and approved the compensation plan to refund victims of the attack on November 5th, 2021. The compensation plan was a community led initiative originating from the forum discussions. Following a lengthy forum discussion a community consensus was formed and the plan was submitted for snapshot vote, then DAO vote and subsequently approved by the DAO."
"Following the approval of the plan, the treasury has released the funds and the proposal has been implemented." "Details of the final plan are set out in the snapshot vote. All those who lost BZRX in the attack (except for the development team) will be compensated in full directly from the bZx DAO with BZRX. This will involve a payment of about 20m BZRX, or less than half of the liquid BZRX in the treasury directly to victims. The development team’s personal losses of BZRX will also be compensated in full, but they will be paid in vBZRX (not BZRX) which will vest slowly until July 2024."
"A dedicated compensation page has been developed which will allow users to check the tokens they are able to claim under the compensation plan. This reimburses users who lost BZRX in the following pools: bzrx lost in infinite approval, ibzrx, pgov/bgov, masterchief, sushi lp."
A bZx developer had control to single-handedly make modifications to the bZx smart contract hot wallet. The developer fell victim to a spear phishing attack, and ended up revealing their key. This key alone allowed the phishing attacker to modify contracts and withdraw over $55m in funds from multiple users.
The community was able to determine a significant amount of information about the attacker. Based on Kaspersky analysis, it appears to be the Lazarus group (closely linked to the North Korean government). Some of the funds have since been recovered and a compensation plan is underway which is expected to fully compensate all affected users.
HOW COULD THIS HAVE BEEN PREVENTED?
This situation would be completely prevented through the use of a multi-signature setup. Keys should also be stored completely offline. It seems like this is the solution which is being proposed.
SlowMist Hacked - SlowMist Zone (Nov 6)
Fulcrum Trade - bZx Decentralized Lending & Margin Trading (Jun 26)
What is bZx? A 3-minute guide to the defi trading platform - Decrypt (Jun 26)
bZx Protocol blog - product news and articles (Dec 15)
Preliminary Post Mortem (Dec 15)
Post Mortem Update (Dec 15)
bZx Compensation Plans (Dec 15)
Snapshot (Dec 15)
Consolidated Compensation Proposal for Victims of 5 Nov 2021 BZX Attack - bZx Community Forum (Dec 15)
bZx Community Update (Dec 15)
https://www.justice.gov/criminal-vns (Dec 15)
bZx Community call #32 (Dec 16)
https://blog.insurace.io/security-incidents-in-october-cfed829449d0 (Dec 16)
https://blog.insurace.io/security-incidents-in-november-e4bcb39dd7f9 (Feb 1)
A hacker stole more than $55 million in crypto after a bZx developer fell for a phishing attack (Apr 9)