Daily Defi News from Across the Web

Preliminary Post Mortem


We are still investigating; as new information comes to light, we will update this post.

Update 11/10/2021

Since our last blog post we have been receiving updates from community members that provide additional information about the identity of the hacker, which we would like to share with the community.

As we continue to follow the leads to the hacker, we encourage anyone with information that may lead to the identification of the individuals involved to reach out to the team at [email protected].

  • Independent Cyber Security Investigation: A security firm has analyzed the spear-phishing trojan used to execute this attack and has identified the group it believes to be responsible. We will release additional information as soon as we are able.

  • Timeline Updates:
    • The attack started simultaneously on both chains by changing the proxy target
      • Polygon: Nov-05-2021 11:07:04 AM +UTC
      • BSC: Nov-05-2021 11:07:22 AM +UTC
      • An 18-second difference, together with the number of wallets and contracts attacked within a short timespan, indicates that the attack was well planned in advance and executed by automated processes
    • Funds started being removed from the protocol
      • Polygon: Nov-05-2021 11:15:02 AM +UTC
      • BSC: Nov-05-2021 11:14:07 AM +UTC
      • About a 1-minute difference; again automated.
  • IP Address: The hacker used IPs linked to two ISPs/VPNs, which we have contacted for additional information. The ISPs are Ukkoverkot Oy and Leaseweb Deutschland GmbH.
  • Bondly Finance Connection: Thanks to the community, we have tracked one of the wallets the hacker used to a wallet involved in a previous private key hack of Bondly Finance.
    • We have reached out to the Bondly Finance team to share information and asked them for any information they have collected. We are currently awaiting their response.
    • The first transaction in 0xc433D50DD0614c81EE314289eC82Aa63710D25e8 (bZx PrivKey Exploiter 2) was some MATIC received from a wallet related to an exploit on Bondly Finance.
    • Interestingly, that exploit was very similar to bZx’s: the hacker got access to a dev’s password and then manipulated a smart contract of the protocol. More info here: https://bondlyfinance.medium.com/bondly-attack-july-14th-2021-postmortem-beb7cf02e9ba
  • Fixed Float Connection: In preparation for the attack, the hacker sent funds from 0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5 to 0xeB3ec65e117AaFf24dd3eC8BFfb49D40008Ddbcc (0.4 ETH), then to 0x4E5B2e1dc63F6b91cb6Cd759936495434C7e972F (https://fixedfloat.com/).
    • We have reached out to the Fixed Float team and identified that the funds from Fixed Float were sent to bnb14ca5d2lq8s6gere7whdg8zvq9ak9l0hmln8he3.
    • Fixed Float is able to send server logs along with IP, user-agent and language-list logs.
    • We believe these funds were used to fund the wallet used in the attack.
  • Recovery of Funds: We had previously explained that after contacting Tether we were able to freeze the USDT stolen by the hacker. Tether is working with us to recover the blacklisted USDT, and we’ll update the community once that occurs in the near future.
  • Compensation Plan: There are ongoing forum posts led by the community discussing a potential compensation plan for users. The DAO will vote on how the treasury should be used to compensate users and participants of the platform. As these proposals are discussed and finalized they will proceed through the governance process and be voted on by the DAO.
  • Future Plans: bZx will be moving forward with the pre-existing plans to rebrand and relaunch under a new name November 28th. The protocol will be relaunched on BSC and Polygon after the Compensation plan has been approved by the DAO.
  • Funds Stolen: The total amount of funds stolen on Polygon and BSC is listed below. The vast majority of funds have been converted to ETH. Note the totals below do not include developer funds stolen.

  • Unlimited Approval Funds Stolen:
    • BSC:
      • BTCB: 37.15115411
      • CAKE: 158.5665118
      • USDT: 1337188.21
      • BUSD: 2015496.77
      • ETH: 977.0685028
      • LINK: 143080.9047
      • DOGE: 207776.6439
      • WBNB: 533.5679051
      • AUTO: 28.71680644
    • Polygon:
      • WBTC: 0.34196491
      • WETH: 152.4387401
      • WMATIC: 131.4555542
      • LINK: 129286.6737
      • BZRX: 1903170.918
      • AAVE: 12.450805628288219437
      • USDC: 281845.5396
      • USDT: 91912.24514

  • Protocol Funds Stolen:
    • BSC:
      • CAKE: 56162.29
      • BTCB: 13.55
      • ETH: 113.11
      • WBNB: 1362.05
      • BUSD: 933327.26
      • LINK: 4710.54
      • AUTO: 72.42
      • USDT: 490434.84
      • BZRX: 9825500.16
      • DOGE: 45828.03
    • Polygon:
      • WBTC: 33.2980844
      • WETH: 604.30869898
      • WMATIC: 411976.8966
      • LINK: 18223.3992633
      • BZRX: 32707313.5595
      • AAVE: 766.14009443
      • USDC: 323315.96107
      • USDT: 525765.0017

Summary

A bZx developer had his personal wallet’s private keys taken in a phishing attack. The phishing attack was similar to one that recently affected another user, “mgnr.io”.

The Ethereum deployment of the bZx protocol is safe following the compromise of an individual bZx developer’s computer and private keys. The Ethereum bZx protocol itself wasn’t exploited: since bZx Protocol on Ethereum is governed by a DAO, the Ethereum implementation was not affected, and Ethereum governance is also unaffected.

This attack gave the hacker access to the contents of the bZx developer’s wallet and also to the private keys of the BSC and Polygon deployments of bZx Protocol. After gaining control of the BSC and Polygon deployments, the hacker drained the protocol there, then upgraded the contracts to allow draining all tokens for which users had given the contracts unlimited approval.

Who was affected?

  • A bZx Developer
  • Lenders, borrowers, and farmers with funds on Polygon and BSC, and those who had given unlimited approvals to those contracts. We are gathering data on the specific wallets which were affected by the attack.
  • Funds were also removed from the BSC and Polygon implementation of the protocol.

Impact and Funds Stolen:

Note: We are investigating further to determine the amount of funds that were stolen. We will update the article once the values have been calculated.

  • The hacker stole BZRX on BSC and Polygon using the private key, then deposited some of the stolen BZRX as collateral to borrow against other funds on the protocol.
  • The BZRX deployment on Ethereum was not affected and no funds were stolen there.
  • Funds held in the Polygon and BSC deployments were drained.
  • A limited number of users who had approved unlimited spend had funds stolen from their wallets.
  • The developer’s wallet was fully drained.

Timeline

  • A bZx developer was sent a phishing email to his personal computer with a malicious macro in a Word document disguised as a legitimate email attachment, which then ran a script on his personal computer. This led to his personal wallet mnemonic phrase being compromised.
  • On November 5, at around 8:30 AM EST, the following events happened: bZx received a user report that a user had a negative balance and that utilization rates were high.
  • bZx determined there had been suspicious activity on BSC and Polygon and tracked the stolen funds to the following wallet addresses (see below).
  • Etherscan flagged the wallet involved.
  • Notified Circle requesting the freezing of USDC.
  • The hacker upgraded the contract and borrowed against the stolen BZRX tokens.

bZx traced the hacker’s IP address from the logs of the bZx application and the KuCoin account logs. See below:

IP: 91.234.192.52 
Time: Nov 5, 2021 1:19:33 PM UTC
Chrome Version:95.0.4638
Windows Version:10
Potentially High Fraud Risk ISP lots of VPN Traffic.

The following actions were taken:

  • Contacted Banteg and Mudit Gupta to join us in the war room.
  • Contacted Tether and froze the USDT in the hacker’s wallet (see addresses below).
  • Contacted Binance and froze the BZRX stolen on BSC to prevent it from being transferred.
  • Contacted KuCoin and identified that one of the hacker’s wallets was used to transfer in and out of the exchange.
  • Disabled the UI on Polygon and BSC to prevent users from depositing.
  • Contacted USDC and requested the freezing of USDC in the hacker’s wallet.
  • Contacted KuCoin to identify the hacker’s KuCoin account.

We encourage this individual to reach out to the DAO at [email protected] to discuss returning the funds and potential bounty.

What Went Wrong?

The administrative private keys of the BSC and Polygon implementations had not yet been transferred to the DAO, so those deployments did not have the protection of the DAO. When the developer’s private keys were compromised in the phishing attack, the hacker gained access not only to the individual developer’s personal funds but also to the bZx deployments on BSC and Polygon. From there the hacker was able to upgrade the contracts and attack both the users of the protocol and the funds held within it.
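The two on-chain signals this post mortem describes, the proxy target being changed (see the Timeline Updates above) and unlimited approvals being drained, can both be watched for in event logs. The following is an added example, not bZx’s code: the topic hashes are the standard EIP-1967 `Upgraded(address)` and ERC-20 `Approval(address,address,uint256)` signatures, and every address and log record is a constructed placeholder.

```python
# Added example (not bZx's code): flag the two on-chain signals described in this
# post mortem, a proxy implementation swap and unlimited ERC-20 approvals, from
# eth_getLogs-style records. Every address and log record below is constructed.

UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # keccak256("Upgraded(address)"), EIP-1967
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
UNLIMITED = 2**256 - 1  # uint256 max, the value a typical "unlimited" approval sets

# Placeholder addresses, constructed for the sample (not the post mortem's wallets).
PROXY = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
USER = "0x" + "33" * 20
NEW_IMPL = "0x" + "44" * 20

def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def pad_topic(addr: str) -> str:
    """Inverse of topic_to_address: encode an address as a 32-byte topic."""
    return "0x" + "00" * 12 + addr[2:].lower()

def analyze_logs(logs, watched_proxies):
    """Return alerts for implementation swaps on watched proxies and for
    unlimited approvals granted to them. Logs are dicts with the eth_getLogs
    fields address, topics, data and blockNumber."""
    watched = {a.lower() for a in watched_proxies}
    alerts = []
    for log in logs:
        topics, emitter = log["topics"], log["address"].lower()
        if topics[0] == UPGRADED_TOPIC and emitter in watched:
            alerts.append({"kind": "proxy_upgraded", "proxy": emitter, "block": log["blockNumber"],
                           "new_implementation": topic_to_address(topics[1])})
        elif topics[0] == APPROVAL_TOPIC and topic_to_address(topics[2]) in watched:
            if int(log["data"], 16) == UNLIMITED:  # the non-indexed uint256 value lives in data
                alerts.append({"kind": "unlimited_approval", "token": emitter, "block": log["blockNumber"],
                               "owner": topic_to_address(topics[1]), "spender": topic_to_address(topics[2])})
    return alerts

# Constructed sample: an unlimited approval, a bounded approval (100 wei), then the upgrade.
SAMPLE_LOGS = [
    {"address": TOKEN, "blockNumber": 100, "topics": [APPROVAL_TOPIC, pad_topic(USER), pad_topic(PROXY)], "data": "0x" + "ff" * 32},
    {"address": TOKEN, "blockNumber": 101, "topics": [APPROVAL_TOPIC, pad_topic(USER), pad_topic(PROXY)], "data": "0x" + "00" * 31 + "64"},
    {"address": PROXY, "blockNumber": 200, "topics": [UPGRADED_TOPIC, pad_topic(NEW_IMPL)], "data": "0x"},
]
```

Feeding real `eth_getLogs` output for a proxy you hold approvals on would surface both the upgrade and the standing unlimited approvals that an upgraded implementation could spend.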

What went right?

The bZx treasury under the Ethereum DAO is safe because the Ethereum deployment had already been fully decentralized.

Action Items

  • Determining the total funds affected.
  • Working with law enforcement to identify the hacker and recover the funds.
  • Working with exchanges and investigators to identify the hacker.
  • Relaunching the Polygon and BSC implementations under DAO control.
  • Contacting the ISP/VPN providers.
  • The DAO developing a compensation plan for affected users that is appropriate and necessary, once the amount lost is calculated and efforts have been made to recover funds.

Hacker Wallet Balances:

Polygon

  • 0xafad9352eb6bcd085dd68268d353d0ed2571af89

BSC:

  • 0x74487eed1e67f4787e8c0570e8d5d168a05254d4
  • 0x967bb571f0fc9ee79c892abf9f99233aa1737e31
  • 0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5
    • Hacker’s primary wallet on BSC, used in the attack

Ethereum

  • 0x74487eEd1E67F4787E8C0570E8D5d168a05254D4
    • $4m in ETH
    • Hacker’s main wallet
  • 0x1ae8840ceaef6eec4da1b1e6e5fcf298800b46e6
    • Hacker’s wallet
    • USDT frozen
  • 0xAfad9352eB6BcD085Dd68268D353d0ed2571aF89
    • Hacker’s wallet
    • $1.4m DAI, $243k USDC, $15m ETH
  • 0x967bb571f0fc9ee79c892abf9f99233aa1737e31
    • Hacker’s wallet
    • $2m in ETH
  • 0x6abcA33faeb7deb1E61220e31054f8d6Edacbc81
    • Hacker’s wallet
    • 1.5m BZRX
    • Internal transactions from KuCoin
  • 0x1Ae8840cEaEf6EeC4dA1b1e6e5FCf298800b46e6
    • Hacker sent funds out from KuCoin to this address