Stop us if you’ve heard this one before. DeFi protocol bZx, a lending protocol built atop Ethereum and Binance Smart Chain, has been hacked for at least $55 million, according to blockchain security firm SlowMist.
bZx told Decrypt, “That $55m hasn’t been verified internally.”
Tweeting about the incident, the protocol team stated, “The bZx smart contracts themselves were not compromised. This incident only impacted the Polygon and BSC deployments via a compromised key.” Ethereum contracts weren’t compromised, it says.
#bZx private key compromised, over $55 million dollars stolen so far. We’ll continue to update as more information is discovered. @RektHQ @ChainNewscom @bZxHQ https://t.co/SM6WWDt06J pic.twitter.com/39S05IiBFr
— SlowMist (@SlowMist_Team) November 5, 2021
Last year, the protocol was on the receiving end of two hacks, which hobbled its ability to take advantage of rising popularity in the nascent decentralized finance (DeFi) industry, which leverages blockchain technology to cut out middlemen from loans, savings, and swaps.
In February 2020, when the total value of crypto assets committed to Ethereum-based DeFi protocols was worth less than $1 billion, bZx got caught off-guard by a margin-lending exploit. In one of the first instances of a flash loan exploit (flash loans allow people to take out huge sums of cryptocurrency to make an arbitrage play so long as they instantly pay back the funds), bZx came out short 1,300 wrapped ETH. The theft, worth $366,000 then, would be valued at close to $6 million today.
A September 2020 exploit drained 30% of the funds locked into the bZx protocol, then worth $8 million. Though bZx paused the protocol, it later reported that “those funds outlined have been debited against our insurance fund.” In other words, actual users with open margin positions didn’t get hurt.
Now, with the Ethereum DeFi market having ballooned to over $170 billion and BSC and other chains getting in on the act, the price tag (which bZx is working to verify or update) is getting higher. Regardless, says bZx, it has the funds in its DAO treasury to cover the exploit.