Analysis of the Exploit that Executed on bZx
On Nov 5, 2021, bZx, a DeFi application, was exploited. This is another incident caused by the compromise of an admin's private key. The application lost assets from its pools deployed on both BSC and Polygon. Users who approved token transfer rights for bZx should revoke their approvals as soon as possible.
Before the incident happened, bZx’s admin upgraded its contract and transferred the admin rights at around 11:07 AM UTC on Nov 5, 2021.
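For the advice above to revoke approvals, the following added example (not code from the original post or from bZx) builds, offline, the ERC-20 `allowance` query and the `approve(spender, 0)` calldata that clears an approval. The owner, spender and token addresses and the `eth_call` results are constructed placeholders; the bZx contract address is not given on this page and must be taken from your own approval transaction.

```python
import re

APPROVE_SELECTOR = "095ea7b3"    # first 4 bytes of keccak256("approve(address,uint256)")
ALLOWANCE_SELECTOR = "dd62ed3e"  # first 4 bytes of keccak256("allowance(address,address)")

def addr_word(addr):
    """ABI-encode a 20-byte address as a left-padded 32-byte word (hex)."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower().rjust(64, "0")

def allowance_calldata(owner, spender):
    """Data field for an eth_call to token.allowance(owner, spender)."""
    return "0x" + ALLOWANCE_SELECTOR + addr_word(owner) + addr_word(spender)

def revoke_calldata(spender):
    """Data field for token.approve(spender, 0), which clears the allowance."""
    return "0x" + APPROVE_SELECTOR + addr_word(spender) + "0" * 64

def decode_uint256(result_hex):
    """Decode the single 32-byte word returned by allowance()."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{64}", result_hex):
        raise ValueError("expected exactly one 32-byte word")
    return int(result_hex, 16)

def plan_revokes(spender, allowance_results):
    """Return one unsigned tx per token whose allowance to spender is non-zero."""
    txs = []
    for token, result in allowance_results.items():
        if decode_uint256(result) > 0:
            txs.append({"to": token, "value": 0, "data": revoke_calldata(spender)})
    return txs

# Placeholders, NOT real addresses: substitute your wallet and the contract
# you approved, as recorded in your own approval transaction.
OWNER = "0x" + "22" * 20
SPENDER = "0x" + "11" * 20
# Constructed eth_call results for two hypothetical tokens.
SAMPLE_RESULTS = {
    "0x" + "aa" * 20: "0x" + "f" * 64,  # unlimited approval: needs revoking
    "0x" + "bb" * 20: "0x" + "0" * 64,  # already zero: nothing to do
}

if __name__ == "__main__":
    print(allowance_calldata(OWNER, SPENDER))
    for tx in plan_revokes(SPENDER, SAMPLE_RESULTS):
        print(tx)
```

Each returned transaction must be signed by the token owner and sent on the chain where the approval was granted (BSC or Polygon here).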
Basic Information About the Incident:
The exploiter’s addresses:
- 0x74487eEd1E67F4787E8C0570E8D5d168a05254D4
- 0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5
- 0x967BB571F0Fc9Ee79c892aBF9f99233AA1737E31
- 0x6551Fb9BE444987F7482012CBf7ea95A1ee8DD0e
The exploiter exchanged part of the exploited tokens for BNB and MATIC and transferred them to:
0xAfad9352eB6BcD085Dd68268D353d0ed2571aF89.
The tokens exploited on BSC and Polygon were valued at a total of 21 million USD.
The gas used to launch the exploit came from Tornado.Cash on Ethereum and was subsequently transferred to BSC and Polygon via a cross-chain bridge.
The hash value of the transaction that obtained the gas from Tornado.Cash was:
0xb2472b5a8ddbf44639622110b31d4928f3b7e4db23e6b713ec268d68eb5ea730