defirisk.co
rubric v1.7.0

bZx (bzx.network): Phishing → Private Key Compromise → Smart Contract Drain

A single bZx developer opened a phishing email on their personal computer, had their seed phrase stolen by a malicious Word macro, and handed an attacker administrative control over two entire blockchain deployments — resulting in $55M lost across Polygon, BSC, and Ethereum.

Occurred: 2021-11-05
Loss: $55M
Status: closed

Summary #

bZx (bzx.network), a Lending / Margin Trading Protocol, suffered a phishing-driven private key compromise leading to a smart contract drain on 2021-11-05, resulting in a loss of approximately $55M.

What happened #

A single bZx developer opened a phishing email on their personal computer, had their seed phrase stolen by a malicious Word macro, and handed an attacker administrative control over two entire blockchain deployments — resulting in $55M lost across Polygon, BSC, and Ethereum.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the vulnerability was operational (single EOA admin key), not a code bug]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — compromised EOA had admin control over Polygon and BSC deployments; its use constituted an admin action]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — compromised EOA had admin control over Polygon and BSC deployments; its use constituted an admin action]