bZx / Fulcrum Phishing Attack Update

Fulcrum Hack
Share on twitter
Share on facebook
Share on linkedin

The bZx / Fulcrum team has hired crypto lawyer Jason Gottlieb as it continues its pursuit of lost funds – and has begun voting on its proposed compensation plan

DeFi protocols have borne the brunt of several recent attacks and security breaches, causing investor losses running into the millions. 

The bZx Phishing Attack

On November 5th, bZx confirmed in a statement to users that it had suffered a security breach – becoming just the latest victim of concerted attacks by hackers on DeFi networks.

The protocol’s statement indicated that the attack was not a full-blown protocol hack but rather, “it was a phishing attack on a bZx dev.” Losses amount to around $55 million in user funds.

It is not the first time the bZx network, which operates the Fulcrum and Torque lending and borrowing platforms, has been hit – having been previously successfully attacked in 2020.

According to preliminary reports, the phishing attack was carried out against a bZx developer and resulted in the hacker obtaining the dev’s private keys and gaining access to the private keys of the BSC and Polygon deployment of the bZx Protocol which the attacker then used to drain the funds. 

The post-mortem revealed that the phishing attack was carried out through an email containing a malicious macro that rendered the keys vulnerable. The report further revealed that the attack was carried out simultaneously on both chains and the minute time difference indicates that automotive processes were utilized by the hacker.

“After gaining control of BSC and Polygon protocol, the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval,” read the report.

The inquest noted that the reason for the hacker’s success was because “the BSC and Polygon implementation administrative private keys have not yet been transferred to the DAO yet.”

The absence of the DAO’s protection rendered it vulnerable but the protocol states that the treasury on Ethereum DAO was secure because it was fully decentralized. The stolen funds from Polygon and BSC now exceed $55 million according to the updated post-mortem report with the bulk of the pilfered funds being converted to ETH.

Prominent Crypto Lawyer Jason Gottlieb Joins The Response


Specialist crypto attorney Jason Gottlieb has announced he is assisting bZx in its pursuit of the stolen funds and says law enforcement is taking the theft seriously.  Gottlieb says anyone who has suffered losses and wishes to can file an FBI Internet Crime Complaint at IC3.gov – being sure to use the letters ‘BZX’ in their filing to assist law enforcement in collating the reports.

bzx Jason Gottlieb
Crypto Attorney Jason Gottlieb

As the chair of New York law firm Morrison Cohen’s White Collar and Regulatory Enforcement Practice Group, Gottlieb is a  leading cryptocurrency litigation and enforcement attorney. He is the driving force and principal author of Morrison Cohen’s famed Cryptocurrency Litigation and Regulation Tracker which has been the go-to resource for major developments in the crypto legal and litigation world since its launch in 2018. 

Tracking bZx’s stolen funds

Since the attack, users of the protocol have voiced their displeasure on Twitter and protocol forums. Apart from seeking reimbursements, some users have threatened to pull the rest of their investments from the protocol because of the recurrence of security breaches.

bzx hack tweets
bZx users take to Twitter

The attackers have not been 100% successful in their efforts. The post-mortem reveals that Tether has agreed to freeze the stolen USDT and that the stablecoin issuer is working to return the funds. Binance followed suit and froze the BZRX that was stolen from the network. 

Within minutes of the discovery of the breach, bZy halted deposits from users by deactivating its user interface and reached out to Kucoin in an attempt to unveil the identity of the hackers.

An independent investigation was carried out to complement local efforts and so far, the investigating firm believes it might have unraveled the group behind the attack and  will release that information upon completion of its investigations.

Details of the hacker’s IP addresses have been revealed and investigating bodies are already corresponding with the ISPs. Their search goes on to unearth a link in one of the hacker’s wallets with Bondly Finance and is collaborating with them to solve the breach. A connection with Fixed Float was also revealed in the course of the investigation and from all indications, Fixed Float’s team is cooperating with the inquest.

 In a November 20th update, bZx says it has “identified a number of links to major exchanges” and other projects which the hacker has interacted with and stolen funds from. The company says a considerable portion of the stolen assets have been converted into ETH and transmitted through Tornado Cash.

bZx Phishing Compensation Package

The protocol has now released details of its proposed compensation package which is currently being voted on. Voting ends on November 22nd – currently 100% of votes are in favor of adopting the solution. In short the package has three main components.

  • All those who lost BZRX in the attack (except for the development team) be compensated in full directly from the bZx DAO with BZRX.

  • The development team’s personal losses of BZRX will also be compensated in full, but they will be paid in vBZRX (not BZRX) which will vest slowly until July 2024.

  • All other losses resulting from the attack (in all other tokens) will be compensated by issuing a debt token at a 25% premium to be repaid over time by the protocol from 20% of protocol revenue and fees.

Going forward it appears the project will be rebranding on November 28th. The rebrand will include a total name change and a relaunch after the compensation scheme has been concluded. It was also disclosed that the protocol will be relaunched on BSC and Polygon.

BZX is a DeFi protocol for margin trading, lending, and borrowing and prides itself as a community-run project. The BZRX token is the governance token and currently trades at $0.2973. Presently, the protocol supports Ethereum, Polygon, and Binance Smart Chains and has insurance coverage with Tidal Insurance against hacks. Its smart contracts have been audited by PeckShield, ZK Labs, and CertiK.