Within one week of November 2021, two major cryptocurrency thefts were pulled off with an estimated $200 million in losses for the decentralized platforms involved.
Crypto hacks have been occurring at a record-breaking pace in 2021, with the average value exceeding $90 million. A single hack in August this year almost cost Poly Network $600 million in losses before the hacker returned the funds in an effort to cover their tracks.
How was BXH exchange hacked?
Boy X Highspeed (BXH), a decentralized cross-chain exchange, first reported a theft via their Twitter account. According to CEO Neo Wang, the company suspects the attack was perpetrated by an employee. The hack is currently expected to exceed $139 million in various tokens.
Through either malicious means or an inside job, the thief likely used an administrator’s private key to access the exchange’s Binance Smart Chain address. Due to the attack occurring in China, where most of BXH’s technical staff operate, an inside job is the current running theory. However, it’s possible a hacker planted a virus on the BXH site that was clicked by an administrator, granting the thief access to a computer with private key privileges.
A case has been filed with China’s network security police, and a bounty of $1 million has been offered to any team that helps retrieve the funds. If the hacker is not found and/or funds are not returned, BXH has claimed it will accept full responsibility for the lost funds and provide a user repayment plan for those affected.
How the bZx exchange was phished
Seven days later on November 5th, another exchange, bZx, suffered a hack worth $55 million in assorted coins, also through a private key becoming compromised. bZx is a decentralized lending platform that was targeted three separate times in 2020, with the most recent one being the largest to date.
Similar to the BXH attack, a bZx private key was compromised, granting the hackers access to the protocol’s Binance Smart Chain, as well as their Polygon Chain.
Hackers were able to gain control of the private key by targeting one of bZx’s developers with a phishing attack, in which a malicious actor sends suspicious emails or messages to obtain private information such as passwords, mnemonic phrases, or private keys, and then uses it to steal digital assets anonymously.
When the developer opened the phishing email, a malicious macro entered the computer from an attached Word document and ran a script on the device, eventually revealing the administrator’s private keys as well as their personal mnemonic wallet phrase. Roughly 25% of the stolen funds were from the developer’s personal wallet, according to bZx.
Thanks to the network being governed through a DAO and secured by a multi-party contract, their Ethereum contracts were unaffected by the hack.
Are Binance Smart Chain hacks common?
An Ethereum clone, the Binance Smart Chain (BSC) is an easy choice for retail investors who wish to access a large variety of decentralized apps. While BSC transactions are faster and cheaper than the Ethereum network, hacks on the network, including Uranium Finance, Meerkat Finance, and the two hacks noted above, are becoming more and more common.
Low barriers to entry for protocols, as well as for investors who wish to enter the crypto space, create an easy target for hackers and scammers. Projects with tokenomics issues or security flaws can easily enter the blockchain and gather a large amount of capital from investors, only to find out too late that their security features were not enough to prevent experienced hackers from stealing their funds.
Could the BXH and bZx hacks have been prevented?
The two recent hacks have one thing in common: a single key that, in the wrong hands, caused millions of dollars to disappear. Wallets with a single key are often compromised because they have a single point of failure.
Multisignature wallets require two or more independent signatures from anonymous providers to make any transaction and could have prevented many administrative failures. However, multisig wallets also have their own flaws, as this article explains, when compared with the enterprise-focused multi-party computation (MPC) technology. Multi-sig and MPC are very similar, offering users added security by involving more than one party. However, MPC is undoubtedly the superior option, with advantages such as being protocol-agnostic, offering key refreshes and the ability to modify quorums without the need to create a new address.
How CYBAVO can help
Many security companies, including CYBAVO, offer solutions that let businesses maintain security while still meeting their business account requirements and performing streamlined blockchain transactions in a secure way.
CYBAVO VAULT is a secure, reliable storage and wallet management system that integrates features such as on-premises key storage, multi-factor authentication (MFA) for user security, and tailor-made, bottom-up security to prevent single points of failure for customers or administrators.
What makes CYBAVO’s security stand out
Quality security features are no longer a luxury in the crypto space. While it’s easy to assume that large companies and exchanges have top-notch security, even well-known names like Coinbase are not safe from hacks or sensitive information leaks.
Thanks to having an expert security team, boasting a combined 100+ years of cybersecurity experience, CYBAVO has become an industry leader in the use of MPC technology to protect its customers from potential threats.
What is MPC?
Multi-party computation (MPC) is a method of distributed computation across a variety of participants, with each party involved unaware of what information the others possess. When this cryptographic protocol is applied to your wallet’s private key, the key is never fully constructed in one place, making it nearly impossible for hackers to gain access to your cryptocurrencies.
MPC can be used to improve the security in every feature of virtual asset management for both institutions and retail investors. Even assets in cold storage benefit from MPC protection, as coins still need to be placed on an exchange to be sold, and any security system with a single point of failure is vulnerable to a breach. CYBAVO, a founding member of the MPC Alliance, has embraced MPC technology to fight security threats by eliminating single points of failure to protect your digital assets and information from nefarious actors.
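The two MPC properties described above, a key that is never assembled in one place and a key refresh that keeps the same address, can be seen in a small sketch. This is an added example, not CYBAVO's code or any vendor's protocol: it assumes secp256k1 with additive all-parties sharing, the function names are hypothetical, and the refresh is simulated in one process where a real deployment would run it between separate machines. It covers key setup and refresh only, not threshold signing.

```python
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime (public curve constant)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt=G):
    """Double-and-add; not constant time, for illustration only."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def new_shares(parties):
    """Each party draws its own share locally; no dealer ever holds the key."""
    return [secrets.randbelow(N - 1) + 1 for _ in range(parties)]

def refresh(shares):
    """Re-randomise every share with offsets that sum to zero mod N."""
    deltas = [secrets.randbelow(N) for _ in shares[:-1]]
    deltas.append(-sum(deltas) % N)
    return [(s + d) % N for s, d in zip(shares, deltas)]

def joint_public_key(shares):
    """Combine only the public points share_i*G, never the shares themselves."""
    pub = None
    for s in shares:
        pub = point_add(pub, scalar_mult(s))
    return pub
```

After `refresh`, the joint public key (and therefore the address) is unchanged, while a share stolen before the refresh no longer combines with the current shares of the other parties.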