The latest update on the $130 million DeFi hack of the BXH protocol reveals that the exploit took place due to a modification of the network’s administrative privileges, which the attackers then used to transfer project assets. According to Chinese journalist Colin Wu, the BXH protocol irresponsibly consigned the authority of fund management to the attackers, which led to the most convenient hack in recent history. This has triggered the nickname “stupid kid” for the protocol in the Chinese community, since BXH shares its initials with “BenXiaoHai”, which translates to the trending nickname.
“According to the analysis of the blockchain security agency SlowMist Technology, the hacker deployed the attack contract 0x8877 at 13 o’clock on the 27th (UTC), then at 8 o’clock on the 29th (UTC) the BXH project management wallet address 0x5614 gave the attack contract 0x8877 administrative privileges via grantRole. At 3 o’clock on the 30th (UTC), the attacker transferred his managed assets from the BXH strategy pool fund library through the authority of the attack contract 0x8877,” Wu noted.
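An added detection sketch, not code from SlowMist, BXH or the article: it scans a stream of on-chain events for the pattern in the quoted timeline, a privileged role granted to a recently deployed contract, and measures how long defenders had before the grantee first moved funds. The event records, the `ADMIN` role label, the 7-day age threshold and the `0xAAAA` address are constructed assumptions; the `RoleGranted` fields follow OpenZeppelin's AccessControl event, which the article does not confirm BXH used.

```python
from datetime import datetime, timedelta

# Constructed events modelled on the quoted timeline. Year and month are
# placeholders (the article gives only day and hour). 0x8877 and 0x5614 are the
# truncated labels from the article; 0xAAAA is a made-up benign contract.
EVENTS = [
    {"time": datetime(2000, 1, 1, 9), "type": "ContractCreated", "address": "0xAAAA"},
    {"time": datetime(2000, 1, 27, 13), "type": "ContractCreated", "address": "0x8877"},
    {"time": datetime(2000, 1, 28, 10), "type": "RoleGranted", "role": "ADMIN",
     "account": "0xAAAA", "sender": "0x5614"},
    {"time": datetime(2000, 1, 29, 8), "type": "RoleGranted", "role": "ADMIN",
     "account": "0x8877", "sender": "0x5614"},
    {"time": datetime(2000, 1, 30, 3), "type": "Transfer", "operator": "0x8877"},
]

def flag_fresh_grants(events, privileged_roles=("ADMIN",), min_age=timedelta(days=7)):
    """Flag privileged role grants to contracts deployed less than min_age earlier."""
    created = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "ContractCreated":
            created[ev["address"]] = ev["time"]
        elif ev["type"] == "RoleGranted" and ev["role"] in privileged_roles:
            born = created.get(ev["account"])
            # Grantees with no recorded deployment (e.g. wallets) are not
            # covered by this rule and need a separate review.
            if born is not None and ev["time"] - born < min_age:
                alerts.append({"account": ev["account"], "sender": ev["sender"],
                               "granted": ev["time"], "age": ev["time"] - born})
    return alerts

def response_window(events, alert):
    """Time between a flagged grant and the grantee's first transfer, or None."""
    uses = [e["time"] for e in events
            if e["type"] == "Transfer" and e["operator"] == alert["account"]
            and e["time"] >= alert["granted"]]
    return min(uses) - alert["granted"] if uses else None

if __name__ == "__main__":
    for a in flag_fresh_grants(EVENTS):
        print(a["account"], "granted by", a["sender"], "at contract age", a["age"],
              "| first use after", response_window(EVENTS, a))
```

On the constructed timeline the rule fires only for the grant to 0x8877, and the gap between that grant and the first transfer is the period in which revoking the role would still have prevented the loss.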
Furthermore, market speculation has also raised the possibility of an insider job, given the recently revealed series of misconduct by the founder. The misconduct of BXH founder Wang Xiaobin during his initial days in the Internet industry includes “product delay without delivery, company bankruptcy, and restriction on consumption due to salary arrears”. However, in reference to the BXH hack, Wang Xiaobin has denied any relation to past events, arguing that the exploit comes down to merely one private key. Additionally, he has announced a $1 million bounty program, seeking white hats to help the protocol recover the stolen funds.
BXH hack history
CoinGape covered the BXH hack over the weekend, revealing the series of exploit events. Last Saturday, the official Twitter handle of the BXH protocol alerted its users about the attack. They further noted that the attack was limited to BSC, and that assets on Ethereum, OEC, and HECO remained secure. Along with releasing the hacker addresses so that centralized exchanges and DEX platforms could freeze these accounts, the DeFi protocol also appealed to the attackers to return the funds and offered a bounty as well.