bZx (Ooki/bZx) Incident Report — November 5, 2021
What Happened
On November 5, 2021 at 8:45 AM EST, bZx's team notified Tidal Finance of a security incident involving compromised private keys. The attacker gained unauthorized access to private keys controlling deployments on Polygon and Binance Smart Chain through a phishing attack.
Technical Root Cause
Investigation finding:
> "After the initial analysis of the attack transactions, we suspect it's due to the compromised private key of the developer."
The incident resulted from a phishing attack that successfully obtained developer credentials.
Impact Scope
• Ethereum mainnet: No impact to bZx protocol
• Polygon & BSC: Private keys controlling deployments were compromised, $55M drained
• Protocol integrity: The bZx protocol itself was not hacked; the version running on Ethereum remained secure
Coverage Determination
Tidal Finance concluded the incident fell outside insurance coverage because "Phishing and private key security breaches are not payable claims" under the existing policy exclusions.
Key Clarifications
• The active $1,000,000 smart contract hack coverage remained unaffected
• The bZx team demonstrated transparency throughout the investigation process
• Security auditors Halborn and BlockSec provided rapid analysis within hours of notification