Class Action Alleges $55M bZx Crypto Hack Caused by ‘Simple Negligence’
Sarcuni et al. v. bZx DAO et al.
Filed: May 2, 2022 § 3:22-cv-00618
The entities behind the bZx cryptocurrency protocol face a class action that alleges a hack in which $55 million in assets was stolen stemmed from “simple negligence.”
bZx DAO, Kyle Kistner, Tom Bean, Hashed International LLC, Age Crypto LLC, Ooki DAO, Leveragebox LLC, bZeroX LLC
California
The entities behind the bZx cryptocurrency protocol face a proposed class action lawsuit that alleges a hack in which $55 million in assets was stolen stemmed from the “simple negligence” of one developer who fell prey to a phishing scheme.
The 23-page lawsuit alleges the following defendants are jointly responsible for “making good” to the 14 international plaintiffs, who allege they lost a combined total of $1.6 million alone in ETH, BZRX, OOKI and other tokens in the hack, and similarly situated bZx users whose accounts were allegedly drained during the November 5, 2021 incident:
- bZx DAO;
- Kyle Kistner;
- Tom Bean;
- Hashed International LLC;
- Age Crypto LLC;
- Ooki DAO;
- Leveragebox LLC; and
- bZeroX LLC.
According to the lawsuit, the plaintiffs deposited their crypto assets with the decentralized finance (DeFi) bZx protocol under the belief that they and other users would not need to worry about “getting hacked or [anyone] stealing [their] funds.” The suit says, however, that bZx, a decentralized autonomous organization (DAO), lacked “reasonable safeguards” to protect users’ assets.
Per the lawsuit, the hack, in which the U.S. dollar equivalent of $55 million was stolen, was not the result of “some complex scheme or unknown vulnerability in the code,” but rather bZx’s “simple negligence.” The case claims that by bZx’s own account, a developer fell for an email-based phishing scam that allowed hackers to access key passphrases, which then permitted them to drain users’ accounts.
The filing says that although the bZx protocol has acknowledged its responsibility for the hack, it has rolled out a “woefully inadequate” compensation plan whereby users could receive, according to the case, “IOUs with no real hope of repayment.” The suit contends that the inherent setup of the bZx protocol as a DAO means the defendants themselves are responsible for recouping the plaintiffs’ and other users’ alleged losses.
From the lawsuit:
“Since the protocol has failed to pay back what was taken as a result of the protocol’s negligence, all of these Defendants are jointly and severally responsible for making good to the Plaintiffs. That is because the bZx protocol purports to be a so-called DAO, or de-centralized autonomous organization, that lacks any legal formalities or recognition. There is another phrase in American law for that kind of arrangement: general partnership. That means each of the partners is jointly and severally liable to the Plaintiffs and must make good on the full amount of its debts.”
According to the lawsuit, cryptocurrency transactions are increasingly conducted through DeFi applications, which utilize emerging technology to remove third parties such as banking institutions from the transactions. Through DeFi protocols, such as bZx, users can engage in the lending or borrowing of cryptocurrencies without interacting with banks or other established, regulated intermediaries, the suit states.
DeFi protocols, the case continues, are almost always governed as DAOs, which have no formal corporate structure, explicit liability protection or distinction between management or general and limited partners. Instead, holders of specific tokens, including the BZRX token, have governance rights that allow them to suggest actions the DAO will take, according to the complaint.
The suit says that although bZx repeatedly touts its security features, in reality, a single password was sufficient for the hackers to access all of the client funds on two of the three blockchains on which the defendants’ “Fulcrum” margin lending and trading platform runs.
“The problem, as the company reported it, was that—despite the protocol’s promises to the contrary—the protocol’s implementation on two of the three blockchains on which it operated was insecure. That is, the protocol was designed to work on the Ethereum blockchain, the Polygon blockchain, and the Binance Smart Chain blockchain, but only its operations on the Ethereum blockchain were secure.”
According to the case, bZx previously suffered three hacks in 2020 with total losses of approximately $9 million, of which $8 million was apparently recovered.
The lawsuit looks to represent all persons who delivered cryptocurrency tokens to the bZx protocol and had any amount of funds stolen in the theft reported on November 5, 2021, except for those whose only cryptocurrency stolen was the BZRX token.