$27 000 000 USD

NOVEMBER 2020

GLOBAL

AXION STAKING

DESCRIPTION OF EVENTS

"Axion marketed itself as an investment vehicle through which users could stake currency for a set period of time in exchange for high-yield returns. The “time-lock” nature of the investment meant users would be unable to access funds while staking." "Axion represents a new breed of cryptocurrency. It’s not a utility token or an attempt at replacing fiat currencies. It’s an investment vehicle that’s aimed at one of the biggest untapped markets left in the crypto-world: mainstream income investors." "It aims to lure both crypto-investing veterans and traditional investors with a stable and reliable return rate that’s unheard of in all but the riskiest markets. It’s because Axion isn’t just a cryptocurrency. It’s a time-locked investment system that’s purpose-built to generate a stable inflationary curve and to fight volatility to protect investors’ principal and deliver a high ROI."

"Axion is an ethical, community-driven cryptocurrency that rewards long-term investing with high-yield interest rates and weekly dividends." "Axion is a new cryptocurrency that’s aimed at investors who would like a crypto-powered investment vehicle that offers stable returns with less risk of precipitous losses. Axion does this by basing its prices on inflation – at an astounding 8% yearly inflation distributed to staked amounts, and by flipping the traditional cryptocurrency model on its head. That’s because it operates by paying rewards to holders of the currency that agree not to sell it for a defined period, rather than paying rewards to miners as traditional cryptocurrencies do."

"Rock’n’Block insisted on all sorts of third-party audits. As a result, two thorough code reviews were conducted by established security companies, Hacken and Certik, who detected no critical errors that could have affected the project. Besides, the source code of Axion contracts was open access because the project is open source."

"On the 2nd of November 2020 at approximately 11:00 AM +UTC a hacker managed to mint around ~80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract." "[O]ver 80 billion AXN tokens were unexpectedly minted and sold, netting the attacker more than 1,300 ETH worth over $500,000 at the time of writing." "The price of AXN immediately collapsed 100% from $0.00034079 to $0, according to CoinGecko."

"The Axion team stated that this was due to an exploit in the code, which was allegedly audited by five separate auditors before the project’s mainnet, according to the Axion website." "Despite claims that five different auditors cleared the code, an alleged exploit just sunk the price by 100%." "CertiK, a blockchain auditing outfit, has commented on yesterday’s Axion hack, revealing that the attacker exploited the project’s third-party dependencies. The auditors added that someone within the project likely carried out the attack."

"Actors involved in the Axion project injected malicious code prior to Axion’s deployment by altering its OpenZeppelin dependencies. The injected code allowed the attacker to freely mint 80 billion AXN tokens."

"To prepare for the attack, the hacker circulated 2.1 ETH on Tornado.cash for privacy. The attacker also purchased 700,000 HEX2T tokens as part of a “smokescreen,” CertiK says."

"Though the attack was sizable in terms of its dollar value, it is notable primarily because the hacker followed an unusual line of attack. It remains to be seen if hackers can imitate this line attack and carry it out against other blockchain projects."

"As you may have heard, RocknBlock was the development team hired by The Axion Foundation to build and deploy our new currency. Axion had three technical audits and two economic audits. The Axion Foundation, development team, and audit firms confirmed the code security and felt confident in the launch."

"At the moment, it is obvious that one of the engineers consciously substituted the code (which was tested and audited) for his own code containing the vulnerability. A few hours after the deployments, the suspect verified the code on etherscan, thus proving malicious intent - only with source code with a vulnerability can the contract be verified." "Then he took advantage of the vulnerability and withdrew the funds."

"For the mainnet launch, RocknBlock gave the deployment permission to one of their subcontractors. The Axion Foundation was not aware of this. This subcontractor, named Ilya Maximovich Solovyanov, injected malicious code into the clean and audited code. He then used an exploit to mint and sell 76 Billion tokens, thus draining the Axion uniswap liquidity pool."

"While this event has put a major speed bump on our path, Axion will relaunch stronger and more resilient than ever. Everyone involved will be treated fairly. Everyone involved will be fairly compensated to the best of our abilities." "This was not a scam by Axion Foundation, and it was likely not one by RocknBlock, either. This was a single bad actor named Ilya Maximovich Solovyanov." "The RnB company has been working with him since February 2020. At the moment he is refusing to cooperate and has deleted his messages and social profiles." "The team is working closely with the local law enforcement to recover the funds this hacker and his group have already stolen."

"We will relaunch Axion and everyone who was holding or staking AXN/HEX2T will be able to claim at a 1:1 ratio." "We plan to relaunch as soon as feasibly possible and contact publications to share the full story. The audited code is sound. We simply need to figure out the best course to compensate those who staked, and build the pre-incident snapshot. This should not take long. We will have estimated timelines within the next 24 hours. If building it will take too long, we will do a manual process." "Everyone will be compensated as fairly and fully as possible. We’re still here and more resilient than ever. One man can not take us down, this community is strong. We will persist and grow stronger than ever."

One developer modified the software, and later used an exploit they had introduced to remove funds.

The exploit was not caught despite multiple auditors reviewing the code. The developer was dumb enough to exploit it immediately and had no concrete escape plan.
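As an added example that is not part of the original page or of the Axion or Rock'n'Block code bases: the quotes above describe audited code being replaced before deployment, including altered OpenZeppelin dependencies, by someone who held deployment permission. One control that turns that substitution into a hard failure is a release gate that records the hash of every source file the auditors signed off on (project contracts and vendored dependencies alike) and refuses to deploy a tree that differs. The Python below implements such a gate; the file names, contents and directory layout are constructed placeholders, not the real Axion or OpenZeppelin sources.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that make up the audited build; extend for the project's layout.
SOURCE_SUFFIXES = (".sol",)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every source file under root (project code and vendored
    dependencies alike), keyed by the path relative to root."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix in SOURCE_SUFFIXES
    }


def verify_tree(root: Path, audited: dict) -> dict:
    """Compare the tree about to be deployed with the manifest the auditors
    signed off on. Any entry in the three lists must block the release."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in audited if k in current and current[k] != audited[k]),
        "missing": sorted(k for k in audited if k not in current),
        "unexpected": sorted(k for k in current if k not in audited),
    }


def release_allowed(report: dict) -> bool:
    """True only when the tree is byte-for-byte the audited one."""
    return not any(report.values())


# Constructed sample tree. Names and contents are placeholders for this
# example, not the real Axion or OpenZeppelin sources.
CLEAN_TREE = {
    "contracts/Staking.sol": "// staking contract (constructed placeholder)\n",
    "contracts/Token.sol": "// token contract (constructed placeholder)\n",
    "vendor/openzeppelin/ERC20.sol": "// vendored ERC20 (constructed placeholder)\n",
}


def write_tree(root: Path, files: dict) -> None:
    """Materialise the constructed tree on disk."""
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo() -> tuple:
    """Run the gate once against the audited tree and once after the kind of
    tampering described above; returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, CLEAN_TREE)
        audited = build_manifest(root)  # recorded at audit sign-off time
        clean_report = verify_tree(root, audited)

        # A vendored dependency is quietly edited after the audit and an
        # extra contract that no auditor saw appears in the tree.
        (root / "vendor/openzeppelin/ERC20.sol").write_text("// edited after audit\n")
        (root / "contracts/Extra.sol").write_text("// never audited\n")
        tampered_report = verify_tree(root, audited)
    return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("audited tree, release allowed:", release_allowed(clean))
    print("tampered tree, release allowed:", release_allowed(tampered))
    for kind, files in tampered.items():
        print(f"  {kind}: {files}")
```

The manifest has to be produced and stored by someone other than the deployer (committed by the audit firm, or held in CI under separate credentials), and the gate has to run in the pipeline rather than on the deployer's machine; otherwise the person with deployment permission can regenerate the manifest along with the substituted code, which is exactly the trust gap the quotes above describe. The same comparison is useful after the fact: the source verified on Etherscan should hash to the audited manifest, and a mismatch there is worth alerting on before the first transaction, not after the liquidity pool is drained.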

HOW COULD THIS HAVE BEEN PREVENTED?

This is another example of how difficult it is to detect problems in a smart contract, even one that has been reviewed by several auditors.

Decentralized finance is a brand-new area, and smart contracts are effectively hot wallets: their security is not guaranteed in any way, even when they have been audited.

Funds should instead be stored in a multi-signature wallet with offline storage.

 
