$98 000 USD

JULY 2021

GLOBAL

OROPOCKET

DESCRIPTION OF EVENTS

"Do not put all your eggs in one basket. Diversify your portfolio by investing in multiple assets on OroPocket." "OroPocket Gold & Silver are the first real world assets on Tezos chain. The high throughput and low fees, with strong on-chain governance enable us to adopt blockchain in an effective manner for micro-transactions, auditing and ownership." "Enjoy complete liquidity with OroPocket card. Spend your assets anytime, and anywhere all across the world. Shop online, offline or withdraw cash at the ATM."

 

"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."

 

Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."

 

"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."

 

"On Saturday (July 11, 2021), hackers took advantage of a vulnerability in the exchange’s smart contract code and stole the tokens of nearly a dozen projects, including Unifarm, Oropocket, Umbrella Network, Dafi, Razor, Antimatter and many others."

 

"Our contracts and tokens, except a few (1458053.939076000000008192 ORO and 18006434.862154000000012288 UFARM tokens on Ethereum chain), are unaffected and continue to be secure."

 

"Chainswap said it had already repurchased a small amount of the affected tokens from the market and returned the contract wallet. The rest will be paid out in full by the Chainswap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."

 

"A recent hack at Chainswap has led to a significant impact on several projects partnered with the platform to swap tokens between Ethereum and Binance Smart Chain. The hackers exploited a potential loophole in the platform’s smart contract protocol, stealing crypto-assets valued at over $8,000,000. This is the second security breach that Chainswap has fallen victim to within a month."

 

"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."

 

“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.

 

"Keeping our promise of reliability and steadfastness, we have burnt the compromised $ORO tokens in the hackers’ wallet."

 

"ChainSwap is excited to announce that we have successfully integrated with Anyswap and Chainswap bridge is now live. We thank our community for its patience during the last few weeks."

 

"To enhance the safety of crypto-assets and tokens, we have been working on our assets bridge to swap tokens between Ethereum and BSC, which will be extensively tested and audited to ensure a hassle-free experience. Once the bridge is launched, we will not be dependent on Chainswap for token swapping."

OroPocket is a service which enables tokens backed by real gold and silver. Their token used ChainSwap to exist on multiple blockchains, which required some funds to be stored in the smart contract hot wallet.

 

The ChainSwap bridge was hacked, and the attacker was able to obtain some tokens. The OroPocket project blocked the hacker from moving the funds, and ultimately launched a new contract for affected users to swap out for new tokens.

HOW COULD THIS HAVE BEEN PREVENTED?

Theoretically, decentralized finance will eventually result in hackers having exploited every vulnerability that exists. However, it's impossible to know when that will occur and if a contract is truly secure, as opposed to there still being an exploit that just hasn't been noticed yet. For any complex smart contract, it's impossible to prove security and plenty of fully audited contracts have been exploited.

 

In this situation, it looks like it will be ultimately reimbursed. Platforms should, generally, be prepared for the full loss of all assets stored in hot wallets (including smart contracts). Assets that do not need to be accessed quickly should be stored securely in a simple offline multi-signature wallet.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.