UNKNOWN

JULY 2021

GLOBAL

PERI FINANCE

DESCRIPTION OF EVENTS

"PERI Finance is a decentralized cross-chain synthetic issuance and derivative exchange protocol that provides unlimited liquidity on Polkadot network. It gives an opportunity to access a wide range of both traditional financial and crypto assets in the forms of leveraged and none-leveraged synthetic products. We empower you with lower GAS fee, speedy transaction, and ample security from front-running or flash loan."

 

"PERI Finance is a decentralized cross-chain synthetic issuance and derivative exchange protocol that provides unlimited liquidity on Polkadot network."

 

"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."

 

Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."
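
A simplified model of the quota flaw described above, added here as an illustration and not taken from ChainSwap's contract code. It compares a quota that refills automatically for any signer key with one that first checks the whitelist. The class and parameter names, the numbers and the time-based refill are assumptions.

```python
"""Model of a per-signer bridge quota that refills automatically over time.

Constructed illustration: names and numbers are assumptions, and the
time-based refill is one possible form of "automatically increased".
"""


class QuotaBook:
    """Tracks how much each signing node may still authorise for minting."""

    def __init__(self, whitelist, cap, refill_per_sec, enforce_whitelist):
        self.whitelist = set(whitelist)
        self.cap = cap                        # maximum quota per signer
        self.refill_per_sec = refill_per_sec  # automatic increase rate
        self.enforce_whitelist = enforce_whitelist
        self.remaining = {}  # signer -> quota left at last update
        self.updated = {}    # signer -> time of last update

    def quota(self, signer, now):
        # Hardened behaviour: an unlisted signer never has any quota.
        if self.enforce_whitelist and signer not in self.whitelist:
            return 0
        # Flawed behaviour when the check above is skipped: an unknown signer
        # has no record, so the refill runs from time 0 and yields the full cap.
        last = self.updated.get(signer, 0)
        left = self.remaining.get(signer, 0)
        return min(self.cap, left + (now - last) * self.refill_per_sec)

    def authorise_mint(self, signer, amount, now):
        """Return True and consume quota if the signer may authorise amount."""
        available = self.quota(signer, now)
        if amount <= 0 or amount > available:
            return False
        self.remaining[signer] = available - amount
        self.updated[signer] = now
        return True


def compare(now=1_700_000_000):
    """Run the same request from an unlisted signer against both variants."""
    flawed = QuotaBook({"node-a"}, 1000, 1, enforce_whitelist=False)
    fixed = QuotaBook({"node-a"}, 1000, 1, enforce_whitelist=True)
    return {
        "flawed_unlisted": flawed.authorise_mint("unlisted-key", 1000, now),
        "fixed_unlisted": fixed.authorise_mint("unlisted-key", 1000, now),
        "fixed_listed": fixed.authorise_mint("node-a", 400, now),
    }
```

In the flawed variant the unlisted key is granted the full cap on its first request, because the refill logic treats a missing record as a quota that has been refilling since time zero.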

 

"PERI Finance dev team noticed that hacker attacked ChainSwap’s contracts and stole the token of more than 10 projects, including PERI Finance. As of right now, PERI Finance Dev team decided to block the hacker’s contract address in order to prevent additional transfers."

 

"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."

 

"PERI Finance successfully blocked the hacker’s contract address and now you can transfer PERI on Ethereum Mainnet." "The Peri Finance project owner tweeted that due to the Chainwap breach, the team has withdrawn all liquidity from Uniswap and Pancakeswap, in order to prevent a hacker from selling his tokens and running out of liquidity."

 

"PERI Finance team immediately realized the hacking issue and the team working around the clock to ensure all our users and stakeholders not to involved in this incident. Our devoted team found that there was no damage done to any of our users and stakeholders. The team has rapidly requested the Ethereum network to block the hacker’s smart contract address in order to prevent the transaction that can cause the price drops."

 

"The attacker has stolen about 61,000 PERI from ChainSwap and sold 10,000 PERI on MEXC. PERI Finance bought the dumped PERI on MEXC which balanced out the market. The attacker still took control of nearly 51,000 $PERI on the Ethereum mainnet and tried to sell additional PERI on other CEX. However, our team urgently blocked the contract address and requested the Gateio and MEXC to close transfers to ensure additional damage. Those of 51,000 PERI are frozen and considered as burned in total supply circulations."

 

"Chainswap said it had already repurchased a small amount of the affected tokens from the market and returned the contract wallet. The rest will be paid out in full by the Chainswap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."

 

"The Peri Finance project owner tweeted that due to the Chainwap breach, the team has withdrawn all liquidity from Uniswap and Pancakeswap, in order to prevent a hacker from selling his tokens and running out of liquidity."

 

"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."

 

“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.

 

"ChainSwap is excited to announce that we have successfully integrated with Anyswap and Chainswap bridge is now live. We thank our community for its patience during the last few weeks."

 

"PERI Finance will not integrate with ChainSwap anymore and to prevent the hacking issues from the hackers, PERI Finance dev team decided to deploy its own bridge systems for all networks. This development is now our top priority and we will announce the date of deployment as soon as detailed roadmap comes out."

 

"[S]tolen token will be replaced it through our newly deployed BSC bridge."

 

"While we were discussing about staking rewards distributes in coming week, we need to thoroughly consider an issue that PERI BEP20 holders cannot participate in the staking service due to ChainSwap’s hacking issue. Currently BSC bridge is suspended and they have no way to transfer their PERI to polygon network which at this moment, PERI Finance’s staking dApp only supports the polygon network. As such, we will commence a 1:1 swap for all PERI BEP20 holders to our PERI Matic ERC20."

 

"Our team is dedicated to understanding the core vulnerability of this attack and still will continue to investigate with ChainSwap directly."

 

"The Staking dApp is still alive and it is securely checked. We have audited by CertiK and established Bug Bounty Programs for users to find any defect. We take these types of situations very seriously, and are actively working to address all the issues to make safe environment."

 

"PERI trading continued on all DEXs and CEXs. We also newly listed on XT.com to open more trading opportunities for the users."

PERI Finance is a derivatives protocol and liquidity provider. Their token used ChainSwap to exist on multiple blockchains, which required some funds to be stored in the smart contract hot wallet.

 

The ChainSwap bridge was hacked, and the attacker was able to obtain the tokens, some of which were sold. The platform froze the affected funds relatively quickly, preventing their further sale. PERI Finance plans to build their own bridge service to replace ChainSwap.

HOW COULD THIS HAVE BEEN PREVENTED?

Theoretically, decentralized finance will eventually result in hackers having exploited every vulnerability that exists. However, it's impossible to know when that will occur and if a contract is truly secure, as opposed to there still being an exploit that just hasn't been noticed yet. For any complex smart contract, it's impossible to prove security and plenty of fully audited contracts have been exploited.

 

In this situation, there was luckily not much taken, and it looks like it has been reimbursed. Platforms should, generally, be prepared for the full loss of all assets stored in hot wallets (including smart contracts). Assets that do not need to be accessed quickly should be stored securely in a simple offline multi-signature wallet.

 
