$530 000 USD

JULY 2021

GLOBAL

RAI FINANCE

DESCRIPTION OF EVENTS

"RAI Finance aims to become the epicenter of Web3.0 world. Based on Polkadot technology and ecosystem, RAI Finance is going to create a new decentralized finance (DeFi) service, realizing a polymerized connection of multiple areas like creation of blockchain assets, cross-chain trading and social function." "The fastest way to swap-and-go your multi-chain assets."

 

"RAI Finance supports the issuance and trading of tokenized securities, NFTs, and various decentralized assets. It is a project that aims to secure cross-chain compatibility, high scalability, and low fees through integration into the Polkadot network. RAI Finance’s main partners include League of Traders, Wizpace, the founders of DEXEOS, and STP Network, a smart contract asset tokenization platform. RAI Finance is receiving worldwide attention recently by attracting successive strategic investments from VCs such as Alphabit and NGC."

 

"We are pleased to announce the recent achievement of RAI Finance’s remarkable milestone, and we will keep expanding our ecosystem to support more future applications. Firstly, RAI Finance’s v0 product will be released online soon. Secondly, RAI tokens have been launched on the Binance Smart Chain. Initially, the v0 product will be running on the BSC." Use "the Chainswap cross-chain bridge to swap RAI token between Ethereum Network and Binance Smart Chain."

 

"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."

 

Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."
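The flaw described above can be reduced to a missing authorization check before an automatic quota refill. The following is an added, simplified model, not ChainSwap's contract code; the class, the function names, and the cap and period values are assumptions made for illustration. It shows the flawed behaviour beside the corrected one, and doubles as a regression check that unlisted signers are rejected.

```python
from dataclasses import dataclass, field

AUTO_QUOTA_CAP = 1_000     # assumed per-signer ceiling, in token units
AUTO_QUOTA_PERIOD = 3600   # assumed seconds for a full automatic refill


@dataclass
class Bridge:
    whitelist: set            # approved signature-node addresses
    enforce_whitelist: bool   # False models the flaw, True the fix
    quota: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)
    minted: int = 0

    def _refill(self, signer, now):
        """Raise the signer's quota automatically with elapsed time, up to the cap."""
        # A signer never seen before is treated as having waited a full period.
        elapsed = now - self.last_seen.get(signer, now - AUTO_QUOTA_PERIOD)
        grown = self.quota.get(signer, 0) + AUTO_QUOTA_CAP * elapsed // AUTO_QUOTA_PERIOD
        self.quota[signer] = min(AUTO_QUOTA_CAP, grown)
        self.last_seen[signer] = now

    def receive(self, signer, amount, now):
        """Mint `amount` on the destination chain against `signer`'s quota."""
        # Signature checking is left out of the model: a signature can be
        # valid for its own address while that address is still unauthorized.
        if self.enforce_whitelist and signer not in self.whitelist:
            raise PermissionError("signer is not a whitelisted signature node")
        self._refill(signer, now)   # in the flawed form this runs for any address
        if amount > self.quota[signer]:
            raise ValueError("amount exceeds signer quota")
        self.quota[signer] -= amount
        self.minted += amount
        return self.minted


def unlisted_signers_accepted(bridge, count, amount, now=0):
    """Regression check: how many mints signed by unlisted addresses succeed."""
    accepted = 0
    for i in range(count):
        try:
            bridge.receive(f"unlisted-{i}", amount, now)   # constructed addresses
            accepted += 1
        except PermissionError:
            pass
    return accepted
```

With the check disabled, every unlisted address receives its own full quota, so the per-signer cap no longer bounds the total that can be minted; with the check enabled, only whitelisted nodes draw on a quota and the cap holds.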

 

"It was confirmed that @chain_swap is under a huge attack. 707133 $RAI have been exploited and deposited to the hacker’s Huobi wallet." "On July 10th, our team acknowledged that 707,133 RAI are exploited from the Chainswap wallet and deposited to Hacker’s Huobi Global Wallet. Due to the late-night hour in the Chainswap team’s time zone, the exchange team could not react to this attack."

 

"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."

 

"Please bear with the temporary fluctuation of RAI price on the trading platform, we are in constant contact with the Chainswap team and monitoring the situation," the project's owner tweeted. "Please endure the volatility of RAI token price within a short period of time on listed exchanges. We advise the community not to panic because the amount is not huge compared to RAI Finance's current market cap. We will constantly monitor this issue and try to maintain the token price." "We are constantly in touch with #Chainswap team and monitoring the situation."

 

"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."

 

“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.

 

"ChainSwap is excited to announce that we have successfully integrated with Anyswap and Chainswap bridge is now live. We thank our community for its patience during the last few weeks."

 

Rai Finance reports they are "seriously taking this issue and will do [their] best to protect the interest of [their] community. Since this has been the second attack on Chainswap, and this is also a smart contract security issue of Chainswap, [they] will replace the cross-chain bridge partner."

Rai Finance is a service for issuing and trading tokenized securities, NFTs, and various decentralized assets. Their token used ChainSwap to exist on multiple blockchains, which required some funds to be stored in the smart contract hot wallet.

 

The ChainSwap bridge was hacked, and the attacker was able to obtain the tokens, which were sold right away on Huobi. Rai Finance has now stopped using ChainSwap and will develop their own bridge.

HOW COULD THIS HAVE BEEN PREVENTED?

In theory, hackers will eventually exploit every vulnerability that exists in decentralized finance. However, it's impossible to know when that will happen, or whether a given contract is truly secure rather than carrying an exploit that simply hasn't been noticed yet. For any complex smart contract, it's impossible to prove security, and plenty of fully audited contracts have been exploited.

 

In this situation, luckily, not much was taken. Platforms should, generally, be prepared for the full loss of all assets stored in hot wallets (including smart contracts). Assets that do not need to be accessed quickly should be stored securely in a simple offline multi-signature wallet.

 

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.