EOS SX Vault Breach: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/eossxvaultbreach.php}} thumb|EOS SX VaultThe EOS SX Vault is one of the largest smart contracts on the EOS chain. A hacker was able to exploit this smart contract, and steal significant funds. The negotiation was to offer the attacker $100k to return the funds, which he refused. Rather than find a way to liquidate them and bring them off-chain, he split them into a lot of sma...")
 
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/eossxvaultbreach.php}}
{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/eossxvaultbreach.php}}
{{Unattributed Sources}}


[[File:Sxvault.jpg|thumb|EOS SX Vault]]The EOS SX Vault is one of the largest smart contracts on the EOS chain. A hacker was able to exploit this smart contract, and steal significant funds.
[[File:Sxvault.jpg|thumb|EOS SX Vault]]The EOS SX Vault is one of the largest smart contracts on the EOS chain. A hacker was able to exploit this smart contract, and steal significant funds.
Line 9: Line 10:
Compromised funds were ultimately distributed back to affected users.
Compromised funds were ultimately distributed back to affected users.


This is a global/international case not involving a specific country.
This is a global/international case not involving a specific country.<ref name="cmichel-984" /><ref name="eosgo-985" /><ref name="eosnation-986" /><ref name="bloks-987" /><ref name="eosnation-988" /><ref name="reddit-989" /><ref name="stableexgithub-990" /><ref name="stableexgithub-991" /><ref name="threader-992" /><ref name="coinfyi-993" /><ref name="crypto-994" /><ref name="eosnation-995" /><ref name="eosgo-996" /><ref name="slowmist-997" /><ref name="goeostwitter-998" /><ref name="openblocksecgithub-2342" /><ref name="slowmisthacked-3935" />


== About EOS SX Vault ==
== About EOS SX Vault ==
Line 59: Line 60:


Don't Include:
Don't Include:
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
* Anything that wasn't reasonably knowable at the time of the event.
Line 80: Line 80:
!Description
!Description
|-
|-
|May 14th, 2021 12:00:00 AM
|May 14th, 2021
|First Event
|Main Event
|This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|
|
|
|-
|-
|
|
Line 92: Line 88:
|
|
|}
|}
== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?


== Total Amount Lost ==
== Total Amount Lost ==
The total amount lost is unknown.
The total amount lost has been estimated at $13,432,000 USD.


How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Line 105: Line 104:


== Total Amount Recovered ==
== Total Amount Recovered ==
It is unknown how much was recovered.
There do not appear to have been any funds recovered in this case.


What funds were recovered? What funds were reimbursed for those affected users?
What funds were recovered? What funds were reimbursed for those affected users?
Line 111: Line 110:
== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
What parts of this case are still remaining to be concluded?
 
== General Prevention Policies ==
== Prevention Policies ==
In the end, it was a multi-signature agreement which returned the funds. This is similar to the recommendation to store funds in an offline multi-signature wallet.
In the end, it was a multi-signature agreement which returned the funds. This is similar to the recommendation to store funds in an offline multi-signature wallet.


Were the contract to simply have large fund withdrawals wait to be approved from an offline multi-signature wallet, this would act as a check to prevent large loss.
Were the contract to simply have large fund withdrawals wait to be approved from an offline multi-signature wallet, this would act as a check to prevent large loss.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
{{Prevention:Individuals:End}}
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
{{Prevention:Platforms:End}}
== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}
{{Prevention:Regulators:End}}


== References ==
== References ==
[https://cmichel.io/eos-vault-sx-hack/ EOS Vault SX Hack] (May 19)
<references><ref name="cmichel-984">[https://cmichel.io/eos-vault-sx-hack/ EOS Vault SX Hack] (May 20, 2021)</ref>


[https://www.eosgo.io/news/history-was-made-sx-vault-hacked-stolen-funds-seized History Was Made - SX Vault Hacked - Stolen Funds Seized] (May 25)
<ref name="eosgo-985">[https://www.eosgo.io/news/history-was-made-sx-vault-hacked-stolen-funds-seized History Was Made - SX Vault Hacked - Stolen Funds Seized] (May 26, 2021)</ref>


[https://eosnation.io/safe/ Vaults.sx funds are safe​ | EOS Nation | EOS Block Producer] (May 25)
<ref name="eosnation-986">[https://eosnation.io/safe/ Vaults.sx funds are safe​ | EOS Nation | EOS Block Producer] (May 26, 2021)</ref>


[https://www.bloks.io/account/vaults.sx Vaults.SX Homepage] (May 25)
<ref name="bloks-987">[https://www.bloks.io/account/vaults.sx Vaults.SX Homepage] (May 26, 2021)</ref>


[https://eosnation.io/retrospective/ Vaults.sx Retrospective | EOS Nation | EOS Block Producer] (May 25)
<ref name="eosnation-988">[https://eosnation.io/retrospective/ Vaults.sx Retrospective | EOS Nation | EOS Block Producer] (May 26, 2021)</ref>


[https://www.reddit.com/r/eos/comments/ne4tbd/my_apology/ my apology : eos] (May 25)
<ref name="reddit-989">[https://www.reddit.com/r/eos/comments/ne4tbd/my_apology/ my apology : eos] (May 26, 2021)</ref>


[https://github.com/stableex/sx.vaults GitHub - stableex/sx.vaults: SX Vaults] (May 26)
<ref name="stableexgithub-990">[https://github.com/stableex/sx.vaults GitHub - stableex/sx.vaults: SX Vaults] (May 27, 2021)</ref>


[https://github.com/stableex SX · GitHub] (May 26)
<ref name="stableexgithub-991">[https://github.com/stableex SX · GitHub] (May 27, 2021)</ref>


[https://threader.app/thread/1394317885779189763 <nowiki>A Thread from @themoneyteamgh: "Why the http://Vaults.sx hack is the most Bullish thing that’s ever happened to #EOS and crypto. [...]"</nowiki>] (May 26)
<ref name="threader-992">[https://threader.app/thread/1394317885779189763 <nowiki>A Thread from @themoneyteamgh: "Why the http://Vaults.sx hack is the most Bullish thing that’s ever happened to #EOS and crypto. [...]"</nowiki>] (May 27, 2021)</ref>


[https://coin.fyi/news/eos/461-796-8968-usdt-were-stolen-making-this-the-biggest-hack-on-eos-ncl48i 461,796.8969 USDT Were Stolen, Making This The Biggest Hack On EOS] (May 26)
<ref name="coinfyi-993">[https://coin.fyi/news/eos/461-796-8968-usdt-were-stolen-making-this-the-biggest-hack-on-eos-ncl48i 461,796.8969 USDT Were Stolen, Making This The Biggest Hack On EOS] (May 27, 2021)</ref>


[https://crypto.writer.io/p/eosx-hack EOSX Hack] (May 26)
<ref name="crypto-994">[https://crypto.writer.io/p/eosx-hack EOSX Hack] (May 27, 2021)</ref>


[https://eos.eosq.eosnation.io/tx/142da8cca280a0fca8828e531fa63fc332bd359850044abfa24a53f3bb88035f eosq: High-Precision Block Explorer] (May 26)
<ref name="eosnation-995">[https://eos.eosq.eosnation.io/tx/142da8cca280a0fca8828e531fa63fc332bd359850044abfa24a53f3bb88035f eosq: High-Precision Block Explorer] (May 27, 2021)</ref>


[https://www.eosgo.io/news/vaultsx-hack-lessnos-learned-and-thoughts VaultSX Hack Lessons Learned and Thoughts] (May 26)
<ref name="eosgo-996">[https://www.eosgo.io/news/vaultsx-hack-lessnos-learned-and-thoughts VaultSX Hack Lessons Learned and Thoughts] (May 27, 2021)</ref>


[https://www.slowmist.com/en/security-audit-certificate.html?id=fe2593e1000c35d64787c00392c63e858dcad1608bec8bf6a69822e75cf3ffe7 Smart Contract Security Audit Service Introduction, Exchange Security Solution - SlowMist - Focusing on Blockchain Ecosystem Security] (May 26)
<ref name="slowmist-997">[https://www.slowmist.com/en/security-audit-certificate.html?id=fe2593e1000c35d64787c00392c63e858dcad1608bec8bf6a69822e75cf3ffe7 Smart Contract Security Audit Service Introduction, Exchange Security Solution - SlowMist - Focusing on Blockchain Ecosystem Security] (May 27, 2021)</ref>


[https://twitter.com/go_eos/status/1394203732867526661 @go_eos Twitter] (May 26)
<ref name="goeostwitter-998">[https://twitter.com/go_eos/status/1394203732867526661 @go_eos Twitter] (May 27, 2021)</ref>


[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 10)
<ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref>


[https://hacked.slowmist.io/en/?c=EOS SlowMist Hacked - SlowMist Zone] (Nov 7)
<ref name="slowmisthacked-3935">[https://hacked.slowmist.io/en/?c=EOS SlowMist Hacked - SlowMist Zone] (Nov 8, 2021)</ref></references>

Latest revision as of 17:50, 2 May 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

EOS SX Vault

The EOS SX Vault is one of the largest smart contracts on the EOS chain. A hacker was able to exploit this smart contract, and steal significant funds.

The negotiation was to offer the attacker $100k to return the funds, which he refused. Rather than find a way to liquidate them and bring them off-chain, he split them into a lot of smaller accounts.

However, EOS as a chain contains a mechanism that allows funds to be seized by a community consensus. This was undertaken through a vote of the block producers, where they agreed to revert the damage, and take back the funds from the hacker to be distributed.

Compromised funds were ultimately distributed back to affected users.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About EOS SX Vault

"Vaults.sx is a yield aggregator where users can deposit EOS or USDT in return for interest-bearing SXEOS/SXUSDT tokens. The deposited tokens are then available in the flash.sx contract for flashloans and aggregate fees. Finally, SX tokens can be redeemed for a pro-rata share of the underlying funds + aggregated fees again."

"SX aims to build secure & reliable financial blockchain protocols for EOSIO blockchains." "SX Vaults follow interest yielding strategies that are designed to maximize the yield of the deposited asset and minimize risk."

"The vaults.sx and flash.sx smart contracts were open-source, MSIGed, and passed security audits, however the re-entry exploit was not identified."

"On May 14th, approximately 1.2M EOS and 462k USDT were stolen via a re-entry attack exploit from the smart contract of flash.sx, the flash loan service of SX Vault." "Approximately 1.2M EOS and 462,000 USDT was stolen in a re-entry attack exploit on the flash.sx flash loan smart contract that began on May 14 at 11:28 UTC."

"The vaults.sx contract on EOS mainnet has been exploited through a re-entrancy attack. 1,180,142.5653 EOS (~13M USD) and 461,796.8968 USDT were stolen making this the biggest hack on EOS."

"After a few hours, around 2:00 UTC, the Block Producers reached consensus, and through a Multi-Signature transaction they were able to change the owner and active permissions of all accounts created by the hacker in favor of the eosio.prods account."

"In this way they were able to regain control of all funds, which will soon be returned to depositors, without the need for a Hard Fork and creating a precedent to protect the intent of the smart contract also in favor of users."

"All of the funds are safe under control of eosio.prods and will be returned to depositors."

"Please let this letter serve as my resignation as CEO of EOS Nation effective immediately. I no longer feel as though I can do the best possible job for EOS Nation and the EOS public network and must resign my position." "Sincerely Yours, Yves La Rose"

On May 16 at "22:49 the thief publicly apologises and consents to nulling of keys." "Sorry for this incident, due to the lack of good communication, it caused unnecessary harm, I agree to bps to change my key , I ask for their forgiveness for those who have been hurt this time."

On May 17 at "10:32 executed 6/10 MSIG to remove the authority of the flash loan contract so that funds can be safely returned to flash.sx."

"To our knowledge, there has never been a prior circumstance in EOS where funds have been stolen due to an exploit of a smart contract that has been open-sourced, audited, and MSIGed. With the funds distributed across 246 accounts containing roughly 5000 EOS each, the funds were at risk of exiting the network via no-KYC exchanges at any moment."

"Failing to protect property rights in this instance could have had drastic consequences and result in a loss of faith in DeFi on EOS. As was the case with the Bitcoin rollback, the Ethereum DAO hack, and the HIVE fork, history has shown that the chain that protects property rights is the one that survives."

"With the consent of the account owner, we propose the block producers sign the MSIG to transfer all of the recovered funds back to the originating flash.sx account, under the authority of the current 6/10 custodians."

"Upon the retrieval of the funds, two historical snapshots will be published to easily identify SXEOS & SXUSDT token holders prior & after the event. Token holders with no change in their balance will be granted the posted value rate, token holders which have sold, withdrawn or moved their tokens will be reviewed on a case by case basis."

"Failing to protect property rights in this instance could have had drastic consequences and result in a loss of faith in DeFi on EOS. As was the case with the Bitcoin rollback, the Ethereum DAO hack, and the HIVE fork, history has shown that the chain that protects property rights is the one that survives."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - EOS SX Vault Breach
Date Event Description
May 14th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $13,432,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

In the end, it was a multi-signature agreement which returned the funds. This is similar to the recommendation to store funds in an offline multi-signature wallet.

Were the contract to simply have large fund withdrawals wait to be approved from an offline multi-signature wallet, this would act as a check to prevent large loss.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References