Zerogoki Price Oracle Compromised: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/zerogokipriceoraclecompromised.php}} thumb|ZerogokiThe Zerogoki project is an experimental leveraged token trading platform. An attacker was able to somehow craft a compromised price oracle, which according to analysis shows that it was signed by valid keys. It is unclear how the attacker was able to sign a valid transaction. The most likely scenario would be that all keys we...")
 
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/zerogokipriceoraclecompromised.php}}
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/zerogokipriceoraclecompromised.php}}
{{Unattributed Sources}}


[[File:Zerogoki.jpg|thumb|Zerogoki]]The Zerogoki project is an experimental leveraged token trading platform. An attacker was able to somehow craft a compromised price oracle, which according to analysis shows that it was signed by valid keys. It is unclear how the attacker was able to sign a valid transaction. The most likely scenario would be that all keys were stored in a central place.
[[File:Zerogoki.jpg|thumb|Zerogoki]]The Zerogoki project is an experimental leveraged token trading platform. An attacker was able to somehow craft a compromised price oracle, which according to analysis shows that it was signed by valid keys. It is unclear how the attacker was able to sign a valid transaction. The most likely scenario would be that all keys were stored in a central place.
Line 5: Line 6:
The team tried to reach out to the attacker, however there does not appear to have been any response. There were no losses of any assets - only a drop in price due to the minting of additional tokens. This was corrected by the team through a series of token buy-backs.
The team tried to reach out to the attacker, however there does not appear to have been any response. There were no losses of any assets - only a drop in price due to the minting of additional tokens. This was corrected by the team through a series of token buy-backs.


This is a global/international case not involving a specific country.
This is a global/international case not involving a specific country.<ref name="openblocksecgithub-2342" /><ref name="zerogoki-3461" /><ref name="notion-3462" /><ref name="blocksecteammedium-3463" /><ref name="unknown-3464" /><ref name="etherscan-3465" /><ref name="etherscan-3466" /><ref name="etherscan-3467" /><ref name="etherscan-3468" /><ref name="etherscan-3469" /><ref name="zerogokimedium-3470" /><ref name="sinjicarusmedium-3471" /><ref name="0zerogokitwitter-3472" /><ref name="etherscan-3473" /><ref name="youtube-3474" /><ref name="0zerogokitwitter-3475" /><ref name="bachonchaintwitter-3476" /><ref name="bachonchaintwitter-3477" /><ref name="bachonchaintwitter-3478" /><ref name="0zerogokitwitter-3479" /><ref name="zerogokimedium-3480" /><ref name="bachonchaintwitter-3481" /><ref name="bachonchaintwitter-3482" /><ref name="0zerogokitwitter-3483" /><ref name="bachonchaintwitter-3484" /><ref name="0zerogokitwitter-3485" /><ref name="0zerogokitwitter-3486" /><ref name="bachonchaintwitter-3487" /><ref name="bachonchaintwitter-3488" /><ref name="bachonchaintwitter-3489" /><ref name="bachonchaintwitter-3490" /><ref name="bachonchaintwitter-3491" /><ref name="0zerogokitwitter-3492" /><ref name="zerogokimedium-3493" /><ref name="bachonchaintwitter-3494" /><ref name="bachonchaintwitter-3495" /><ref name="bachonchaintwitter-3496" />


== About Zerogoki ==
== About Zerogoki ==
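Review bot: All 37 <ref name="..." /> tags are appended to the one sentence "This is a global/international case not involving a specific country.", so no individual claim in the description above can be traced to its source. Move each reference next to the statement it supports (for example the blocksecteammedium-3463 analysis beside the sentence about the oracle being signed by valid keys), which is also what the newly added {{Unattributed Sources}} template asks for.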
Line 103: Line 104:
!Description
!Description
|-
|-
|August 8th, 2021 12:00:00 AM
|August 8th, 2021
|Main Event
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
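Review bot: In the timeline row the Description cell still holds the template text "Expand this into a brief description of what happened and the impact." while only the date cell changes from "August 8th, 2021 12:00:00 AM" to "August 8th, 2021". Replace the placeholder with the actual event and its impact, or leave the row out until there is one.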
Line 111: Line 112:
|
|
|}
|}
== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?


== Total Amount Lost ==
== Total Amount Lost ==
Line 130: Line 134:
== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
{{Prevention:Individuals:End}}
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
{{Prevention:Platforms:End}}
== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}


== Prevention Policies ==
{{Prevention:Regulators:End}}
Which policies could have prevented this event from happening?


== References ==
== References ==
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 10)
<references><ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref>


[https://zerogoki.org/ Zerogoki] (Sep 14)
<ref name="zerogoki-3461">[https://zerogoki.org/ Zerogoki] (Sep 15, 2021)</ref>


[https://www.notion.so/Zerogoki-Algorithm-Pegged-Leveraged-Token-Minting-and-Trading-Protocol-4ffc7f30adbe45e9a5907df3f8c6b793 Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Sep 25)
<ref name="notion-3462">[https://www.notion.so/Zerogoki-Algorithm-Pegged-Leveraged-Token-Minting-and-Trading-Protocol-4ffc7f30adbe45e9a5907df3f8c6b793 Notion – The all-in-one workspace for your notes, tasks, wikis, and databases.] (Sep 26, 2021)</ref>


[https://blocksecteam.medium.com/the-analysis-of-the-zerogoki-attack-da4e0807b184 The Analysis Of The Zerogoki Attack] (Sep 25)
<ref name="blocksecteammedium-3463">[https://blocksecteam.medium.com/the-analysis-of-the-zerogoki-attack-da4e0807b184 The Analysis Of The Zerogoki Attack] (Sep 26, 2021)</ref>


[https://certik-public-assets.s3.amazonaws.com/REP-Duet_Zerogoki-2021-08-20.pdf https://certik-public-assets.s3.amazonaws.com/REP-Duet_Zerogoki-2021-08-20.pdf] (Sep 25)
<ref name="unknown-3464">[https://certik-public-assets.s3.amazonaws.com/REP-Duet_Zerogoki-2021-08-20.pdf CertiK Security Assessment Duet/Zerogoki] (Sep 26, 2021)</ref>


[https://etherscan.io/address/0x80ecdb90a1231cb1964546860b22238664035757 God | 0x80ecdb90a1231cb1964546860b22238664035757] (Sep 25)
<ref name="etherscan-3465">[https://etherscan.io/address/0x80ecdb90a1231cb1964546860b22238664035757 God | 0x80ecdb90a1231cb1964546860b22238664035757] (Sep 26, 2021)</ref>


[https://etherscan.io/address/0x0d93A21b4A971dF713CfC057e43F5D230E76261C Address 0x0d93A21b4A971dF713CfC057e43F5D230E76261C | Etherscan] (Sep 25)
<ref name="etherscan-3466">[https://etherscan.io/address/0x0d93A21b4A971dF713CfC057e43F5D230E76261C Address 0x0d93A21b4A971dF713CfC057e43F5D230E76261C | Etherscan] (Sep 26, 2021)</ref>


[https://etherscan.io/address/0x3054e19707447800f0666ba274a249fc9a67aa4a Address 0x3054e19707447800f0666ba274a249fc9a67aa4a | Etherscan] (Sep 25)
<ref name="etherscan-3467">[https://etherscan.io/address/0x3054e19707447800f0666ba274a249fc9a67aa4a Address 0x3054e19707447800f0666ba274a249fc9a67aa4a | Etherscan] (Sep 26, 2021)</ref>


[https://etherscan.io/address/0x4448993f493b1d8d9ed51f22f1d30b9b4377dfd2 Address 0x4448993f493b1d8d9ed51f22f1d30b9b4377dfd2 | Etherscan] (Sep 25)
<ref name="etherscan-3468">[https://etherscan.io/address/0x4448993f493b1d8d9ed51f22f1d30b9b4377dfd2 Address 0x4448993f493b1d8d9ed51f22f1d30b9b4377dfd2 | Etherscan] (Sep 26, 2021)</ref>


[https://etherscan.io/tx/0x81e5f7158b7ef59f45864e34375bd52bb8227f51ef970fe07ec2abf1d421acf8 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Sep 25)
<ref name="etherscan-3469">[https://etherscan.io/tx/0x81e5f7158b7ef59f45864e34375bd52bb8227f51ef970fe07ec2abf1d421acf8 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Sep 26, 2021)</ref>


[https://zerogoki.medium.com/zerogoki-global-youtubevideo-contest-6fb15d1a150d Zerogoki Global Youtubevideo Contest] (Sep 25)
<ref name="zerogokimedium-3470">[https://zerogoki.medium.com/zerogoki-global-youtubevideo-contest-6fb15d1a150d Zerogoki Global Youtubevideo Contest] (Sep 26, 2021)</ref>


[https://medium.com/@sinjicarus/why-i-like-zerogoki-protocol-9223889fde32 https://medium.com/@sinjicarus/why-i-like-zerogoki-protocol-9223889fde32] (Sep 25)
<ref name="sinjicarusmedium-3471">[https://medium.com/@sinjicarus/why-i-like-zerogoki-protocol-9223889fde32 Why i Like Zerogoki Protocol. I didn’t ask to get into DeFi. Most of… | by Sinjicarus | Medium] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1433322447256711176 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3472">[https://twitter.com/0Zerogoki/status/1433322447256711176 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://etherscan.io/tx/0xe98f92fef4f4d37419f2e11f5477975f94b22f73798848c4cd369ee8aac0b94b Ethereum Transaction Hash (Txhash) Details | Etherscan] (Sep 25)
<ref name="etherscan-3473">[https://etherscan.io/tx/0xe98f92fef4f4d37419f2e11f5477975f94b22f73798848c4cd369ee8aac0b94b Ethereum Transaction Hash (Txhash) Details | Etherscan] (Sep 26, 2021)</ref>


[https://www.youtube.com/watch?v=dvgFQnp4Swk Welcome to Zerogoki - YouTube] (Sep 25)
<ref name="youtube-3474">[https://www.youtube.com/watch?v=dvgFQnp4Swk Welcome to Zerogoki - YouTube] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1431225132719099904 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3475">[https://twitter.com/0Zerogoki/status/1431225132719099904 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1427468704535646214 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3476">[https://twitter.com/bachonchain/status/1427468704535646214 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1427515296462426112 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3477">[https://twitter.com/bachonchain/status/1427515296462426112 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1426848707526348800 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3478">[https://twitter.com/bachonchain/status/1426848707526348800 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1426424568185556993 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3479">[https://twitter.com/0Zerogoki/status/1426424568185556993 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://zerogoki.medium.com/zerogoki-progress-and-future-roadmap-including-duet-launch-updates-69a48f6ad828 Zerogoki Progress And Future Roadmap Including Duet Launch Updates] (Sep 25)
<ref name="zerogokimedium-3480">[https://zerogoki.medium.com/zerogoki-progress-and-future-roadmap-including-duet-launch-updates-69a48f6ad828 Zerogoki Progress And Future Roadmap Including Duet Launch Updates] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1426090323948630024 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3481">[https://twitter.com/bachonchain/status/1426090323948630024 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1425492927590014976 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3482">[https://twitter.com/bachonchain/status/1425492927590014976 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1424748904684265472 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3483">[https://twitter.com/0Zerogoki/status/1424748904684265472 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424746737474752521 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3484">[https://twitter.com/bachonchain/status/1424746737474752521 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1424570289942274050 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3485">[https://twitter.com/0Zerogoki/status/1424570289942274050 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1424548585807310857 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3486">[https://twitter.com/0Zerogoki/status/1424548585807310857 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424386351793799175 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3487">[https://twitter.com/bachonchain/status/1424386351793799175 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424401074203418627 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3488">[https://twitter.com/bachonchain/status/1424401074203418627 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424401072706052098 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3489">[https://twitter.com/bachonchain/status/1424401072706052098 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424353171380391944 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3490">[https://twitter.com/bachonchain/status/1424353171380391944 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424354472503824386 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3491">[https://twitter.com/bachonchain/status/1424354472503824386 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/0Zerogoki/status/1424314403848028162 @0Zerogoki Twitter] (Sep 25)
<ref name="0zerogokitwitter-3492">[https://twitter.com/0Zerogoki/status/1424314403848028162 @0Zerogoki Twitter] (Sep 26, 2021)</ref>


[https://zerogoki.medium.com/temporarily-suspension-of-mint-redeem-function-3c9f5150f449 Temporarily Suspension Of Mint Redeem Function] (Sep 25)
<ref name="zerogokimedium-3493">[https://zerogoki.medium.com/temporarily-suspension-of-mint-redeem-function-3c9f5150f449 Temporarily Suspension Of Mint Redeem Function] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424270321851408389 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3494">[https://twitter.com/bachonchain/status/1424270321851408389 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424265471050674183 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3495">[https://twitter.com/bachonchain/status/1424265471050674183 @bachonchain Twitter] (Sep 26, 2021)</ref>


[https://twitter.com/bachonchain/status/1424265926489214977 @bachonchain Twitter] (Sep 25)
<ref name="bachonchaintwitter-3496">[https://twitter.com/bachonchain/status/1424265926489214977 @bachonchain Twitter] (Sep 26, 2021)</ref></references>
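Review bot: In the References block every access date moves forward by one day at the same time as the year is added ("(Aug 10)" becomes "(Aug 11, 2021)", "(Sep 14)" becomes "(Sep 15, 2021)", "(Sep 25)" becomes "(Sep 26, 2021)"). A uniform one-day shift suggests a conversion artifact rather than a new retrieval date, so confirm which day is correct before the new values replace the old ones.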

Latest revision as of 17:56, 2 May 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

The Zerogoki project is an experimental leveraged token trading platform. An attacker was somehow able to craft a compromised price oracle which, according to analysis, was signed by valid keys. It is unclear how the attacker was able to sign a valid transaction. The most likely scenario would be that all keys were stored in a central place.

The team tried to reach out to the attacker; however, there does not appear to have been any response. There were no losses of any assets, only a drop in price due to the minting of additional tokens. This was corrected by the team through a series of token buy-backs.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37]

About Zerogoki

"Zerogoki is a derivatives platform on Ethereum and based on an algorithmic-pegging mechanism to create leveraged tokens for any assets." "This project is experimental. Use at your own risk."

"Zerogoki, a transliteration [from] Japanese, stands for the experimental model Unit-00, and its token REI is the pronunciation of the word 'zero' in Japanese. Thus, it’s a metaphor for a prototype. Zerogoki is a leveraged token trading platform deployed on Ethereum and based on an algorithmic pegging mechanism, which can provide users with leverage tools for traditional assets such as foreign exchange, gold, and bonds. Users can use the platform token REI to cast leverage tokens or use the protocol's synthetic dollar-zUSD to buy leverage assets directly."

"Zerogoki is the pilot experimental protocol from Duet Protocol, which only has the Lite-minting module of Duet Protocol. That is, the synthetic assets are generated only by destroying the protocol asset-REI, and the volatile leverage tokens are chosen as the listed assets to increase the system test pressure. At the same time, the slower Ethernet main net with high cost is used to test if Duet can run smoothly in a harsh environment."

"@0Zerogoki is not only the WORLD's FIRST algorithm-pegging synthetic asset protocol but also made the first decentralized leverage token on the chain."

The project received an audit by CertiK on July 11th, 2021.

"On Aug 08 2021 (Beijing Time, block height 12982491), Zerogoki was attacked, which caused a loss of 670K USD." "Zerogoki experienced an Oracle attack a few hours ago when the wrong price led to an unrecognized transaction." "On 8th Aug 2021 05:24:48 AM UTC, one minting trading adopts a false REI price, and an excess 717,964.8 of zUSD was minted."

"Zerogoki Team located one user who executed an illicit minting transaction early today which caused a significant price slippage of zUSD…" "In the attack transaction, 0x81e5f715, the attacker constructed a message contains valid signatures and passed a crafted ns parameter (which contains a large number of zUSD). As a result, the attacker used 300 REI to swap 700k zUSD."

"Three addresses are collated with the signatures. However, we do not have information why the private keys of these addresses have been leaked, at the current stage."

"After the investigation, we found that it’s related to the compromised price oracle. The attacker provides a price oracle signed by legitimate private keys, which contain crafted number of tokens to be swapped. However the reason why the attacker can construct a valid signature is unknown yet."

"The swap function calls decode_op to obtain the information in the oracle. After performing the validation, the contract then burns the ns[0] x.token, mints ns[1] y.token and pays the swap fee to the GOV contract."

"From the implementation of the decode_op, there exists SIGNATURENUM (three) signatures in the parameter. These signatures need to be checked (and authorization) before performing the token swap (burning and minting)."
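
In the quoted analysis, three valid signatures were enough for the crafted ns amounts to be accepted. The following is an added example, not Zerogoki's contract code and not taken from the cited analysis: a Python model of a verifier that keeps the SIGNATURENUM check and adds limits that still hold if the signing keys leak. HMAC-SHA256 stands in for the contract's ECDSA check, and the nonce and deadline fields, the SwapGuard class, the signer names and all rates and limits are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

SIGNATURENUM = 3  # the page: decode_op expects three signatures

# Constructed signer keys. HMAC-SHA256 stands in for the contract's ECDSA
# check so that the block needs only the standard library.
SIGNER_KEYS = {"oracle-1": b"k1-constructed", "oracle-2": b"k2-constructed",
               "oracle-3": b"k3-constructed"}


def encode(msg):
    """Canonical byte encoding of an oracle message (assumed format)."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(signer, msg):
    return hmac.new(SIGNER_KEYS[signer], encode(msg), hashlib.sha256).hexdigest()


def signatures_ok(msg, sigs):
    """Signature-only validation: SIGNATURENUM valid sigs from distinct signers."""
    signers = [s for s, _ in sigs]
    if len(sigs) != SIGNATURENUM or len(set(signers)) != SIGNATURENUM:
        return False
    return all(s in SIGNER_KEYS and hmac.compare_digest(sign(s, msg), sig)
               for s, sig in sigs)


@dataclass
class SwapGuard:
    """Checks applied after signature validation (all limits are assumptions)."""
    reference_rate: float          # last accepted y-per-x rate
    max_deviation: float = 0.10    # allowed relative move per message
    flow_cap: float = 50_000.0     # y.token mintable per 24-hour window
    window: int = 24 * 3600
    seen_nonces: set = field(default_factory=set)
    mints: list = field(default_factory=list)   # (timestamp, amount)

    def check(self, msg, sigs, now):
        """Return 'ok' or the reason the swap is refused."""
        if not signatures_ok(msg, sigs):
            return "bad signatures"
        if now > msg["deadline"] or msg["nonce"] in self.seen_nonces:
            return "stale or replayed"
        burn, mint = msg["ns"]     # ns[0] burned from x.token, ns[1] minted to y.token
        if burn <= 0 or mint <= 0:
            return "bad amounts"
        rate = mint / burn
        if abs(rate - self.reference_rate) > self.max_deviation * self.reference_rate:
            return "rate deviation"
        recent = sum(a for t, a in self.mints if now - t < self.window)
        if recent + mint > self.flow_cap:
            return "flow limit"
        self.seen_nonces.add(msg["nonce"])
        self.mints.append((now, mint))
        self.reference_rate = rate
        return "ok"


def demo():
    now = 1_628_400_000  # constructed timestamp
    guard = SwapGuard(reference_rate=2.0)  # constructed rate, not the real REI price
    all_signers = list(SIGNER_KEYS)

    def signed(ns, nonce, signers=all_signers):
        msg = {"x": "REI", "y": "zUSD", "ns": ns, "nonce": nonce, "deadline": now + 600}
        return msg, [(s, sign(s, msg)) for s in signers]

    honest = signed([300, 610], 1)
    crafted = signed([300, 700_000], 2)                 # amounts as in the page's quote
    one_key = signed([300, 600], 3, ["oracle-1"] * 3)   # same signer three times
    results = {
        "crafted_sigs_only": signatures_ok(*crafted),
        "honest": guard.check(*honest, now),
        "crafted": guard.check(*crafted, now),
        "one_key": guard.check(*one_key, now),
        "replay": guard.check(*honest, now + 1),
    }
    big = signed([24_000, 49_500], 4)   # in-range rate, but exceeds the 24 h cap
    results["flow"] = guard.check(*big, now + 2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The deviation bound and the flow cap do not depend on the signer set, so they limit the amount minted even when every signing key is in the wrong hands.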

"After the Zerogoki community suffered the hacker attack on 8th August. Many Zerogoki users didn’t panic or sell the REI and zUSD. Instead, they stayed calm and confident. We are very grateful to these people for their unwavering support for Zerogoki. Later we decided to use more treasury funds to restore the peg soon and already invested $200K+ to stabilize the zUSD pegging to USD."

"[A]lthough the team could not prevent the price of REI from falling, but with the unremitting efforts, the liquidity depth of REI even increased from $1M to 1.5M (BSC+Ether)." "[W]e hope all players know that the REI depth is more crucial than the price when we talk about the stability of the synthetic assets of our system. Price will eventually return when the system stabilizes and reenters the positive cycle."

"The price of zUSD has experienced certain fluctuations, but it is expected to return to parity in the market trading and arbitrage after the minting function is back." "The above transaction is from 0xae, who sold all exceed zUSD afterward and caused a huge price drop. Zerogoki found out about this abnormal case soon, and the team suspended the oracle price feeding and mint/redeem function to avoid further price impact on REI."

"Regular Uniswap v2 trading and liquidity mining [were] not affected."

"[T]he Oracle bug was attacked by a malicious player. [W]e have to fix it before we can open it." "Oracle is closed, no more zUSD will be mint." "We have suspended the oracle." "We have suspended the oracle machine for now and it is expected to be restored within 2 days. The price of zUSD has experienced certain fluctuations, but it is expected to return to parity in the market trading and arbitrage after the minting function is back."

"During the suspension, REI-zAsset mint and burn have been stopped." "The system minting/redemption function is expected to be open at intervals on 13th August for 1 hour from 14:00 UTC, and 2 hours each day between 2:00 UTC and 14:00 UTC to help the market gradually return to the arbitrage equilibrium." "Regular Uniswap v2 trading and liquidity mining are not affected."

"During the suspension, REI-zAsset mint and burn have been stopped." "At the same time, to be on the safe side at the beginning of the launch, we lowered the casting/redemption flow limit again, and now the 24-hour flow and tax rate curve for REI and each zAsset is shown here."

"We are locating the problem and the hacker, please wait patiently, there is no need to panic, the system will gradually stabilizing, that is how it designed." "The development team is working on the cause of abnormal prices and tracking user 0xae. During this time all users’ asset is safe and no actual loss happened unless REI and zAsset holders sell their holdings on a biased price."

"Attention to the Hacker: Through the efforts of our team, we have collected pretty much of your on-chain historical transaction and off-chain cypher activities. Moreover, we are close to mastering the identity information of your account at FTX. We urgently warn you to RETURN the funds belonging to the Zerogoki community."

"Zerogoki team calls for the user 0xae to connect with us. Since these exceeded minted zUSD should not be recognized, held, or selling these balances are against fair rules. The team would like to offer 0xae a reward for helping the project find out this oracle error and suggest 0xae to connect with us for the next process."

"The zUSD has experienced certain fluctuations, but it is expected to return to parity in the market trading and arbitrage after some time." "Don't Panic. Liquidity's coming." "The foundation has lent REI to core users who are willing to provide large amounts of liquidity, which REI token will be taken back in the future when liquidity becomes abundant." "Those who sell now will in fact bear the loss caused by the malicious player. Selling now is not recommended."

"Long term peg of zUSD is secured by Duet Treasury funds (3 Million USD). We will be buying zUSD when it’s below peg at random intervals. The Treasury will provide LP with the zUSD" "With strong community support and timely action from the team, the zUSD price has recovered to 0.98/USDT, the peg is finally back." "The zUSD price has recovered from the attack for the most part. After the minting function restored in about 1 ~ 2 days, the price difference will quickly converge through arbitrage, and there is no need for panic"

"The progress of zUSD price recovery exceeds expectations, is a proof of the strong community consensus!" "[L]iquidity pool back to $1 million, the reward still high." "After recovering from the fall yesterday, #Liquidity on #Zerogoki is back to >5 million USD and going stronger." "Now, zUSD liquidity and trading volume both have reached a record high — $2.3 million liquidity, 24H vol is close to $1 million. As we say ‘Whatever doesn’t kill you makes you stronger. A tribute to the great community support." "REI and zAsset are back to stable by now."

"Zerogoki plans to set up a HODL $REI activity to reward long-term $REI holders and Liquidity providers. Users who are identified as in the HODL $REI group will receive an extra airdrop for their loyalty and foresightedness. More detailed information will be released soon."

"We will use more treasury funds to restore the peg soon, and we've already invested $200K+ to stabilize the zUSD." On September 2nd, "[t]he team burnt 420,000 $REI tokens as a deflationary strategy of the #Zerogoki system." "Zerogoki plans to set up a HODL REI activity to reward long-term REI holders and liquidity providers. Users who are identified as in the HODL REI group will receive extra airdrop for their loyalty and foresightedness."

"In case of potential dumping, our foundation is considering buying back when REI's #BSC price is under $0.6."

"A big Thank you to all the users who participated in our #Crosschain activity, #BSC $REI tokens have been distributed, the total number is 280,463.839."

"We have decided to conduct a further review of the Oracle code and, for security reasons, expect the minting function recovery to be delayed until later this week. Users who want to participate in Yield Farming could purchase zAssets directly from Uniswap then do liquidity mining." "The project will set up bug bounty activities to involve more contributors to help the project become more stable and robust."

"Zerogoki project aims to build up a long-lasting and solid derivative platform for DeFi eco, and the project is more than grateful to users who stand with us." "What's Next: (1) BSC liquidity farming expected start at end of this week. (2) REI governance staking expected to launch next week."


The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

{|
|+ Key Event Timeline - Zerogoki Price Oracle Compromised
!Date
!Event
!Description
|-
|August 8th, 2021
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|}

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $670,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  2. Zerogoki (Sep 15, 2021)
  3. Notion – The all-in-one workspace for your notes, tasks, wikis, and databases. (Sep 26, 2021)
  4. The Analysis Of The Zerogoki Attack (Sep 26, 2021)
  5. CertiK Security Assessment Duet/Zerogoki (Sep 26, 2021)
  6. God | 0x80ecdb90a1231cb1964546860b22238664035757 (Sep 26, 2021)
  7. Address 0x0d93A21b4A971dF713CfC057e43F5D230E76261C | Etherscan (Sep 26, 2021)
  8. Address 0x3054e19707447800f0666ba274a249fc9a67aa4a | Etherscan (Sep 26, 2021)
  9. Address 0x4448993f493b1d8d9ed51f22f1d30b9b4377dfd2 | Etherscan (Sep 26, 2021)
  10. Ethereum Transaction Hash (Txhash) Details | Etherscan (Sep 26, 2021)
  11. Zerogoki Global Youtubevideo Contest (Sep 26, 2021)
  12. Why i Like Zerogoki Protocol. I didn’t ask to get into DeFi. Most of… | by Sinjicarus | Medium (Sep 26, 2021)
  13. @0Zerogoki Twitter (Sep 26, 2021)
  14. Ethereum Transaction Hash (Txhash) Details | Etherscan (Sep 26, 2021)
  15. Welcome to Zerogoki - YouTube (Sep 26, 2021)
  16. @0Zerogoki Twitter (Sep 26, 2021)
  17. @bachonchain Twitter (Sep 26, 2021)
  18. @bachonchain Twitter (Sep 26, 2021)
  19. @bachonchain Twitter (Sep 26, 2021)
  20. @0Zerogoki Twitter (Sep 26, 2021)
  21. Zerogoki Progress And Future Roadmap Including Duet Launch Updates (Sep 26, 2021)
  22. @bachonchain Twitter (Sep 26, 2021)
  23. @bachonchain Twitter (Sep 26, 2021)
  24. @0Zerogoki Twitter (Sep 26, 2021)
  25. @bachonchain Twitter (Sep 26, 2021)
  26. @0Zerogoki Twitter (Sep 26, 2021)
  27. @0Zerogoki Twitter (Sep 26, 2021)
  28. @bachonchain Twitter (Sep 26, 2021)
  29. @bachonchain Twitter (Sep 26, 2021)
  30. @bachonchain Twitter (Sep 26, 2021)
  31. @bachonchain Twitter (Sep 26, 2021)
  32. @bachonchain Twitter (Sep 26, 2021)
  33. @0Zerogoki Twitter (Sep 26, 2021)
  34. Temporarily Suspension Of Mint Redeem Function (Sep 26, 2021)
  35. @bachonchain Twitter (Sep 26, 2021)
  36. @bachonchain Twitter (Sep 26, 2021)
  37. @bachonchain Twitter (Sep 26, 2021)