AnySwap ECDSA Exploit
Latest revision as of 10:28, 3 May 2023
Rather than use a multi-sig, AnySwap locked funds under a more complex MPC (multi-party computation) threshold-signature scheme. In such a scheme there is a single private key that no party holds in full; each party holds a share, and the parties jointly produce ordinary ECDSA signatures. ECDSA's security depends on every signature using a fresh, unpredictable nonce, which shows up in the signature as its "R" value. When two signatures under the same key repeat the R value, anyone can solve for the nonce and then for the private key from those two signatures alone, which is what happened to the V3 Router's MPC account. AnySwap plans to compensate all affected users.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]
About Anyswap
"Anyswap is a fully decentralized cross chain swap protocol, based on Fusion DCRM technology, with automated pricing and liquidity system. Anyswap is a decentralized application running on the Fusion, Binance Smart Chain, Ethereum and Fantom blockchains. The first application from Anyswap is a DEX (Decentralized Exchange), which is called anyswap.exchange."
"Anyswap protocol allows users to immediately swap from one coin to another with a click of a button. It can be considered as a decentralized exchange, however, it doesn’t have an order book. Therefore, users can swap and immediately get coins at the price of the currency they are swapping to, without going through the hassle of creating orders and waiting for them to be filled."
"Anyswap uses Anyswap Working Nodes (AWN) to ensure the decentralization of Anyswap. These nodes will be elected by the holders of ANY token, and will be responsible for funds custody. Therefore, Anyswap company will have no control over users’ funds." "Anyswap uses Fusion’s DCRM technology as a cross-chain solution. Anyswap users can deposit any coin to the protocol, mint wrapped tokens in a fully decentralized way and swap assets from different blockchains." "Liquidity providers can add or withdraw liquidity into swap pairs. Prices will be automated according to the liquidity provided."
"The new Anyswap multichain prototype V3 router was exploited early on July 10, 2021." "AnySwap lost $7.8M worth of crypto funds as a result of ECDSA signature derivation exploit." "The attack occurred on Anyswap V3 liquidity pool on July 10, 2021, at 8:00 PM UTC."
"Two v3 router transactions were detected under the V3 Router MPC account on BSC, these two transactions have the same R value signature. And hacker deduced the private key to this MPC account in reverse. Anyswap team reproduced this attack method." "Anyswap multichain V3 router was exploited and result in 7.5M$ worth of assets lost. The attacker deduced the private key to the Anyswap V3 Router MPC account based on two transactions that have the same R value signature."
"The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys."
"The key here is that every k value calculated in the algorithm should be based on a different, random number for each signature. If two or more transactions contain a repeated k value, then the private key can be back-calculated."
"This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013."
"Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key."
"The bridges are burning. Anyswap and Chainswap in 24 hours. They say it's fixed, but can you trust them?"
"[O]nly the new V3 cross-chain liquidity pools have been affected." "An exploit was detected in the new anyswap v3 prototype, all bridge funds used in v1/v2 are safe. Remedial action already in place for all exploited funds." "All v1/v2 bridge transactions have been audited, they don’t have the same R transactions. Bridges are safe."
Losses were "2,398,496.02 USDC and 5,509,222.73 MIM in total." "Anyswap has already put remedial actions in place to provide full compensation. Anyswap will compensate. Thus, liquidity providers will be able to withdraw their assets from the pool once again when the liquidity is refilled by Anyswap pending the 48-hour timelock."
"To facilitate future security, Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."
"Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough."
"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server."
"And it requires every signature request to scan every previous one, but really that's the smallest problem here."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 10th, 2021 | Main Event | The Anyswap Multichain Router V3 prototype was exploited. Two transactions from the V3 Router MPC account on BSC had been signed with the same R value; the attacker used them to derive the account's private key and drained about $7.8M (2,398,496.02 USDC and 5,509,222.73 MIM) from the V3 cross-chain liquidity pools. V1/V2 bridge funds were not affected. |
Technical Details
As far as the chain is concerned, the V3 Router MPC account is an ordinary secp256k1/ECDSA signer. An ECDSA signature (r, s) over a message hash z is computed as r = (k*G).x mod n and s = k^-1 (z + r*d) mod n, where d is the private key and k is a per-signature nonce that must be fresh and unpredictable. Two transactions from the V3 Router MPC account on BSC were signed with the same k, which is visible on-chain as an identical r. Given two such signatures, (r, s1) over z1 and (r, s2) over z2, anyone can compute k = (z1 - z2) / (s1 - s2) mod n and then d = (s1*k - z1) / r mod n. The attacker did exactly this, recovered the MPC account's key, and used it to withdraw about $7.8M (2,398,496.02 USDC and 5,509,222.73 MIM) from the V3 liquidity pools. Anyswap stated that its team reproduced the attack, and that the V1/V2 bridge signatures were audited and contained no repeated r. The weakness is long documented: fail0verflow used it against the PlayStation 3 in 2010, and Nils Schneider applied it to Bitcoin keys in 2013. Anyswap's patch checks each new signature against every previous one for a repeated r. Nick Johnson criticised this as fragile, since the check fails if the record of past signatures is deleted, restored from an old backup or not carried over to a new server, and it makes every signing request scan the whole signature history.
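The following Python is an added worked example, not Anyswap's code and not the MPC protocol itself (the sources describe only its output, not its internals). It shows the algebra the attacker used, two ECDSA signatures under one secp256k1 key that share r, from which the nonce k and then the private key d follow, together with the kind of repeated-r scan that Anyswap's patch relies on. The curve arithmetic is a minimal pure-Python secp256k1, the key, nonce and "transaction" messages are constructed, and message hashing is plain SHA-256 rather than Ethereum's keccak-based transaction hashing; the recovery algebra does not depend on any of those choices.

```python
# Added example (not Anyswap's code): recover an ECDSA private key from two
# signatures that reuse the nonce k, and scan a signature log for repeated r.
# Pure-Python secp256k1 so it runs offline; key, nonce and messages are made up.
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Ethereum and BSC accounts)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def msg_hash(msg):
    """SHA-256 of the message reduced mod n (stand-in for a tx hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA with a caller-supplied nonce k. A real signer must draw a fresh,
    unpredictable k for every signature; passing the same k twice is the bug."""
    r = ec_mul(k)[0] % N
    s = pow(k, -1, N) * (msg_hash(msg) + r * d) % N
    return r, s


def verify(pub, msg, sig):
    """Textbook ECDSA verification: x(u1*G + u2*Q) mod n == r."""
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(msg_hash(msg) * w % N), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def find_reused_r(signatures):
    """Group (msg, (r, s)) records by r; any r seen twice means a reused nonce.
    This is the check Anyswap's patch reportedly runs against all prior signatures."""
    by_r = {}
    for idx, (_, (r, _)) in enumerate(signatures):
        by_r.setdefault(r, []).append(idx)
    return {r: idxs for r, idxs in by_r.items() if len(idxs) > 1}


def recover_private_key(msg1, sig1, msg2, sig2, pub=None):
    """Two signatures under one key sharing r: solve for k, then d.
    Ethereum-style signers canonicalise s to the low half of the range, so the
    second s may have been negated; try both and, if pub is given, keep the
    candidate that reproduces the public key."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r values differ: nonce was not reused")
    z1, z2 = msg_hash(msg1), msg_hash(msg2)
    for s2c in (s2, (N - s2) % N):
        if (s1 - s2c) % N == 0:
            continue  # identical s (same message): nothing to solve
        # s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2)
        k = (z1 - z2) * pow((s1 - s2c) % N, -1, N) % N
        # s1 = k^-1 (z1 + r d)      =>  d = (s1 k - z1) / r
        d = (s1 * k - z1) * pow(r1, -1, N) % N
        if pub is None or ec_mul(d) == pub:
            return k, d
    raise ValueError("no candidate key reproduces the public key")


def demo():
    """Random key, one nonce reused across two constructed messages."""
    d = secrets.randbelow(N - 1) + 1
    pub = ec_mul(d)
    k = secrets.randbelow(N - 1) + 1                  # reused nonce: the flaw
    sigs = [(m, sign(d, m, k)) for m in (b"swap #1", b"swap #2")]
    assert all(verify(pub, m, s) for m, s in sigs)
    (m1, s1), (m2, s2) = sigs
    k_rec, d_rec = recover_private_key(m1, s1, m2, s2, pub)
    return bool(find_reused_r(sigs)) and k_rec == k and d_rec == d


if __name__ == "__main__":
    print("recovered private key from nonce reuse:", demo())
```

Because the final on-chain signature of a threshold-ECDSA scheme is an ordinary ECDSA signature, the recovery works the same way no matter how many parties produced it; the MPC changes how k and d are generated, not what the signature reveals. The repeated-r scan is exactly the detection Nick Johnson criticised: it only catches reuse against signatures the scanner has already seen, so a lost or restored signature log silently reopens the hole. For a single signer the standard remedy is deterministic nonce derivation (RFC 6979), which binds k to the key and the message so that two signatures share r only when they are the same signature; that is an editorial note, not something the sources on this page state.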
Total Amount Lost
The total amount lost has been estimated at $7,800,000 USD.
Anyswap's own statement puts the loss at 2,398,496.02 USDC and 5,509,222.73 MIM; secondary reports cite both $7.5M and $7.8M USD. Only the new V3 cross-chain liquidity pools were affected; V1/V2 bridge funds were not touched.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
No stolen funds appear to have been recovered.
Anyswap stated that it would compensate affected liquidity providers in full by refilling the pool liquidity itself, subject to a 48-hour timelock, so users were expected to be made whole from Anyswap's own funds rather than from recovered assets.
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
A key requirement of an effective custody setup, whether a plain multi-sig or a threshold-signature (MPC) scheme, is simplicity. Each layer of added complexity widens the attack surface and makes it harder for anyone to evaluate the security of the arrangement; here the MPC signing's nonce handling failed in a way that turned the shared custody key into a single point of failure.
AnySwap plans to compensate affected users, so no net losses to users are anticipated in this case.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] No Title, https://blockthreat.substack.com/p/blockthreat-week-27-2021 (Jul 24, 2021)
- [2] Anyswap Multichain Router V3 Exploit Statement, https://anyswap.medium.com/anyswap-multichain-router-v3-exploit-statement-6833f1b7e6fb (Jul 24, 2021)
- [3] @cmichelio Twitter, https://twitter.com/cmichelio/status/1414344946803433477 (Jul 24, 2021)
- [4] Rekt - Anyswap - REKT, https://www.rekt.news/anyswap-rekt/ (Jul 30, 2021)
- [5] blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub, https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md (Aug 11, 2021)
- [6] Can derive the private key? Anyswap cross-chain bridge is analyzed | by Knownsec Blockchain Lab | Medium, https://medium.com/@Knownsec_Blockchain_Lab/can-derive-the-private-key-anyswap-cross-chain-bridge-is-analyzed-4d6ddc30c974 (Aug 11, 2021)
- [7] CertiK Blockchain Security Leaderboard, https://www.certik.org/ (Jun 1, 2021)
- [8] AnySwap - Cross Chain DEX, https://anyswap.exchange/dashboard (Aug 22, 2021)
- [9] Anyswap DEX User Guide — Anyswap 1.0.0 documentation, https://anyswap-faq.readthedocs.io/en/latest/index.html (Aug 22, 2021)
- [10] A Comprehensive Review Of The Cross-Chain DEX Anyswap, https://u.today/press-releases/a-comprehensive-review-of-the-cross-chain-dex-anyswap (Aug 22, 2021)
- [11] Ethereum Transaction Hash (Txhash) Details | Etherscan, https://etherscan.io/tx/0xc80e7cfeb16143cba4d5fb3b192b7dbe70e9bcd5ca0348facd20bf2d05693070 (Aug 28, 2021)
- [12] Ethereum Transaction Hash (Txhash) Details | Etherscan, https://etherscan.io/tx/0xecaaf8b57b6587412242fdc040bd6cc084077a07f4def24b4adae6fbe8254ae3 (Aug 28, 2021)
- [13] Binance Transaction Hash (Txhash) Details | BscScan, https://bscscan.com/tx/0xa8a75905573cce1c6781a59a5d8bc7a8bfb6c8539ca298cbf507a292091ad4b5 (Aug 28, 2021)
- [14] Fantom Transaction Hash (Txhash) Details | FtmScan, https://ftmscan.com/tx/0x7312936a28b143d797b4860cf1d36ad2cc951fdbe0f04ddfeddae7499d8368f8 (Aug 28, 2021)
- [15] Address 0x0aE1554860E51844B61AE20823eF1268C3949f7C | Etherscan, https://etherscan.io/address/0x0aE1554860E51844B61AE20823eF1268C3949f7C (Aug 28, 2021)
- [16] @tayvano_ Twitter, https://twitter.com/tayvano_/status/1414429118125334530 (Aug 28, 2021)
- [17] Recovering Bitcoin private keys using weak signatures from the blockchain / Nils Schneider, https://web.archive.org/web/20160308014317/http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html (Aug 28, 2021)
- [18] @nicksdjohnson Twitter, https://twitter.com/nicksdjohnson/status/1414512086672052238 (Aug 28, 2021)
- [19] @MultichainOrg Twitter, https://twitter.com/MultichainOrg/status/1414270670922391555 (May 7, 2022)
- [20] Anyswap got hacked, https://www.adrianhetman.com/anyswap-got-hacked/ (May 7, 2022)
- [21] Anyswap Multichain Router V3 Exploit Statement, https://medium.com/multichainorg/anyswap-multichain-router-v3-exploit-statement-6833f1b7e6fb (May 7, 2022)
- [22] Rekt - Anyswap - REKT, https://rekt.news/anyswap-rekt/ (May 7, 2022)
- [23] Random Numbers Don't Lie: A Closer Technical Look into Recent DeFi Hacks, https://cryptopotato.com/random-numbers-dont-lie-a-closer-technical-look-into-recent-defi-hacks/ (May 7, 2022)
- [24] How Hackers Can Exploit Weak ECDSA Signatures, https://halborn.com/how-hackers-can-exploit-weak-ecdsa-signatures/ (May 7, 2022)