BXH Exchange Private Key Leak: Difference between revisions

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BXH Exchange

BXH is a decentralized exchange platform which appears to be run by a team in China. However, the authority to make changes resided within the hands of a single team member. This private key was breached by an unknown means, and the attacker has not returned any funds. A $10m reward has gone unanswered.

The project has relaunched on most chains, and is working on a recovery. However, it's unclear if any of the affected users have been compensated yet at this time. They set up a multi-sig to prevent future issues.

This exchange or platform is based in China, or the incident targeted people primarily in China.^{[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29]}

About BXH Exchange

"Boy X Highspeed (BXH) [is] a decentralized cross-chain exchange." "BXH is an innovative one-stop decentralized trading platform." The BXH "[p]roject is a DEX on Huobi Eco Chain mainly aimed at the Chinese market, an English interface is also available. "BXH" stands for "Bitcoin DEX on HECO""

The BXH token is a "[g]overnance token for [the] BXH DEX, farmed through liquidity mining similar to other DEX tokens, a certain amount of tokens are repurchased and burned.

"On October 30th, the private key of the decentralized revenue protocol BXH was stolen and lost approximately US$139 million in encrypted assets." "The attacker gained access to the stolen funds due to a failure to properly protect the administrative key of the project’s account on the Binance Smart Chain (BSC)." "With this private key, the attacker was able to digitally sign a transaction transferring $139 million in tokens from BXH’s account on BSC to their own account."

"The decentralized transaction protocol BXH tweeted that the assets of the protocol on the Binance Smart Chain (BSC) chain were hacked." "DeFi trading platform BXH said in multiple tweets that it was being attacked on BSC, resulting in the theft of about US$130 million. It said that assets on other chains are safe and not affected, and it has locked BXH contracts on OEC and HECO chains for asset security reasons."

"The security incident occurred on the BSC chain. According to official statements, the on-chain assets of Ethereum, OEC, and Heco were not affected, but for security reasons, all on-chain deposit and withdrawal functions have been shut down."

"Due to the attack occurring in China, where most of BXH’s technical staff operate, an inside job is the current running theory. However, it’s possible a hacker planted a virus on the BXH site that was clicked by an administrator, granting the thief access to a computer with private key privileges." "The inside-job theory is supported by findings that indicate the attacker was in China, where most of BXH’s technical team is based, according to the CEO."

"According to the analysis of the blockchain security agency SlowMist Technology, the hacker deployed the attack contract 0x8877 ​​at 13:00 on the 27th (UTC), and then the BXH wallet address 0x5614 at 8:00 on the 29th (UTC) will manage permissions through grantRole The attack contract 0x8877 ​​was given. At 3 o'clock on the 30th (UTC), the attacker obtained the authority by attacking the contract 0x8877 ​​to transfer the assets under his management from the BXH vault. The vault was suspended at 4 o'clock on the 30th (UTC) at the wallet address 0x5614. Therefore, BXH was stolen this time because its management authority was maliciously modified, causing the attacker to use this authority to transfer project assets. At present, 4000 ETH in the hacker's initial address has been transferred from BSC to ETH, and 300 BTCB was converted into renBTC and transferred to the new address."

The hack "that drained $139 million of funds was probably the result of a leaked administrator key, and possibly an inside job, CEO Neo Wang told CoinDesk." "Based on a consultation with an external security team, BXH says the hacker was probably able to break into the exchange’s Binance Smart Chain address after getting hold of the administrator’s private key, Wang said."

"Work with Peckshield to monitor and track stolen assets and update the status of stolen assets to the community. Notified O3Swap and requested the emergency shutdown of the BSC cross-chain bridge. Notified AnySwap and requested it to add the hacker address to the blacklist ASAP. Contacted renBridge, but renVM said that it didn't have a blacklist mechanism. Emailed USDC to freeze the account, but Centre.io said that it needed a court order. BXH has contacts a Delaware lawyer to follow up. With the support of Peckshield, BXH comprehensively analyzed the cross-chain bridge used by the attacker and the attack process, preliminarily profiled the attacker, and the possible countries where the attacker might be located. Contacted the Heco team to assist in risk control over the BXH platform contracts. Filed a police report to Hunan police with the community members. Peckshield provided the investigation report and relevant data to the police. All BXH staff actively cooperated with the police, such as taking deposition, etc... Contact Huobi to investigate the registration information of the Gas fee withdrawal account. Sought help from SlowMist to jointly track assets and analyze the attacks. Contacted Lossless, the overseas security company, and prepared the English report. Contacted the listed domestic security company DAS-Security to check the server."

"After repeated tests by multiple parties, it is now confirmed that all security loopholes on the ETH chain have been eliminated, and the multi-signature upgrade for private key verification has also been completed." "In order to further ensure the security of users' assets on BXH, BXH has decided to fully upgrade its contracts, both the main contract and the dispatch contract." "To complete the upgrade, we need to postpone the reopening time on the ETH chain to 20:00 on November 14, 2021, Beijing time. By then, the front-end of BXH will also be opened, and all third-party APIs will need upgrading. BXH will provide necessary information such as APIs at the same time."

"Thanks to the cooperation and support of all parties, BXH has resumed its service on OEC and ETH after the attack on October 30, 2021. Now BXH is striving to resume its service on HECO and BSC."

"After the October 30th event, the remaining assets in the BSC chain have been transferred to the secure multi-signature contract address." "A draft solution for the stolen assets of the BSC chain will be publicized before 20:00, November 18, 2021, Beijing time. Once the solution is finalized, BXH will announce and execute it in no time." "In addition, BXH announced the first draft plan about its assets on in the community on November 18, and received a lot of opinions and feedback. BXH thank you for your support and valuable contribution."

"A case has been filed with China’s network security police, and a bounty of $1 million has been offered to any team that helps retrieve the funds. If the hacker is not found and/or funds are not returned, BXH has claimed it will accept full responsibility for the lost funds and provide a user repayment plan for those affected." "BXH has also filed a case with China’s network security police, a special force that investigates digital crime, the CEO said."

"As the team is trying the best to get the incident cleared in cooperation with authorities and third party security team. We also offer a bonus at amount of $ 1 million to any white hat team who can help us retrieving user's assets that got theft." "The total reward pool has now risen to 10 million US dollars!"

“To the exploiters again, please return the funds to the fund pool immediately and we will recognize your actions as white hat and offer bonus,” BXH said in a tweet, adding that it will offer a bonus of US$1 million to any white hat team that could help retrieve users’ assets.

"If the hacker is not found or returns the money, BXH will take full responsibility for the incident and figure out a user repayment plan, Wang said." "We want to thank the community for your patience during the cause of the attack. We would come back stronger."

"We are glad to announce the reopening of $BXH on #HECOCHAIN." "The withdrawal of tokens on BXH.COM will start from 22:30 November 28th, 2021 as the new smart contract audited by Peckshield has been deployed on Binance Smart Chain. Users can get their withdra[wa]l token XDT according to the amount of the assets they hold on the platform." "The opening of the withdrawal is the first step of BXH's return. Thenk you all for the patient awaiting. And we hope you will cont[i]nue the journey with us."

This exchange or platform is based in China, or the incident targeted people primarily in China.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

• Known history of when and how the service was started.
• What problems does the company or service claim to solve?
• What marketing materials were used by the firm or business?
• Audits performed, and excerpts that may have been included.
• Business registration documents shown (fake or legitimate).
• How were people recruited to participate?
• Public warnings and announcements prior to the event.

Don't Include:

• Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
• Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

• When the service was actually started (if different than the "official story").
• Who actually ran a service and their own personal history.
• How the service was structured behind the scenes. (For example, there was no "trading bot".)
• Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $139,195,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The way to prevent the issue is through a multi-signature arrangement, and also through storing keys safely offline. There is no reason that a key needs to leave an offline medium.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References