Arbix Finance Rug Pull: Difference between revisions

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Arbix Finance

Arbix Finance was a yield farming smart contract. Once an audit was obtained through CertiK, deposit funds were instead requested on an unaudited smart contract which featured additional centralized mint functions for the owner. This enabled the full $10m which had been deposited in the smart contract to be stolen. The website and other social media were subsequently removed. There does not appear to be any proposal for recovery.

This is a global/international case not involving a specific country.^[1][2][3][4]

About Arbix Finance

^[5][6][7][8]

"Arbix Finance labelled themselves as an arbitrage-focused project on BSC, in which users could deposit into single-asset vaults in order “to gain optimal yield with low risk”."

"Arbix Finance is a yield farming platform on Binance Smart Chain utilizing Arbitrage Earning Protocol to gain optimal yield with low risk." "Arbitrage Earning Protocol takes the vaults' liquidity to make profit against DEXs (e.g. pancakeswap, apeswap, etc..) The profit occurs when there are same-asset price discrepancies among the DEXs."

"Under Arbix Finance users can deposit BEP20 token assets into the vaults and reap competitive profits. Unlike many yield farming platforms, users do not have to concern about impermanent loss since all of the vaults are single-asset."

The Reality

Despite obtaining an audit from CertiK, the Arbix Finance project proceeded to launch a separate smart contract with eight additional minting functions, which allowed them to mint any amount of ARBX token they desired^[9].

"The exploited contract was not in the audit scope that was done for Arbix. The project inserted eight `mint()` functions to a newly deployed ARBX ERC20 contract which allowed the owner to mint any amount of ARBX tokens to any address."

What Happened

"The funds deposited by users ($10M) were directed to unverified pools via the depositor contract."

"Starting around 3 AM +UTC on Jan 4th, the project drained the vaults of users’ funds and deleted their website, Twitter and Telegram accounts."

Technical Details

The exploit was relatively simple. A smart contract without minting functions was provided for CertiK to review with a formal audit. The Arbix Finance team then deployed a separate smart contract with 8 additional minting functions, which never underwent any review. After the project gained popularity and liquidity, they then used those minting functions to mint ARBX tokens and dump them on the market. The tokens were swapped via AnySwap to ethereum.

Depositor address: ^[13]

One unverified pool: ^[14]

Hacker address: ^[15]

^{[16][17][18][19]}

^[9]

"Starting around 3 AM +UTC on Jan 4th, the project drained the vaults of users’ funds and deleted their website, Twitter and Telegram accounts."

CertiK Incident Analysis Tweet

CertiK prepared an incident analysis, which highlighted the simplistic nature of the exploit^[11][9].

1. $ARBX contract has mint() with onlyOwner function

2. 10M $ARBX were minted to 8 addresses

3. ~4.5M ARBX were minted to: 0x161262d172699cf0a5e09b6cdfa5fee7f32c183d

4. The 4.5M ARBX were then dumped

The funds deposited by users ($10M) were directed to unverified pools via the depositor contract

The hacker drained all assets from the pools

The attacker moved the rugged funds to #Ethereum thru AnySwap USDT.

The exploited contract was not in the audit scope that was done for Arbix. The project inserted eight `mint()` functions to a newly deployed ARBX ERC20 contract which allowed the owner to mint any amount of ARBX tokens to any address.

Total Amount Lost

"The funds deposited by users ($10M) were directed to unverified pools via the depositor contract."

"$ARBX contract has mint() with onlyOwner function. 10M $ARBX were minted to 8 addresses. ~4.5M ARBX were minted to: 0x161262d172699cf0a5e09b6cdfa5fee7f32c183d. The 4.5M ARBX were then dumped."

"Also stolen were: $920k Binance-pegged ETH, $2.25M in BSC-USD, $1.7M BUSD, $1.4M CAKE, $1M BSC-USDC, As well as lesser amounts of ADA, DOT, DOGE, LINK, XRP and WBNB."

The total amount lost has been estimated at $10,000,000 USD.

Immediate Reactions

"Starting around 3 AM +UTC on Jan 4th, the project drained the vaults of users’ funds and deleted their website, Twitter and Telegram accounts."

"We’ve received inbounds that may indicate high risks regarding to a project named Arbix Finance. Privileged functionalities appear in those smart contracts and we wish the community DYOR enough before interacting with the dApp."

"Basically @certik_io @certikorg audited and proudly certified Arbix Finance to have a multi-signature mechanism to approve funds management without even KYC them. They alerted the investors after the devs already rug pulled the TVL."

"#Arbix Finance has been identified as #rugpull. Privileged functionalities appear in the identified smart contracts."

"Steer clear from Arbix Finance says @certikorg after the firm identified the BSC-based yield farming protocol as a rug pull."

Community Reaction On Twitter.

Several users were critical of the CertiK smart contract audit process^[20].

"Even after certik audit they are stealing hard earned money of innocent peoples it means there is no means to have faith on certik now onwards .... All other excuses are [not accepted]"

Ultimate Outcome

"Basically @certik_io @certikorg audited and proudly certified Arbix Finance to have a multi-signature mechanism to approve funds management without even KYC them. They alerted the investors after the devs already rug pulled the TVL."

"Using the platform’s Skytrace tool to analyze the risk of fraud, the firm determined that the hacker moved the funds to Ethereum through decentralized exchange AnySwap USDT."

"Despite providing the project’s audit in November of last year, and marking all major or critical issues as resolved, Certik decided to publish a basic incident analysis."

The CertiK website presently does not list any audits on their page about Arbix Finance^[21].

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

The smart contract deployed by Arbix Finance was never audited. Individuals could have avoided the loss by carefully checking the deployed smart contract address against the address of the audited smart contract, and not providing funds to the unaudited smart contract. If a larger portion of users were diligent and warned others, the amount of loss could have been dramatically reduced.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Increased user education is the primary way wallets or exchanges could protect users from using unaudited smart contracts. Adding a standard/automatic way to distinguish smart contracts which have been audited from those which have not into the user interface would be highly beneficial for users in being aware that they are interacting with an unaudited smart contract.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Platforms should work together to create an industry insurance fund to assist users who lose funds.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Increased education can assist citizens to avoid using unaudited smart contracts. Having a standard system to review projects and ensure that the smart contract address for the review is provided prominently could reduce the risk and also increase the accountability for project owners. Finally, an industry insurance fund can assist affected users and provide scrutiny of new projects.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

Cite error: <ref> tag with name "youtube-5311" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "voi-5312" defined in <references> is not used in prior text.