Pirate X Pirate Private Key Leak: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
No edit summary
(Another 30 minutes complete. All sources merged in. Prevention added. Information relocated around.)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/piratexpirateprivatekeyleak.php}}
{{Case Study Under Construction}}[[File:Piratexpirate.jpg|thumb|Pirate X Pirate]]The Pirate X Pirate NFT game suffered a breach that resulted in 212 BNB (~$83k USD) worth of funds being taken. The breach appears to be the result of a private key leak, and very limited details have been published on how the key may have leaked. The company has instead fired their development team and hired external contract auditors.
{{Unattributed Sources}}


[[File:Piratexpirate.jpg|thumb|Pirate X Pirate]]The Pirate X Pirate NFT game suffered a breach that resulted in 212 BNB (~$83k USD) worth of funds being taken. The breach appears to be the result of a private key leak, and very limited details have been published on how the key may have leaked. The company has instead fired their development team and hired external contract auditors.
== About Pirate X Pirate ==
<ref name="piratexpirate-7262" /><ref name="thebittimes-7269" /><ref name="bscscan-7270" /><ref name="bscscan-7273" /><ref name="bscscan-7274" /><ref name="shinchanieoalertsmedium-7275" />
 
"Pirate X Pirate is a Blockchain gaming platform with a pirate theme. It is a world where you earn through your adventures across the high seas. Recruit your crew, form your fleet, and test your prowess battling against other pirates to earn money. With your fleet, you will participate in building a pirate metaverse with its own self-contained economy."
 
== The Reality ==
 
=== Uncertainty Around Developer Team ===
TBD - The team was later fired and replaced.


This is a global/international case not involving a specific country.<ref name="slowmist-2069" /><ref name="piratexpirate-7262" /><ref name="coinmarketcap-6470" /><ref name="pxpnftsgametwitter-7263" /><ref name="piratexpiratenftsgamemedium-7264" /><ref name="pxpnftsgametwitter-7265" /><ref name="piratexpiratenftsgamemedium-7266" /><ref name="web3isgoinggreat-7267" /><ref name="blocksecteamtwitter-7268" /><ref name="thebittimes-7269" /><ref name="bscscan-7270" /><ref name="bscscan-7271" /><ref name="bscscan-7272" /><ref name="bscscan-7273" /><ref name="bscscan-7274" /><ref name="shinchanieoalertsmedium-7275" />
=== Lack Of Smart Contract Audit ===
TBD - Confirm that Pirate X Pirate was not audited.


== About Pirate X Pirate ==
== What Happened ==
"Pirate X Pirate is a Blockchain gaming platform with a pirate theme. It is a world where you earn through your adventures across the high seas. Recruit your crew, form your fleet, and test your prowess battling against other pirates to earn money. With your fleet, you will participate in building a pirate metaverse with its own self-contained economy."
The private key of the Pirate X Pirate NFT project was used to extract a profit.
{| class="wikitable"
|+Key Event Timeline - Pirate X Pirate Private Key Leak
!Date
!Event
!Description
|-
|January 20th, 2022 2:00:00 PM MST
|Shinchanieoalerts Interview
|Interview with Pirate X Pirate founding team<ref name="shinchanieoalertsmedium-7275" />.
|-
|March 8th, 2022 2:15:00 PM MST
|Test Transaction
|What appears to be a smaller test of the exploit<ref name="bscscan-7272" />. TBD review SlowMist information<ref name="slowmist-2069" />. This is the date that Pirate X Pirate attributes as the date of the exploit<ref name="piratexpiratenftsgamemedium-7266" />.
|-
|March 8th, 2022 3:51:22 PM MST
|Exploit Transaction
|The Pirate X Pirate smart contract is exploited<ref name="bscscan-7271" />. "A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."<ref name="piratexpiratenftsgamemedium-7266" />
|-
|March 9th, 2022 1:27:00 AM MST
|BlockSecTeam Twitter Thread
|The BlockSecTeam posts an analysis of the exploit on Twitter, suspecting that the private keys of the team have been breached<ref name="blocksecteamtwitter-7268" />.
|-
|March 9th, 2022 8:20:00 AM MST
|Sincerest Apologies
|Pirate X Pirate tweets promising their sincerest apologies for the recent hacking event<ref name="pxpnftsgametwitter-7265" /> and provided a more detailed plan on their Medium<ref name="piratexpiratenftsgamemedium-7266" />. TBD review Medium.
|-
|March 10th, 2022 4:00:00 PM MST
|Web3IsGoingGreat
|The Web3IsGoingGreat picks up the story and shares an article on the situation<ref name="web3isgoinggreat-7267" /><ref name=":0">[https://twitter.com/web3isgreat/status/1502056823247056914 web3isgreat - "A trader ends up owing $3600 after an exchange mistakenly deposits 10 Bitcoin in their account" - Twitter] (Apr 25, 2023)</ref>. TBD story has changed over time?
|-
|March 11th, 2022 10:03:23 PM MST
|QuillAudits Includes Summary
|QuillAudits reports that PirateX experienced an attack where users' deposited tokens were redirected to an external account. However, when users withdrew their tokens, the funds were returned to them through the smart contract's Transferfrom function. The attacker managed to profit 212 BNB through this exploit<ref name="quillhashmedium-7261">[https://medium.com/quillhash/fantom-based-protocol-fantasm-suffers-2-6m-exploit-32de8191ccd4 Fantom Based Protocol Fantasm Suffers 2 6m Exploit - QuillAudits] (Mar 17, 2022)</ref>.
|-
|March 15th, 2022 5:21:00 AM MDT
|Community Thank You
|Pirate X Pirate releases "[a] hearty thank to all of you who stay on board with us"<ref name="pxpnftsgametwitter-7263" /> and provide a link to a Medium article with the schedule going forward<ref name="piratexpiratenftsgamemedium-7264" />. TBD details from Medium.
|-
|June 9th, 2022 6:36:55 AM MDT
|Shared On Reddit With Audit
|A post about Pirate X Pirate is shared on Reddit, emphasizing the protocol being audited by Hacken<ref name=":1">[https://old.reddit.com/r/dao/comments/v8fw8r/pirate_x_pirate_audited_by_hacken_pirate_based/ epuril - "Pirate X Pirate | Audited by Hacken | Pirate based P2E/P2P NFT Game |NFT Marketplace LIVE! | From the creators of Biggest Siam Board Games (Thailand) | 0% Buy/SellTax| CEX listing incoming |Alot of Future Partnerships Coming | Players earning dollars daily!" - Reddit] (Jul 7, 2023)</ref>.
|}


== Technical Details ==
"The pledge contract of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account. When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back."
"The pledge contract of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account. When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back."


"The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." "The staking contract of Pirate X Pirate was attacked by an attacker, resulting in the loss of the PXP token. When user deposit their PXP token into this contract, their token will be transferred into an EOA account. The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens. When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer and withdraw 9,681,000 PXP tokens."
"The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." "The staking contract of Pirate X Pirate was attacked by an attacker, resulting in the loss of the PXP token. When user deposit their PXP token into this contract, their token will be transferred into an EOA account. The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens. When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer and withdraw 9,681,000 PXP tokens."
=== BlockSecTeam Report ===
The BlockSetTeam reported about the situation on Twitter<ref name="blocksecteamtwitter-7268" />.<blockquote>1/5) The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack).
2/5) The staking contract of Pirate X Pirate (0x6912B19401913F1bd5020b3f59EE986c5792DA54) was attacked by an attacker, resulting in the loss of the PXP token.
3/5) When user deposit their PXP token into this contract, their token will be transferred into an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens.
4/5) When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer (0x7435e0e4c4d10988e8821dc4853d1db2eceb176d) and withdraw 9,681,000 PXP tokens.
5/5) The attacker dumped these tokens into the market, got a profit of about 212 BNB.</blockquote>
== Total Amount Lost ==
The total amount lost has been estimated at $83,000 USD.
<ref name="coinmarketcap-6470" />
Pirate X Pirate Smart Contract: <ref name="bscscan-7270" /> Staking Contract: <ref name="bscscan-7273" /> EOA Account: <ref name="bscscan-7274" />
212 BNB<ref name="quillhashmedium-7261" />


"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."
"The attacker [sold off] more than 9.6 million $PXP" "The attackers put these tokens on the market and made a profit of about 212 BNB."
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
== Immediate Reactions ==
=== Announcement By Pirate X Pirate Team ===
"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."
"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."


Line 21: Line 102:
"To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded."
"To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded."


"The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month."
=== Sincerest Apologies ===
The Pirate X Pirate team acknowledged the exploit on Twitter and offered their sincerest apologies to those affected<ref name="pxpnftsgametwitter-7265" />. This linked to a more detailed medium post<ref name="piratexpiratenftsgamemedium-7266" />.<blockquote>Our sincerest apologies for the hacking incident. The PXP Statement Regarding the Hacking Incident and Remedies is attached below.
 
Please accept our sincere apologies for the hacking incident recently taking place at 21:13 UTC. A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply.
 
Initially, PXP Team is implementing remedial measures as follows:
 
PXP Team has bought back the total of $PXP 9,681,000 which will be returned to the reward pool.
 
Such attack could happen due to the team’s utter carelessness to launch the conversion feature despite of its vulnerability. We deeply regret bypassing the inspection that should have been done by a white hat hacker as we intended to roll out the feature long-suspended as fast as we could. We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities.


"The estimated downtime was too long for us to consider the best option given our situation. We finally reached a conclusion to implement our contingency plan that would provide the most secure yet readily available solution in the meantime; The Withdrawal System will require you to submit a withdrawal request (converting $GOLD to $PXP) which will be verified and approved within 24 hours. Once approved, $PXP will be sent to your wallet. Players no longer need to pay gas fees for withdrawal. Players cannot convert $PXP to $GOLD for the time being."
To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded.


"A hearty thank to all of you who stay on board with us."
Finally, PXP Team is truly sorry for the mistakes that caused an uproar among our valued community. You will be informed about the updated plans soon.</blockquote>


This is a global/international case not involving a specific country.
=== Web3IsGoingGreat ===
Web3IsGoingGreat picked up and ran an article on the situation<ref name="web3isgoinggreat-7267" /><ref name=":0" />.<blockquote>The Pirate X Pirate blockchain gaming platform was exploited, with an attacker selling of more than 9.6 million $PXP. They were able to dump the tokens into the market for a profit of around 212 BNB ($78,000). In a blog post following the incident, Pirate X Pirate wrote, "Such attack could happen due to the team's utter carelessness to launch the conversion feature despite of its vulnerability. We deeply regret bypassing the inspection that should have been done by a white hat hacker as we intended to roll out the feature long-suspended as fast as we could. We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities." They also announced that they had bought back the total $PXP that were stolen, and would be undergoing an audit.</blockquote>


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
== Ultimate Outcome ==


Include:


* Known history of when and how the service was started.
"The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month."
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.


Don't Include:
"The estimated downtime was too long for us to consider the best option given our situation. We finally reached a conclusion to implement our contingency plan that would provide the most secure yet readily available solution in the meantime; The Withdrawal System will require you to submit a withdrawal request (converting $GOLD to $PXP) which will be verified and approved within 24 hours. Once approved, $PXP will be sent to your wallet. Players no longer need to pay gas fees for withdrawal. Players cannot convert $PXP to $GOLD for the time being."
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.


== The Reality ==
"A hearty thank to all of you who stay on board with us."
This sections is included if a case involved deception or information that was unknown at the time. Examples include:


* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.


== What Happened ==
=== A Hearty Thank You ===
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Pirate X Pirate ultimately released a Tweet thanking their community and announcing their plans for the future<ref name="pxpnftsgametwitter-7263" /><ref name="piratexpiratenftsgamemedium-7264" />.<blockquote>Dear all Pirate Mateys,
{| class="wikitable"
|+Key Event Timeline - Pirate X Pirate Private Key Leak
!Date
!Event
!Description
|-
|March 8th, 2022 3:51:22 PM MST
|Main Event
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
|-
|
|
|
|}


== Total Amount Lost ==
A hearty thank to all of you who stay on board with us. After the hacking incident, we have re-planned our schedules. Check out our new updates regarding the new withdrawal system and other features
The total amount lost has been estimated at $83,000 USD.


How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month.</blockquote>Third Party Reports


== Immediate Reactions ==
<ref name="quillhashmedium-7261" />
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?


== Ultimate Outcome ==
<ref name=":1" />
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?


== Total Amount Recovered ==
== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.
There do not appear to have been any funds recovered in this case.


What funds were recovered? What funds were reimbursed for those affected users?
== Ongoing Developments ==
 


== Ongoing Developments ==
TBD
What parts of this case are still remaining to be concluded?
== General Prevention Policies ==
Clearly, the issue here is that control over the smart contract needs to be in a multi-signature arrangement, to prevent a single individual being exploited or acting maliciously. All key holders need to be trained on how to properly protect their key.
== Individual Prevention Policies ==
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
The Pirate X Pirate smart contract should have been thoroughly audited and funds should have been under the control of a sufficiently strong multi-signature wallet. Users have a responsibility to exercise stronger diligence when using decentralized applications. More information should be requested from platforms.
 
{{Prevention:Individuals:Safe Smart Contract Usage}}


{{Prevention:Individuals:End}}
{{Prevention:Individuals:End}}


== Platform Prevention Policies ==
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
The primary issue here is that control over the smart contract needs to be in a multi-signature arrangement, to prevent a single individual being exploited or acting maliciously. All key holders also need to be trained on how to properly protect their key.


{{Prevention:Platforms:End}}
{{Prevention:Platforms:Implement Multi-Signature}}


== Regulatory Prevention Policies ==
Platforms will likely benefit from having a third party check over their setup and understanding.
{{Prevention:Regulators:Placeholder}}
 
{{Prevention:Regulators:End}}


== References ==
{{Prevention:Platforms:Regular Audit Procedures}}
<references><ref name="slowmist-2069">[https://hacked.slowmist.io/en/ SlowMist Hacked - SlowMist Zone] (Jun 26, 2021)</ref>


<ref name="piratexpirate-7262">[https://piratexpirate.io/ https://piratexpirate.io/] (Mar 17, 2022)</ref>
An industry insurance fund can assist with assessing validators and in the event of further issues.


<ref name="coinmarketcap-6470">[https://coinmarketcap.com/currencies/bnb/historical-data/ https://coinmarketcap.com/currencies/bnb/historical-data/] (Feb 15, 2022)</ref>
{{Prevention:Platforms:Establish Industry Insurance Fund}}


<ref name="pxpnftsgametwitter-7263">[https://twitter.com/PXPNFTsGame/status/1503692871874256897 @PXPNFTsGame Twitter] (Mar 18, 2022)</ref>
{{Prevention:Platforms:End}}


<ref name="piratexpiratenftsgamemedium-7264">[https://medium.com/@PirateXPirateNFTsGame/withdrawal-system-and-march-update-plans-f565b09990a2 https://medium.com/@PirateXPirateNFTsGame/withdrawal-system-and-march-update-plans-f565b09990a2] (Mar 18, 2022)</ref>
== Regulatory Prevention Policies ==
This issue could have been prevented by ensuring that authority was under multi-signature control, and that all operators were aware of the proper procedures to safeguard their private keys.


<ref name="pxpnftsgametwitter-7265">[https://twitter.com/PXPNFTsGame/status/1501578592475820032 @PXPNFTsGame Twitter] (Mar 18, 2022)</ref>
{{Prevention:Regulators:Platform Security Assessments}}


<ref name="piratexpiratenftsgamemedium-7266">[https://medium.com/@PirateXPirateNFTsGame/pxp-statement-regarding-the-hacking-incident-and-remedies-44dc97ee0352 https://medium.com/@PirateXPirateNFTsGame/pxp-statement-regarding-the-hacking-incident-and-remedies-44dc97ee0352] (Mar 18, 2022)</ref>
The insurance system is important, both to incentivize the selection of competent validators and to handle events which are unforeseen.


<ref name="web3isgoinggreat-7267">[https://web3isgoinggreat.com/single/2022-03-09-3 Pirate X Pirate blockchain gaming platform exploited, blames its team's "utter carelessness"] (Mar 18, 2022)</ref>
{{Prevention:Regulators:Establish Industry Insurance Fund}}


<ref name="blocksecteamtwitter-7268">[https://twitter.com/BlockSecTeam/status/1501474711599198211 @BlockSecTeam Twitter] (Mar 18, 2022)</ref>
{{Prevention:Regulators:End}}


== References ==
<references>
<ref name="slowmist-2069">[https://web.archive.org/web/20230425221549/https://hacked.slowmist.io/?c=&page=18 SlowMist Hacked - SlowMist Zone Archive April 25th, 2023 4:15:49 PM MDT] (Jun 26, 2021)</ref>
<ref name="piratexpirate-7262">https://piratexpirate.io/ (Mar 17, 2022)</ref>
<ref name="coinmarketcap-6470">https://coinmarketcap.com/currencies/bnb/historical-data/ (Feb 15, 2022)</ref>
<ref name="pxpnftsgametwitter-7263">[https://twitter.com/PXPNFTsGame/status/1503692871874256897 PXPNFTsGame - "A hearty thank to all of you who stay on board with us. After the hacking incident, we have re-planned our schedules." - Twitter] (Mar 18, 2022)</ref>
<ref name="piratexpiratenftsgamemedium-7264">[https://medium.com/@PirateXPirateNFTsGame/withdrawal-system-and-march-update-plans-f565b09990a2 Withdrawal System and March Update Plans - Pirate X Pirate Medium] (Mar 18, 2022)</ref>
<ref name="pxpnftsgametwitter-7265">[https://twitter.com/PXPNFTsGame/status/1501578592475820032 PXPNFTsGame - "Our sincerest apologies for the hacking incident. The PXP Statement Regarding the Hacking Incident and Remedies is attached below." - Twitter] (Mar 18, 2022)</ref>
<ref name="piratexpiratenftsgamemedium-7266">[https://medium.com/@PirateXPirateNFTsGame/pxp-statement-regarding-the-hacking-incident-and-remedies-44dc97ee0352 PXP Statement Regarding the Hacking Incident and Remedies - Pirate X Pirate Medium] (Mar 18, 2022)</ref>
<ref name="web3isgoinggreat-7267">[https://web3isgoinggreat.com/single/2022-03-09-3 Pirate X Pirate blockchain gaming platform exploited, blames its team's "utter carelessness" - Web3IsGoingGreat] (Mar 18, 2022)</ref>
<ref name="blocksecteamtwitter-7268">[https://twitter.com/BlockSecTeam/status/1501474711599198211 BlockSecTeam - "The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." - Twitter] (Mar 18, 2022)</ref>
<ref name="thebittimes-7269">[https://thebittimes.com/token-PXP-BSC-0x93c27727e72ec7510a06ea450366c1418c4ce547.html Pirate X Pirate( PXP ) info, Pirate X Pirate( PXP ) chart, market cap, and price | TheBitTimes.Com] (Mar 18, 2022)</ref>
<ref name="thebittimes-7269">[https://thebittimes.com/token-PXP-BSC-0x93c27727e72ec7510a06ea450366c1418c4ce547.html Pirate X Pirate( PXP ) info, Pirate X Pirate( PXP ) chart, market cap, and price | TheBitTimes.Com] (Mar 18, 2022)</ref>
 
<ref name="bscscan-7270">[https://bscscan.com/address/0x93c27727e72ec7510a06ea450366c1418c4ce547 Pirate X Pirate Smart Contract - BscScan] (Mar 18, 2022)</ref>
<ref name="bscscan-7270">[https://bscscan.com/address/0x93c27727e72ec7510a06ea450366c1418c4ce547 https://bscscan.com/address/0x93c27727e72ec7510a06ea450366c1418c4ce547] (Mar 18, 2022)</ref>
<ref name="bscscan-7271">[https://bscscan.com/tx/0xde5336456fbf568c009f5ff4961e2469bfae69c3425f34789190c264ba40ce96 Pirate X Pirate Exploit Transaction - BscScan] (Mar 18, 2022)</ref>
 
<ref name="bscscan-7272">[https://bscscan.com/tx/0x1306a5044ba7854d37e0f837daaeffd4e4f9cd2f76024307a4c427b9088dd7cc Smaller Test Exploit Transaction - BscScan] (Mar 18, 2022)</ref>
<ref name="bscscan-7271">[https://bscscan.com/tx/0xde5336456fbf568c009f5ff4961e2469bfae69c3425f34789190c264ba40ce96 https://bscscan.com/tx/0xde5336456fbf568c009f5ff4961e2469bfae69c3425f34789190c264ba40ce96] (Mar 18, 2022)</ref>
<ref name="bscscan-7273">[https://bscscan.com/address/0x6912B19401913F1bd5020b3f59EE986c5792DA54 Pirate X Pirate Staking Contract - BscScan] (Mar 18, 2022)</ref>
 
<ref name="bscscan-7274">[https://bscscan.com/address/0x3b74a9cb5f1399b4a5a02559e67da37d450067b7 Pirate X Pirate EOA Account - BSCScan] (Mar 18, 2022)</ref>
<ref name="bscscan-7272">[https://bscscan.com/tx/0x1306a5044ba7854d37e0f837daaeffd4e4f9cd2f76024307a4c427b9088dd7cc https://bscscan.com/tx/0x1306a5044ba7854d37e0f837daaeffd4e4f9cd2f76024307a4c427b9088dd7cc] (Mar 18, 2022)</ref>
<ref name="shinchanieoalertsmedium-7275">[https://shinchanieoalerts.medium.com/pirate-x-pirate-ama-summary-recap-with-shin-chan-community-af3448b2fe4c Pirate X Pirate Ama Summary Recap With Shin Chan Community - Shinchanieoalerts] (Mar 18, 2022)</ref>
 
</references>
<ref name="bscscan-7273">[https://bscscan.com/address/0x6912B19401913F1bd5020b3f59EE986c5792DA54 https://bscscan.com/address/0x6912B19401913F1bd5020b3f59EE986c5792DA54] (Mar 18, 2022)</ref>
 
<ref name="bscscan-7274">[https://bscscan.com/address/0x3b74a9cb5f1399b4a5a02559e67da37d450067b7 https://bscscan.com/address/0x3b74a9cb5f1399b4a5a02559e67da37d450067b7] (Mar 18, 2022)</ref>
 
<ref name="shinchanieoalertsmedium-7275">[https://shinchanieoalerts.medium.com/pirate-x-pirate-ama-summary-recap-with-shin-chan-community-af3448b2fe4c Pirate X Pirate Ama Summary Recap With Shin Chan Community] (Mar 18, 2022)</ref></references>

Latest revision as of 11:05, 10 July 2023

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Pirate X Pirate

The Pirate X Pirate NFT game suffered a breach that resulted in 212 BNB (~$83k USD) worth of funds being taken. The breach appears to be the result of a private key leak, and very limited details have been published on how the key may have leaked. The company has instead fired their development team and hired external contract auditors.

About Pirate X Pirate

[1][2][3][4][5][6]

"Pirate X Pirate is a Blockchain gaming platform with a pirate theme. It is a world where you earn through your adventures across the high seas. Recruit your crew, form your fleet, and test your prowess battling against other pirates to earn money. With your fleet, you will participate in building a pirate metaverse with its own self-contained economy."

The Reality

Uncertainty Around Developer Team

TBD - The team was later fired and replaced.

Lack Of Smart Contract Audit

TBD - Confirm that Pirate X Pirate was not audited.

What Happened

The private key of the Pirate X Pirate NFT project was used to extract a profit.

Key Event Timeline - Pirate X Pirate Private Key Leak
Date Event Description
January 20th, 2022 2:00:00 PM MST Shinchanieoalerts Interview Interview with Pirate X Pirate founding team[6].
March 8th, 2022 2:15:00 PM MST Test Transaction What appears to be a smaller test of the exploit[7]. TBD review SlowMist information[8]. This is the date that Pirate X Pirate attributes as the date of the exploit[9].
March 8th, 2022 3:51:22 PM MST Exploit Transaction The Pirate X Pirate smart contract is exploited[10]. "A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."[9]
March 9th, 2022 1:27:00 AM MST BlockSecTeam Twitter Thread The BlockSecTeam posts an analysis of the exploit on Twitter, suspecting that the private keys of the team have been breached[11].
March 9th, 2022 8:20:00 AM MST Sincerest Apologies Pirate X Pirate tweets promising their sincerest apologies for the recent hacking event[12] and provided a more detailed plan on their Medium[9]. TBD review Medium.
March 10th, 2022 4:00:00 PM MST Web3IsGoingGreat The Web3IsGoingGreat picks up the story and shares an article on the situation[13][14]. TBD story has changed over time?
March 11th, 2022 10:03:23 PM MST QuillAudits Includes Summary QuillAudits reports that PirateX experienced an attack where users' deposited tokens were redirected to an external account. However, when users withdrew their tokens, the funds were returned to them through the smart contract's Transferfrom function. The attacker managed to profit 212 BNB through this exploit[15].
March 15th, 2022 5:21:00 AM MDT Community Thank You Pirate X Pirate releases "[a] hearty thank to all of you who stay on board with us"[16] and provide a link to a Medium article with the schedule going forward[17]. TBD details from Medium.
June 9th, 2022 6:36:55 AM MDT Shared On Reddit With Audit A post about Pirate X Pirate is shared on Reddit, emphasizing the protocol being audited by Hacken[18].

Technical Details

"The pledge contract of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account. When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back."

"The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." "The staking contract of Pirate X Pirate was attacked by an attacker, resulting in the loss of the PXP token. When user deposit their PXP token into this contract, their token will be transferred into an EOA account. The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens. When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer and withdraw 9,681,000 PXP tokens."

BlockSecTeam Report

The BlockSetTeam reported about the situation on Twitter[11].

1/5) The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack).

2/5) The staking contract of Pirate X Pirate (0x6912B19401913F1bd5020b3f59EE986c5792DA54) was attacked by an attacker, resulting in the loss of the PXP token.

3/5) When user deposit their PXP token into this contract, their token will be transferred into an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). The contract will call `Transferfrom` to transfer these funds back when user withdraw their tokens.

4/5) When users withdraw their funds, they will submit a signature signed by a singer controlled by the project. The attacker provided a valid sign of the external signer (0x7435e0e4c4d10988e8821dc4853d1db2eceb176d) and withdraw 9,681,000 PXP tokens.

5/5) The attacker dumped these tokens into the market, got a profit of about 212 BNB.

Total Amount Lost

The total amount lost has been estimated at $83,000 USD.

[19]

Pirate X Pirate Smart Contract: [3] Staking Contract: [4] EOA Account: [5]

212 BNB[15]

"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."

"The attacker [sold off] more than 9.6 million $PXP" "The attackers put these tokens on the market and made a profit of about 212 BNB."


How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

Announcement By Pirate X Pirate Team

"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply."

"The attacker [sold off] more than 9.6 million $PXP" "The attackers put these tokens on the market and made a profit of about 212 BNB."

"PXP Team has bought back the total of $PXP 9,681,000 which will be returned to the reward pool." "We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities."

"To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded."

Sincerest Apologies

The Pirate X Pirate team acknowledged the exploit on Twitter and offered their sincerest apologies to those affected[12]. This linked to a more detailed medium post[9].

Our sincerest apologies for the hacking incident. The PXP Statement Regarding the Hacking Incident and Remedies is attached below.

Please accept our sincere apologies for the hacking incident recently taking place at 21:13 UTC. A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000 which is accounted to 0.9681% of the total supply.

Initially, PXP Team is implementing remedial measures as follows:

PXP Team has bought back the total of $PXP 9,681,000 which will be returned to the reward pool.

Such attack could happen due to the team’s utter carelessness to launch the conversion feature despite of its vulnerability. We deeply regret bypassing the inspection that should have been done by a white hat hacker as we intended to roll out the feature long-suspended as fast as we could. We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities.

To ensure the security of the system and prevent such issue from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion concluded.

Finally, PXP Team is truly sorry for the mistakes that caused an uproar among our valued community. You will be informed about the updated plans soon.

Web3IsGoingGreat

Web3IsGoingGreat picked up and ran an article on the situation[13][14].

The Pirate X Pirate blockchain gaming platform was exploited, with an attacker selling of more than 9.6 million $PXP. They were able to dump the tokens into the market for a profit of around 212 BNB ($78,000). In a blog post following the incident, Pirate X Pirate wrote, "Such attack could happen due to the team's utter carelessness to launch the conversion feature despite of its vulnerability. We deeply regret bypassing the inspection that should have been done by a white hat hacker as we intended to roll out the feature long-suspended as fast as we could. We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities." They also announced that they had bought back the total $PXP that were stolen, and would be undergoing an audit.

Ultimate Outcome

"The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month."

"The estimated downtime was too long for us to consider the best option given our situation. We finally reached a conclusion to implement our contingency plan that would provide the most secure yet readily available solution in the meantime; The Withdrawal System will require you to submit a withdrawal request (converting $GOLD to $PXP) which will be verified and approved within 24 hours. Once approved, $PXP will be sent to your wallet. Players no longer need to pay gas fees for withdrawal. Players cannot convert $PXP to $GOLD for the time being."

"A hearty thank to all of you who stay on board with us."


A Hearty Thank You

Pirate X Pirate ultimately released a Tweet thanking their community and announcing their plans for the future[16][17].

Dear all Pirate Mateys,

A hearty thank to all of you who stay on board with us. After the hacking incident, we have re-planned our schedules. Check out our new updates regarding the new withdrawal system and other features

The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month.

Third Party Reports

[15]

[18]

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

The Pirate X Pirate smart contract should have been thoroughly audited and funds should have been under the control of a sufficiently strong multi-signature wallet. Users have a responsibility to exercise stronger diligence when using decentralized applications. More information should be requested from platforms.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary issue here is that control over the smart contract needs to be in a multi-signature arrangement, to prevent a single individual being exploited or acting maliciously. All key holders also need to be trained on how to properly protect their key.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Platforms will likely benefit from having a third party check over their setup and understanding.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

An industry insurance fund can assist with assessing validators and in the event of further issues.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

This issue could have been prevented by ensuring that authority was under multi-signature control, and that all operators were aware of the proper procedures to safeguard their private keys.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

The insurance system is important, both to incentivize the selection of competent validators and to handle events which are unforeseen.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. https://piratexpirate.io/ (Mar 17, 2022)
  2. Pirate X Pirate( PXP ) info, Pirate X Pirate( PXP ) chart, market cap, and price | TheBitTimes.Com (Mar 18, 2022)
  3. 3.0 3.1 Pirate X Pirate Smart Contract - BscScan (Mar 18, 2022)
  4. 4.0 4.1 Pirate X Pirate Staking Contract - BscScan (Mar 18, 2022)
  5. 5.0 5.1 Pirate X Pirate EOA Account - BSCScan (Mar 18, 2022)
  6. 6.0 6.1 Pirate X Pirate Ama Summary Recap With Shin Chan Community - Shinchanieoalerts (Mar 18, 2022)
  7. Smaller Test Exploit Transaction - BscScan (Mar 18, 2022)
  8. SlowMist Hacked - SlowMist Zone Archive April 25th, 2023 4:15:49 PM MDT (Jun 26, 2021)
  9. 9.0 9.1 9.2 9.3 PXP Statement Regarding the Hacking Incident and Remedies - Pirate X Pirate Medium (Mar 18, 2022)
  10. Pirate X Pirate Exploit Transaction - BscScan (Mar 18, 2022)
  11. 11.0 11.1 BlockSecTeam - "The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)." - Twitter (Mar 18, 2022)
  12. 12.0 12.1 PXPNFTsGame - "Our sincerest apologies for the hacking incident. The PXP Statement Regarding the Hacking Incident and Remedies is attached below." - Twitter (Mar 18, 2022)
  13. 13.0 13.1 Pirate X Pirate blockchain gaming platform exploited, blames its team's "utter carelessness" - Web3IsGoingGreat (Mar 18, 2022)
  14. 14.0 14.1 web3isgreat - "A trader ends up owing $3600 after an exchange mistakenly deposits 10 Bitcoin in their account" - Twitter (Apr 25, 2023)
  15. 15.0 15.1 15.2 Fantom Based Protocol Fantasm Suffers 2 6m Exploit - QuillAudits (Mar 17, 2022)
  16. 16.0 16.1 PXPNFTsGame - "A hearty thank to all of you who stay on board with us. After the hacking incident, we have re-planned our schedules." - Twitter (Mar 18, 2022)
  17. 17.0 17.1 Withdrawal System and March Update Plans - Pirate X Pirate Medium (Mar 18, 2022)
  18. 18.0 18.1 epuril - "Pirate X Pirate | Audited by Hacken | Pirate based P2E/P2P NFT Game |NFT Marketplace LIVE! | From the creators of Biggest Siam Board Games (Thailand) | 0% Buy/SellTax| CEX listing incoming |Alot of Future Partnerships Coming | Players earning dollars daily!" - Reddit (Jul 7, 2023)
  19. https://coinmarketcap.com/currencies/bnb/historical-data/ (Feb 15, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Pirate_X_Pirate_Private_Key_Leak&oldid=4780"