Axion Staking Inside Job: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/axionstakinginsidejob.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/axionstakinginsidejob.php}} | ||
{{Unattributed | {{Unattributed Sources}} | ||
[[File:Axionstaking.jpg|thumb|Axion Staking]]One developer modified the software, and later used an exploit they had introduced to remove funds. | [[File:Axionstaking.jpg|thumb|Axion Staking]]One developer modified the software, and later used an exploit they had introduced to remove funds. | ||
| Line 6: | Line 6: | ||
The exploit was not caught despite multiple auditors reviewing the code. The developer was dumb enough to exploit it immediately and had no concrete escape plan. | The exploit was not caught despite multiple auditors reviewing the code. The developer was dumb enough to exploit it immediately and had no concrete escape plan. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="cryptobriefing-576" /><ref name="hackmd-776" /><ref name="newsdotbitcoin-777" /><ref name="techloot-778" /><ref name="cryptobriefing-779" /><ref name="cryptobriefing-780" /><ref name="axionnetwork-781" /><ref name="axionnetworktwitter-782" /><ref name="axionnetworktwitter-783" /><ref name="axionnetworktwitter-784" /><ref name="axionnetworktwitter-785" /><ref name="docdroid-786" /><ref name="googledrive-787" /><ref name="ciphertrace-1152" /><ref name="slowmisthacked-678" /> | ||
<ref name="cryptobriefing-576" /><ref name="hackmd-776" /><ref name="newsdotbitcoin-777" /><ref name="techloot-778" /><ref name="cryptobriefing-779" /><ref name="cryptobriefing-780" /><ref name="axionnetwork-781" /><ref name="axionnetworktwitter-782" /><ref name="axionnetworktwitter-783" /><ref name="axionnetworktwitter-784" /><ref name="axionnetworktwitter-785" /><ref name="docdroid-786" /><ref name="googledrive-787" /><ref name="ciphertrace-1152" /><ref name="slowmisthacked-678" /> | |||
== About Axion Staking == | == About Axion Staking == | ||
| Line 71: | Line 70: | ||
!Description | !Description | ||
|- | |- | ||
|November 2nd, 2020 | |November 2nd, 2020 | ||
|Main Event | |Main Event | ||
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
| Line 79: | Line 78: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 98: | Line 100: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
== Prevention Policies == | |||
This is another example which demonstrates just how challenging detecting problems in a smart contract is. | This is another example which demonstrates just how challenging detecting problems in a smart contract is. | ||
| Line 105: | Line 106: | ||
The proper storage of funds should be in a multi-signature wallet with offline storage. | The proper storage of funds should be in a multi-signature wallet with offline storage. | ||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
<references><ref name="cryptobriefing-576">[https://cryptobriefing.com/defi-project-akropolis-lost-2-million-heres-what-theyre-doing-about-it/ DeFi Project Akropolis Just Lost $2 Million. Here's What They're Doing About It. | Crypto Briefing] (May | <references><ref name="cryptobriefing-576">[https://cryptobriefing.com/defi-project-akropolis-lost-2-million-heres-what-theyre-doing-about-it/ DeFi Project Akropolis Just Lost $2 Million. Here's What They're Doing About It. | Crypto Briefing] (May 16, 2021)</ref> | ||
<ref name="hackmd-776">[https://hackmd.io/3mpGBcT2Qhaaw_L6OaNm4Q Axion Network Incident - HackMD] (May | <ref name="hackmd-776">[https://hackmd.io/3mpGBcT2Qhaaw_L6OaNm4Q Axion Network Incident - HackMD] (May 16, 2021)</ref> | ||
<ref name="newsdotbitcoin-777">[https://news.bitcoin.com/axions-launch-is-going-to-make-crypto-believers-out-of-mainstream-investors/ Axion's Launch is Going to Make Crypto-Believers out of Mainstream Investors – Sponsored Bitcoin News] (May | <ref name="newsdotbitcoin-777">[https://news.bitcoin.com/axions-launch-is-going-to-make-crypto-believers-out-of-mainstream-investors/ Axion's Launch is Going to Make Crypto-Believers out of Mainstream Investors – Sponsored Bitcoin News] (May 22, 2021)</ref> | ||
<ref name="techloot-778">[https://techloot.co.uk/meet-axion-cryptocurrency/ Meet Axion - Your Cryptocurrency Key to a Long-Term Income Stream | Tech Loot] (May | <ref name="techloot-778">[https://techloot.co.uk/meet-axion-cryptocurrency/ Meet Axion - Your Cryptocurrency Key to a Long-Term Income Stream | Tech Loot] (May 22, 2021)</ref> | ||
<ref name="cryptobriefing-779">[https://cryptobriefing.com/axion-attack-inside-job-certik-says/ Axion Attack Was an Inside Job, CertiK Says | Crypto Briefing] (May | <ref name="cryptobriefing-779">[https://cryptobriefing.com/axion-attack-inside-job-certik-says/ Axion Attack Was an Inside Job, CertiK Says | Crypto Briefing] (May 22, 2021)</ref> | ||
<ref name="cryptobriefing-780">[https://cryptobriefing.com/hex-airdrop-token-collapses-100-upon-delivery/ HEX Airdrop Token Collapses 100% on Delivery | Crypto Briefing] (May | <ref name="cryptobriefing-780">[https://cryptobriefing.com/hex-airdrop-token-collapses-100-upon-delivery/ HEX Airdrop Token Collapses 100% on Delivery | Crypto Briefing] (May 22, 2021)</ref> | ||
<ref name="axionnetwork-781">[https://axion.network/ Axion Network] (May | <ref name="axionnetwork-781">[https://axion.network/ Axion Network] (May 22, 2021)</ref> | ||
<ref name="axionnetworktwitter-782">[https://twitter.com/axion_network/status/1323326951063392256 @axion_network Twitter] (May | <ref name="axionnetworktwitter-782">[https://twitter.com/axion_network/status/1323326951063392256 @axion_network Twitter] (May 22, 2021)</ref> | ||
<ref name="axionnetworktwitter-783">[https://twitter.com/axion_network/status/1323670049278681088 @axion_network Twitter] (May | <ref name="axionnetworktwitter-783">[https://twitter.com/axion_network/status/1323670049278681088 @axion_network Twitter] (May 22, 2021)</ref> | ||
<ref name="axionnetworktwitter-784">[https://twitter.com/axion_network/status/1323665629077929984 @axion_network Twitter] (May | <ref name="axionnetworktwitter-784">[https://twitter.com/axion_network/status/1323665629077929984 @axion_network Twitter] (May 22, 2021)</ref> | ||
<ref name="axionnetworktwitter-785">[https://twitter.com/axion_network/status/1323810411821428737 @axion_network Twitter] (May | <ref name="axionnetworktwitter-785">[https://twitter.com/axion_network/status/1323810411821428737 @axion_network Twitter] (May 22, 2021)</ref> | ||
<ref name="docdroid-786">[https://www.docdroid.net/c39ie02/next-steps-for-axion-1-pdf Next Steps for Axion (1).pdf | DocDroid] (May | <ref name="docdroid-786">[https://www.docdroid.net/c39ie02/next-steps-for-axion-1-pdf Next Steps for Axion (1).pdf | DocDroid] (May 22, 2021)</ref> | ||
<ref name="googledrive-787">[https://drive.google.com/file/d/1RXCQNOwNUbUQTD34bctcNb29Y-vRTJxU/view Press Release_RNB.pdf - Google Drive] (May | <ref name="googledrive-787">[https://drive.google.com/file/d/1RXCQNOwNUbUQTD34bctcNb29Y-vRTJxU/view Press Release_RNB.pdf - Google Drive] (May 22, 2021)</ref> | ||
<ref name="ciphertrace-1152">[https://ciphertrace.com/wp-content/uploads/2021/01/CipherTrace-Cryptocurrency-Crime-and-Anti-Money-Laundering-Report-012821.pdf CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020] (Jun | <ref name="ciphertrace-1152">[https://ciphertrace.com/wp-content/uploads/2021/01/CipherTrace-Cryptocurrency-Crime-and-Anti-Money-Laundering-Report-012821.pdf CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020] (Jun 20, 2021)</ref> | ||
<ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May | <ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 18, 2021)</ref></references> | ||
Latest revision as of 11:57, 2 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
One developer modified the software, and later used an exploit they had introduced to remove funds.
The exploit was not caught despite multiple auditors reviewing the code. The developer was dumb enough to exploit it immediately and had no concrete escape plan.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About Axion Staking
"Axion marketed itself as an investment vehicle through which users could stake currency for a set period of time in exchange for high-yield returns. The “time-lock” nature of the investment meant users would be unable to access funds while staking." "Axion represents a new breed of cryptocurrency. It’s not a utility token or an attempt at replacing fiat currencies. It’s an investment vehicle that’s aimed at one of the biggest untapped markets left in the crypto-world: mainstream income investors." "It aims to lure both crypto-investing veterans and traditional investors with a stable and reliable return rate that’s unheard of in all but the riskiest markets. It’s because Axion isn’t just a cryptocurrency. It’s a time-locked investment system that’s purpose-built to generate a stable inflationary curve and to fight volatility to protect investors’ principal and deliver a high ROI."
"Axion is an ethical, community-driven cryptocurrency that rewards long-term investing with high-yield interest rates and weekly dividends." "Axion is a new cryptocurrency that’s aimed at investors who would like a crypto-powered investment vehicle that offers stable returns with less risk of precipitous losses. Axion does this by basing its prices on inflation – at an astounding 8% yearly inflation distributed to staked amounts, and by flipping the traditional cryptocurrency model on its head. That’s because it operates by paying rewards to holders of the currency that agree not to sell it for a defined period, rather than paying rewards to miners as traditional cryptocurrencies do."
"Rock’n’Block insisted on all sorts of third-party audits. As a result, two thorough code reviews were conducted by established security companies, Hacken and Certik, who detected no critical errors that could have affected the project. Besides, the source code of Axion contracts was open access because the project is open source."
"On the 2nd of November 2020 at approximately 11:00 AM +UTC a hacker managed to mint around ~80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract." "[O]ver 80 billion AXN tokens were unexpectedly minted and sold, netting the attacker more than 1,300 ETH worth over $500,000 at the time of writing." "The price of AXN immediately collapsed 100% from $0.00034079 to $0, according to CoinGecko."
"The Axion team stated that this was due to an exploit in the code, which was allegedly audited by five separate auditors before the project’s mainnet, according to the Axion website." "Despite claims that five different auditors cleared the code, an alleged exploit just sunk the price by 100%." "CertiK, a blockchain auditing outfit, has commented on yesterday’s Axion hack, revealing that the attacker exploited the project’s third-party dependencies. The auditors added that someone within the project likely carried out the attack."
"Actors involved in the Axion project injected malicious code prior to Axion’s deployment by altering its OpenZeppelin dependencies. The injected code allowed the attacker to freely mint 80 billion AXN tokens."
"To prepare for the attack, the hacker circulated 2.1 ETH on Tornado.cash for privacy. The attacker also purchased 700,000 HEX2T tokens as part of a “smokescreen,” CertiK says."
"Though the attack was sizable in terms of its dollar value, it is notable primarily because the hacker followed an unusual line of attack. It remains to be seen if hackers can imitate this line attack and carry it out against other blockchain projects."
"As you may have heard, RocknBlock was the development team hired by The Axion Foundation to build and deploy our new currency. Axion had three technical audits and two economic audits. The Axion Foundation, development team, and audit firms confirmed the code security and felt confident in the launch."
"At the moment, it is obvious that one of the engineers consciously substituted the code (which was tested and audited) for his own code containing the vulnerability. A few hours after the deployments, the suspect verified the code on etherscan, thus proving malicious intent - only with source code with a vulnerability can the contract be verified." "Then he took advantage of the vulnerability and withdrew the funds."
"For the mainnet launch, RocknBlock gave the deployment permission to one of their subcontractors. The Axion Foundation was not aware of this. This subcontractor, named Ilya Maximovich Solovyanov, injected malicious code into the clean and audited code. He then used an exploit to mint and sell 76 Billion tokens, thus draining the Axion uniswap liquidity pool."
"While this event has put a major speed bump on our path, Axion will relaunch stronger andmore resilient than ever. Everyone involved will be treated fairly. Everyone involved will be fairly compensated to the best of our abilities." "This was not a scam by Axion Foundation, and it was likely not one by RocknBlock, either. This was a single bad actor named Ilya Maximovich Solovyanov." "The RnB company has been working with him since February 2020. At the moment he is refusing to cooperate and has deleted his messages and social profiles." "The team is working closely with the local law enforcement to recover the funds this hacker and his group have already stolen."
"We will relaunch Axion and everyone who was holding or staking AXN/HEX2T will be able to claim at a 1:1 ratio." "We plan to relaunch as soon as feasibly possible and contact publications to share the full story. The audited code is sound. We simply need to figure out the best course to compensate those who staked, and build the pre-incident snapshot. This should not take long. We will have estimated timelines within the next 24 hours. If building it will take too long, we will do a manual process." "Everyone will be compensated as fairly and fully as possible. We’re still here and more resilient than ever. One man can not take us down, this community is strong. We will persist and grow stronger than ever."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| November 2nd, 2020 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $27,000,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
This is another example which demonstrates just how challenging detecting problems in a smart contract is.
Decentralized finance is a brand new area, and smart contracts are effectively hot wallets. They are not, in any way guaranteed in their security, even if audited.
The proper storage of funds should be in a multi-signature wallet with offline storage.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ DeFi Project Akropolis Just Lost $2 Million. Here's What They're Doing About It. | Crypto Briefing (May 16, 2021)
- ↑ Axion Network Incident - HackMD (May 16, 2021)
- ↑ Axion's Launch is Going to Make Crypto-Believers out of Mainstream Investors – Sponsored Bitcoin News (May 22, 2021)
- ↑ Meet Axion - Your Cryptocurrency Key to a Long-Term Income Stream | Tech Loot (May 22, 2021)
- ↑ Axion Attack Was an Inside Job, CertiK Says | Crypto Briefing (May 22, 2021)
- ↑ HEX Airdrop Token Collapses 100% on Delivery | Crypto Briefing (May 22, 2021)
- ↑ Axion Network (May 22, 2021)
- ↑ @axion_network Twitter (May 22, 2021)
- ↑ @axion_network Twitter (May 22, 2021)
- ↑ @axion_network Twitter (May 22, 2021)
- ↑ @axion_network Twitter (May 22, 2021)
- ↑ Next Steps for Axion (1).pdf | DocDroid (May 22, 2021)
- ↑ Press Release_RNB.pdf - Google Drive (May 22, 2021)
- ↑ CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20, 2021)
- ↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)