EOS SX Vault Breach
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
The EOS SX Vault is one of the largest smart contracts on the EOS chain. A hacker was able to exploit this smart contract, and steal significant funds.
The negotiation was to offer the attacker $100k to return the funds, which he refused. Rather than find a way to liquidate them and bring them off-chain, he split them into a lot of smaller accounts.
However, EOS as a chain contains a mechanism that allows funds to be seized by a community consensus. This was undertaken through a vote of the block producers, where they agreed to revert the damage, and take back the funds from the hacker to be distributed.
Compromised funds were ultimately distributed back to affected users.
This is a global/international case not involving a specific country.
About EOS SX Vault
"Vaults.sx is a yield aggregator where users can deposit EOS or USDT in return for interest-bearing SXEOS/SXUSDT tokens. The deposited tokens are then available in the flash.sx contract for flashloans and aggregate fees. Finally, SX tokens can be redeemed for a pro-rata share of the underlying funds + aggregated fees again."
"SX aims to build secure & reliable financial blockchain protocols for EOSIO blockchains." "SX Vaults follow interest yielding strategies that are designed to maximize the yield of the deposited asset and minimize risk."
"The vaults.sx and flash.sx smart contracts were open-source, MSIGed, and passed security audits, however the re-entry exploit was not identified."
"On May 14th, approximately 1.2M EOS and 462k USDT were stolen via a re-entry attack exploit from the smart contract of flash.sx, the flash loan service of SX Vault." "Approximately 1.2M EOS and 462,000 USDT was stolen in a re-entry attack exploit on the flash.sx flash loan smart contract that began on May 14 at 11:28 UTC."
"The vaults.sx contract on EOS mainnet has been exploited through a re-entrancy attack. 1,180,142.5653 EOS (~13M USD) and 461,796.8968 USDT were stolen making this the biggest hack on EOS."
"After a few hours, around 2:00 UTC, the Block Producers reached consensus, and through a Multi-Signature transaction they were able to change the owner and active permissions of all accounts created by the hacker in favor of the eosio.prods account."
"In this way they were able to regain control of all funds, which will soon be returned to depositors, without the need for a Hard Fork and creating a precedent to protect the intent of the smart contract also in favor of users."
"All of the funds are safe under control of eosio.prods and will be returned to depositors."
"Please let this letter serve as my resignation as CEO of EOS Nation effective immediately. I no longer feel as though I can do the best possible job for EOS Nation and the EOS public network and must resign my position." "Sincerely Yours, Yves La Rose"
On May 16 at "22:49 the thief publicly apologises and consents to nulling of keys." "Sorry for this incident, due to the lack of good communication, it caused unnecessary harm, I agree to bps to change my key , I ask for their forgiveness for those who have been hurt this time."
On May 17 at "10:32 executed 6/10 MSIG to remove the authority of the flash loan contract so that funds can be safely returned to flash.sx."
"To our knowledge, there has never been a prior circumstance in EOS where funds have been stolen due to an exploit of a smart contract that has been open-sourced, audited, and MSIGed. With the funds distributed across 246 accounts containing roughly 5000 EOS each, the funds were at risk of exiting the network via no-KYC exchanges at any moment."
"Failing to protect property rights in this instance could have had drastic consequences and result in a loss of faith in DeFi on EOS. As was the case with the Bitcoin rollback, the Ethereum DAO hack, and the HIVE fork, history has shown that the chain that protects property rights is the one that survives."
"With the consent of the account owner, we propose the block producers sign the MSIG to transfer all of the recovered funds back to the originating flash.sx account, under the authority of the current 6/10 custodians."
"Upon the retrieval of the funds, two historical snapshots will be published to easily identify SXEOS & SXUSDT token holders prior & after the event. Token holders with no change in their balance will be granted the posted value rate, token holders which have sold, withdrawn or moved their tokens will be reviewed on a case by case basis."
"Failing to protect property rights in this instance could have had drastic consequences and result in a loss of faith in DeFi on EOS. As was the case with the Bitcoin rollback, the Ethereum DAO hack, and the HIVE fork, history has shown that the chain that protects property rights is the one that survives."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| May 14th, 2021 12:00:00 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
It is unknown how much was recovered.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
In the end, it was a multi-signature agreement which returned the funds. This is similar to the recommendation to store funds in an offline multi-signature wallet.
Were the contract to simply have large fund withdrawals wait to be approved from an offline multi-signature wallet, this would act as a check to prevent large loss.
References
EOS Vault SX Hack (May 19)
History Was Made - SX Vault Hacked - Stolen Funds Seized (May 25)
Vaults.sx funds are safe | EOS Nation | EOS Block Producer (May 25)
Vaults.SX Homepage (May 25)
Vaults.sx Retrospective | EOS Nation | EOS Block Producer (May 25)
my apology : eos (May 25)
GitHub - stableex/sx.vaults: SX Vaults (May 26)
SX · GitHub (May 26)
461,796.8969 USDT Were Stolen, Making This The Biggest Hack On EOS (May 26)
EOSX Hack (May 26)
eosq: High-Precision Block Explorer (May 26)
VaultSX Hack Lessons Learned and Thoughts (May 26)
@go_eos Twitter (May 26)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)
SlowMist Hacked - SlowMist Zone (Nov 7)