PERI Finance ChainSwap Breach
PERI Finance is a derivatives protocol and liquidity provider. Its token used the ChainSwap bridge to exist on multiple blockchains, which required part of the token supply to be held in ChainSwap's smart contract, effectively a hot wallet.
The ChainSwap bridge was exploited, and the attacker obtained PERI tokens, some of which were sold. PERI Finance froze the affected tokens relatively quickly, preventing further sales, and plans to build its own bridge service to replace ChainSwap.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27]
About PERI Finance
"PERI Finance is a decentralized cross-chain synthetic issuance and derivative exchange protocol that provides unlimited liquidity on Polkadot network. It gives an opportunity to access a wide range of both traditional financial and crypto assets in the forms of leveraged and non-leveraged synthetic products. We empower you with lower GAS fees, speedy transactions, and ample security from front-running or flash loans."
"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."
Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."
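To make the quota flaw described in the post-mortem concrete, the following Python model is an added illustration written for this page; it is not ChainSwap's contract code and does not reproduce its actual storage layout or numbers. It assumes a ledger in which each signatory address holds a minting quota that refills automatically once per period, and compares a `receive` path that computes the refill for any address (so an address that was never whitelisted, whose last-refill time falls back to 0, accrues an enormous quota) with a hardened path that consults the whitelist first and caps the quota. The class name, method names, addresses, timestamps and quota values are all assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class BridgeQuotaLedger:
    """Simplified model of a bridge's per-signatory minting quota.

    Hypothetical illustration written for this page, not ChainSwap's code.
    Every signatory's quota refills by `auto_quota_ratio` tokens for each
    `auto_quota_period` seconds elapsed since its last update.
    """

    auto_quota_ratio: int    # tokens added to a signatory's quota per period
    auto_quota_period: int   # length of one refill period, in seconds
    max_quota: int           # upper bound on any single signatory's quota
    authorized: set = field(default_factory=set)     # whitelisted signatories
    quota: dict = field(default_factory=dict)        # address -> remaining quota
    last_update: dict = field(default_factory=dict)  # address -> last refill time

    def authorize(self, addr: str, initial_quota: int, now: int) -> None:
        """Whitelist a signatory node and seed its quota."""
        self.authorized.add(addr)
        self.quota[addr] = initial_quota
        self.last_update[addr] = now

    def _refill(self, addr: str, now: int) -> int:
        """Tokens accrued since the signatory's last update.

        An address that was never authorized has no recorded update time, so
        the lookup falls back to 0 and the "elapsed" interval is the whole
        Unix epoch. That fallback is harmless only if callers check the
        whitelist first.
        """
        elapsed = now - self.last_update.get(addr, 0)
        return (elapsed // self.auto_quota_period) * self.auto_quota_ratio

    def available_vulnerable(self, addr: str, now: int) -> int:
        """Vulnerable rule: the whitelist is never consulted, so any fresh
        address is granted the automatic refill."""
        return self.quota.get(addr, 0) + self._refill(addr, now)

    def available_hardened(self, addr: str, now: int) -> int:
        """Hardened rule: non-whitelisted addresses have zero quota, and the
        refill is capped so an idle node cannot accumulate unbounded
        minting power."""
        if addr not in self.authorized:
            return 0
        return min(self.quota[addr] + self._refill(addr, now), self.max_quota)

    def receive(self, signatory: str, amount: int, now: int, hardened: bool) -> int:
        """Cross-chain receive: mint `amount` on this chain if the signatory
        that signed the transfer still has enough quota. Returns the amount
        minted, or raises PermissionError."""
        rule = self.available_hardened if hardened else self.available_vulnerable
        available = rule(signatory, now)
        if amount > available:
            raise PermissionError(f"{signatory}: quota {available} < requested {amount}")
        self.quota[signatory] = available - amount
        self.last_update[signatory] = now
        return amount


def simulate_attack(now: int = 1_626_000_000) -> dict:
    """Constructed scenario: one legitimate node and one attacker-controlled
    address that was never whitelisted, run against both rule sets.

    Returns how many tokens each party could mint under each rule.
    """
    results = {}
    for hardened in (False, True):
        label = "hardened" if hardened else "vulnerable"
        ledger = BridgeQuotaLedger(auto_quota_ratio=1_000,
                                   auto_quota_period=3_600,
                                   max_quota=50_000)
        ledger.authorize("0xnode", initial_quota=10_000, now=now)

        # A legitimate node transfers within its quota under both rules.
        results[f"{label}_node"] = ledger.receive("0xnode", 5_000, now, hardened)

        # The attacker signs with a fresh address and asks for 61,000 tokens.
        try:
            results[f"{label}_attacker"] = ledger.receive("0xattacker", 61_000, now, hardened)
        except PermissionError:
            results[f"{label}_attacker"] = 0
    return results


if __name__ == "__main__":
    for key, minted in simulate_attack().items():
        print(f"{key}: minted {minted}")
```

Under the vulnerable rule the never-authorized address mints the full 61,000 because its refill is computed from time 0; under the hardened rule the same request is rejected while the whitelisted node's transfer still succeeds. The two checks that matter are the order (whitelist before arithmetic) and the cap, since an automatic refill with no upper bound is a standing mint authority for whoever can satisfy the signature check.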
"PERI Finance dev team noticed that a hacker attacked ChainSwap's contracts and stole the tokens of more than 10 projects, including PERI Finance. As of right now, PERI Finance Dev team has decided to block the hacker's contract address in order to prevent additional transfers."
"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."
"PERI Finance successfully blocked the hacker's contract address and now you can transfer PERI on Ethereum Mainnet." "The Peri Finance project owner tweeted that due to the ChainSwap breach, the team has withdrawn all liquidity from Uniswap and Pancakeswap, in order to prevent a hacker from selling his tokens and running out of liquidity."
"PERI Finance team immediately realized the hacking issue and the team is working around the clock to ensure that none of our users and stakeholders are involved in this incident. Our devoted team found that there was no damage done to any of our users and stakeholders. The team rapidly requested the Ethereum network to block the hacker's smart contract address in order to prevent the transactions that could cause the price to drop."
"The attacker stole about 61,000 PERI from ChainSwap and sold 10,000 PERI on MEXC. PERI Finance bought the dumped PERI on MEXC, which balanced out the market. The attacker still took control of nearly 51,000 $PERI on the Ethereum mainnet and tried to sell additional PERI on other CEXs. However, our team urgently blocked the contract address and requested Gate.io and MEXC to close transfers to avoid additional damage. Those 51,000 PERI are frozen and considered burned in the total circulating supply."
"ChainSwap said it had already repurchased a small amount of the affected tokens from the market and returned [them to] the contract wallet. The rest will be paid out in full by the ChainSwap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."
"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."
“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.
"ChainSwap is excited to announce that we have successfully integrated with Anyswap and Chainswap bridge is now live. We thank our community for its patience during the last few weeks."
"PERI Finance will not integrate with ChainSwap anymore and, to prevent hacking issues from the hackers, PERI Finance dev team has decided to deploy its own bridge systems for all networks. This development is now our top priority and we will announce the date of deployment as soon as a detailed roadmap comes out."
"[S]tolen token will be replaced it through our newly deployed BSC bridge."
"While we were discussing the staking rewards distribution in the coming week, we needed to thoroughly consider an issue: PERI BEP20 holders cannot participate in the staking service due to ChainSwap's hacking issue. Currently the BSC bridge is suspended and they have no way to transfer their PERI to the Polygon network, which at this moment is the only network PERI Finance's staking dApp supports. As such, we will commence a 1:1 swap for all PERI BEP20 holders to our PERI Matic ERC20."
"Our team is dedicated to understanding the core vulnerability of this attack and still will continue to investigate with ChainSwap directly."
"The Staking dApp is still alive and it has been securely checked. We have been audited by CertiK and established Bug Bounty Programs for users to find any defects. We take these types of situations very seriously, and are actively working to address all the issues to make a safe environment."
"PERI trading continued on all DEXs and CEXs. We also newly listed on XT.com to open more trading opportunities for the users."
What Happened
| Date | Event | Description |
|---|---|---|
| July 11th, 2021 | Main Event | The ChainSwap bridge was exploited through a logic flaw in its cross-chain quota code: addresses that had never been whitelisted could have their quota increased automatically, which let the attacker mint tokens of more than 10 projects, including PERI, directly to their own address. About 61,000 PERI were taken. Roughly 10,000 of these were sold on MEXC before PERI Finance bought the dumped tokens back; the remaining ~51,000 PERI were frozen after PERI Finance blocked the attacker's contract address and asked Gate.io and MEXC to close transfers. |
Total Amount Lost
No source on this page gives a total value for PERI Finance's share of the loss. PERI Finance reported that the attacker took about 61,000 PERI from ChainSwap, of which roughly 10,000 were sold on MEXC (and bought back by the PERI Finance team) and about 51,000 remained frozen, which PERI Finance treats as burned. Coverage of the wider ChainSwap exploit describes it as a multi-million dollar loss across all affected tokens [4][7], but how much of that figure is PERI is not stated.
Immediate Reactions
ChainSwap temporarily closed its cross-chain bridge. PERI Finance blocked the attacker's contract address on Ethereum, withdrew its liquidity from Uniswap and PancakeSwap so the attacker could not sell into it, bought back the PERI dumped on MEXC, and asked Gate.io and MEXC to halt transfers. ChainSwap repurchased a small amount of the affected tokens from the market and announced a compensation plan agreed with the affected projects.
Ultimate Outcome
ChainSwap said it worked with the police and OKEx to identify the attackers and negotiated the return of Corra and Rai tokens. ChainSwap later relaunched its bridge after integrating with Anyswap. PERI Finance decided not to integrate with ChainSwap again and to build its own bridge; stolen PERI was to be replaced through the new BSC bridge, and BEP20 holders were offered a 1:1 swap to PERI on Polygon so they could use the staking dApp. The sources on this page do not report any prosecution.
Total Amount Recovered
PERI Finance bought back the roughly 10,000 PERI the attacker sold on MEXC, and the remaining ~51,000 PERI were frozen, so the attacker was prevented from cashing out most of the stolen tokens. ChainSwap stated it had repurchased a small amount of the affected tokens and returned them to the contract wallet, with the rest to be paid from the ChainSwap vault under its compensation plan, and PERI Finance stated that stolen tokens would be replaced through its new BSC bridge. The amount ultimately paid out to PERI holders is not given in the sources.
Ongoing Developments
PERI Finance's own bridge was announced as its top development priority, with the deployment date to follow a detailed roadmap, and PERI Finance said it would continue investigating the root cause of the attack together with ChainSwap.
Prevention Policies
Any sufficiently complex smart contract may carry an exploitable flaw that nobody has noticed yet, and there is no way to prove that one does not: plenty of fully audited contracts have been exploited. In this case the flaw was not in PERI's own token contract but in a third-party bridge, whose cross-chain quota logic let addresses that were never whitelisted accrue minting quota automatically, so every project that trusted the bridge inherited that risk.
Relatively little was taken here, and it appears to have been reimbursed. Platforms should nonetheless be prepared for the full loss of all assets held in hot wallets, which includes funds held by smart contracts such as bridges. Assets that do not need to be accessed quickly should be kept in a simple offline multi-signature wallet.
References
- ↑ Chainswap Black Sunday, over 20 DEFI projects were stolen - 律动BlockBeats (Aug 24, 2021)
- ↑ ChainSwap Exploit 11 July 2021 Post-Mortem | by ChainSwap | Medium (Aug 24, 2021)
- ↑ MappableToken | 0x06c24002f43e3AF904EeEc581734EA3A7DbF355E (Aug 24, 2021)
- ↑ ChainSwap Exploit Leads to Multi-Million Loss For DeFi Tokens - Decrypt (Aug 24, 2021)
- ↑ @chain_swap Twitter (Aug 24, 2021)
- ↑ Explained: The ChainSwap Hack (July 2021) - Halborn (Aug 24, 2021)
- ↑ $8 Million Lost in Major ChainSwap Exploit | Crypto Briefing (Aug 24, 2021)
- ↑ ChainSwap re-launch, we are live. ChainSwap is excited to announce that… | by ChainSwap | Medium (Aug 29, 2021)
- ↑ Rekt - ChainSwap - REKT (Aug 29, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ LET'S PYNTHS (Sep 15, 2021)
- ↑ Peri Finance Overview - BTA Ventures (Sep 17, 2021)
- ↑ Important Notice Regarding Chainswap Hack (Sep 21, 2021)
- ↑ Address 0xEda5066780dE29D00dfb54581A707ef6F52D8113 | Etherscan (Sep 21, 2021)
- ↑ Notice Peri Token Swap For Bep20 Holders (Sep 21, 2021)
- ↑ Peri Finance Dapp Claim Is Live Details And Claim Schedule (Sep 21, 2021)
- ↑ Important Notice 2 Chainswap Hack (Sep 21, 2021)
- ↑ Bi Weekly Report Peri Finance (Sep 21, 2021)
- ↑ June Report Peri Finance (Sep 21, 2021)
- ↑ @PERIfinance Twitter (Sep 21, 2021)
- ↑ @PERIfinance Twitter (Sep 21, 2021)
- ↑ @PERIfinance Twitter (Sep 21, 2021)
- ↑ @PERIfinance Twitter (Sep 21, 2021)
- ↑ @PERIfinance Twitter (Sep 21, 2021)
- ↑ @PERIfinance Twitter (Sep 21, 2021)
- ↑ Chainswap Post Mortem Deep Dive Into The Exploit (May 7, 2022)
- ↑ Random Numbers Don’t Lie: A Closer Technical Look into Recent DeFi Hacks (May 7, 2022)