Sunray Finance Malicious Upgrade And Token Minting

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:36, 6 December 2024 by Azoundria


Sunray Finance Logo/Homepage

Sunray Finance offered a decentralized exchange on the Arbitrum blockchain. They claimed to have the backing of Japan's SoftBank, and their Twitter links to the SoftBank website; however, SoftBank does not appear to have officially provided a public endorsement of their project. On October 29th, 2024, a new upgrade took place on their smart contract. The upgrade allowed for the minting of a massive number of tokens, which were immediately swapped. It is alleged that this activity has nothing to do with the Sunray Finance team and that the private key was compromised. It appears that a large chunk of the potential loot was lost to an arbitrage bot, which managed to insert an arbitrage trade exploiting the difference between two separate liquidity pools. However, the attacker still made off with close to $3m. The Sunray Finance team appears to be working with the Binance security team on a potential recovery; however, there have been no new updates since early November. The Sunray Finance website is presently offline; however, their Twitter account still exists.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About Sunray Finance

"Sunray DEX is a new attempt at building a blockchain-based market on Arbitrum. The DEX was created with the involvement of SoftBank, though the project is not listed on its portfolio page. The Sunray DEX X account also communicated in a way that singled it out as a crypto outsider, taking a long time to launch in a dynamic environment where new tokens and DEX build up their activity much faster."

"SUN is a reserve currency that provides an open financial service platform. Focus on co building SUNRAYDEX's global business, supported by SoftBank.TBCAsoft."

"The Sunray DEX has a landing page, but most of its features are still inactive. The Sunray Finance protocol promised an extremely high passive income of 299% for SUN, with the addition of the ARC governance token."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"SUNRAY FINANCE experienced a private key compromise, allowing the exploiter to gain control of the SUN and ARC tokens and sell them off, draining the funds from DEX pairs. So far, the attacker has stolen approximately $2.855 million."

Key Event Timeline - Sunray Finance Malicious Upgrade And Token Minting
| Date | Event | Description |
| --- | --- | --- |
| September 4th, 2024 1:53:24 AM MDT | Last Capture Of Sunray Finance Website | The last capture of the Sunray Finance website, which appears to be offline. |
| October 29th, 2024 9:45:06 PM MDT | Smart Contract Upgraded | The smart contract is upgraded to a malicious version, which allows for the minting of new SUN tokens. |
| October 29th, 2024 9:46:35 PM MDT | Malicious Token Generation | The new malicious smart contract mints 200,000,000,000,000,000,000,000 SUN tokens. |
| October 29th, 2024 9:47:37 PM MDT | Newly Minted Token Swap | The attacker swaps half of the newly minted tokens using one of the main liquidity providers. In the same block, an arbitrage bot automatically swaps using the other liquidity option. Multiple sources claim that the attacker overlooked this second source of liquidity; however, the attacker maintained half of their SUN tokens, suggesting they actually intended to swap on both liquidity pools. |
| October 30th, 2024 5:15:00 AM MDT | Transfer Update Post | The team reports that they "are currently working hard to restore" "SUN and ARCToken treasury assets" which were transferred at noon that day. |
| October 30th, 2024 3:20:18 PM MDT | CryptoPolitan News Article | According to CryptoPolitan, "Neither Sunray Finance nor Sunray Swap have reported a hack through their channels. The investigation is ongoing, as the native SUN token is now practically worthless. Sunray Finance claimed its smart contracts were audited, but the project’s social media suggest it was not prepared enough for the latest DEX and Web3 challenges and attacks." |
| October 30th, 2024 8:24:00 PM MDT | TenArmor Alert Posted | TenArmor posts an alert about the suspicious attack, with losses estimated at $2.7m. |
| October 31st, 2024 8:46:00 AM MDT | Update Posted Twitter | The Sunray Finance team posts an update with an official statement about the exploit and path forward. |
| November 4th, 2024 11:11:00 PM MST | Another Twitter Update | The Sunray Finance team posts to notify that they are working with the Binance security team. |
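
The timeline shows an upgrade followed 89 seconds later by a very large mint, a sequence a monitoring rule can flag. The following is an added example, not code from Sunray Finance or from the sources cited on this page. It assumes the token sits behind an ERC-1967 style proxy that emits an `Upgraded` event and that mints appear as ERC-20 `Transfer` events from the zero address; the contract labels, prior supply figures, thresholds and the two benign events are constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "0" * 40   # ERC-20 mints appear as Transfer events from the zero address
WINDOW_SECONDS = 600     # assumed threshold: how long after an upgrade a mint is suspicious
MINT_RATIO_LIMIT = 0.10  # assumed threshold: mint larger than 10% of the prior supply

@dataclass
class Event:
    ts: int            # seconds, relative to the first sample event
    kind: str          # "Upgraded" (proxy implementation change) or "Transfer"
    contract: str      # placeholder label, not a real address
    sender: str = ""
    amount: int = 0

def find_upgrade_then_mint(events, supply_before):
    """Flag large mints that closely follow an upgrade of the same contract."""
    alerts, last_upgrade, supply = [], {}, dict(supply_before)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "Upgraded":
            last_upgrade[ev.contract] = ev.ts
        elif ev.kind == "Transfer" and ev.sender == ZERO:
            prior = supply.get(ev.contract, 0)
            ratio = ev.amount / prior if prior else float("inf")
            upgraded_at = last_upgrade.get(ev.contract)
            if (upgraded_at is not None
                    and ev.ts - upgraded_at <= WINDOW_SECONDS
                    and ratio > MINT_RATIO_LIMIT):
                alerts.append({"contract": ev.contract,
                               "delay_s": ev.ts - upgraded_at,
                               "supply_multiple": ratio})
            supply[ev.contract] = prior + ev.amount  # track supply across mints
    return alerts

# Constructed sample. Only the 89-second gap and the mint amount come from the
# timeline above; the amount is treated here as raw token units (assumption).
SUPPLY = {"SUN_PROXY": 10**21, "OTHER_TOKEN": 10**21}
SAMPLE = [
    Event(0, "Transfer", "SUN_PROXY", ZERO, 10**18),            # routine mint, no upgrade
    Event(3600, "Upgraded", "SUN_PROXY"),                       # 9:45:06 PM in the timeline
    Event(3689, "Transfer", "SUN_PROXY", ZERO,
          200_000_000_000_000_000_000_000),                     # 9:46:35 PM in the timeline
    Event(3700, "Transfer", "OTHER_TOKEN", ZERO, 5 * 10**21),   # large mint, no upgrade
]

if __name__ == "__main__":
    for alert in find_upgrade_then_mint(SAMPLE, SUPPLY):
        print(alert)
```

Only the mint that follows the upgrade is reported; a rule like this is only useful if the alert can trigger a pause or other response within the roughly two-minute window the timeline shows between the mint and the swap.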

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $2,885,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Decentralized exchange Sunray Finance has been drained of $2.855 million due to a private key compromise, blockchain security firm CertiK reported on X via its CertiK Alert account. The hacker acquired ownership of SUN and ARC tokens and minted a large number of tokens before dumping them."

"Perpetuals trading protocol Sunray Finance on Arbitrum was exploited for $2.7 million on Oct. 30, when an attacker managed to upgrade the protocol’s contract and mint two-hundred sextillion (200,000,000,000 trillion) of the protocol’s native SUN token, according to a report from blockchain security firm TenArmor.

The attacker subsequently swapped half of the tokens for $2.1 million worth of Tether (USDT). The attack collapsed the SUN price.

The exploiter appears to have overlooked the fact that there was a second liquidity pool for SUN. In the very next block, an arbitrage bot purchased approximately 90 sextillion SUN from the pool that the attacker had dumped the coins into, which it then sold into the second pool at a profit of approximately $560,000 worth of Ether (ETH). This collapsed the price in the second pool as well."

Ultimate Outcome

"Sunray Treasury Asset Transfer Statement, Treasury as a public asset of the community, is secure, transparent, publicly traceable, and we are accelerating and working hard to recover all data. Please be patient and wait for specific details"

"At present, we have contacted the Binance/BM security team and everyone is patiently waiting. We are actively handling the work related to this incident and believe that there will be results soon"

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References