Axion Staking Inside Job

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 13:07, 25 January 2023 by Azoundria.


Axion Staking

One developer modified the software, and later used an exploit they had introduced to remove funds.

The exploit was not caught despite multiple auditors reviewing the code. The developer was dumb enough to exploit it immediately and had no concrete escape plan.

This is a global/international case not involving a specific country.

About Axion Staking

"Axion marketed itself as an investment vehicle through which users could stake currency for a set period of time in exchange for high-yield returns. The “time-lock” nature of the investment meant users would be unable to access funds while staking." "Axion represents a new breed of cryptocurrency. It’s not a utility token or an attempt at replacing fiat currencies. It’s an investment vehicle that’s aimed at one of the biggest untapped markets left in the crypto-world: mainstream income investors." "It aims to lure both crypto-investing veterans and traditional investors with a stable and reliable return rate that’s unheard of in all but the riskiest markets. It’s because Axion isn’t just a cryptocurrency. It’s a time-locked investment system that’s purpose-built to generate a stable inflationary curve and to fight volatility to protect investors’ principal and deliver a high ROI."

"Axion is an ethical, community-driven cryptocurrency that rewards long-term investing with high-yield interest rates and weekly dividends." "Axion is a new cryptocurrency that’s aimed at investors who would like a crypto-powered investment vehicle that offers stable returns with less risk of precipitous losses. Axion does this by basing its prices on inflation – at an astounding 8% yearly inflation distributed to staked amounts, and by flipping the traditional cryptocurrency model on its head. That’s because it operates by paying rewards to holders of the currency that agree not to sell it for a defined period, rather than paying rewards to miners as traditional cryptocurrencies do."

"Rock’n’Block insisted on all sorts of third-party audits. As a result, two thorough code reviews were conducted by established security companies, Hacken and Certik, who detected no critical errors that could have affected the project. Besides, the source code of Axion contracts was open access because the project is open source."

"On the 2nd of November 2020 at approximately 11:00 AM +UTC a hacker managed to mint around ~80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract." "[O]ver 80 billion AXN tokens were unexpectedly minted and sold, netting the attacker more than 1,300 ETH worth over $500,000 at the time of writing." "The price of AXN immediately collapsed 100% from $0.00034079 to $0, according to CoinGecko."

"The Axion team stated that this was due to an exploit in the code, which was allegedly audited by five separate auditors before the project’s mainnet, according to the Axion website." "Despite claims that five different auditors cleared the code, an alleged exploit just sunk the price by 100%." "CertiK, a blockchain auditing outfit, has commented on yesterday’s Axion hack, revealing that the attacker exploited the project’s third-party dependencies. The auditors added that someone within the project likely carried out the attack."

"Actors involved in the Axion project injected malicious code prior to Axion’s deployment by altering its OpenZeppelin dependencies. The injected code allowed the attacker to freely mint 80 billion AXN tokens."
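The account above turns on a vendored third-party dependency being edited between audit sign-off and deployment. The following is an added example (not Axion's, Rock'n'Block's or CertiK's code) of the integrity check that would have surfaced such a change: hash every file in the tree the auditors reviewed, including everything under node_modules, and refuse to deploy a tree whose hashes differ. File names and contents are constructed for illustration.

```python
"""Added example: verify that the source tree handed to the deployer is byte-for-byte
the tree the auditors reviewed, vendored dependencies included. File paths and
contents below are constructed, not taken from the Axion repository."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every file in the audited tree. Run once at audit sign-off
    and store the result somewhere the deployer cannot rewrite."""
    return {path: sha256_hex(content) for path, content in sorted(tree.items())}


def verify_tree(tree: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Compare a tree against the signed-off manifest.

    Returns a sorted list of findings; an empty list means the tree is identical
    to what was audited. Files are checked in both directions so that a dropped
    file or an extra file is reported, not only an edited one."""
    findings = []
    for path, expected in manifest.items():
        if path not in tree:
            findings.append(f"MISSING    {path}")
        elif sha256_hex(tree[path]) != expected:
            findings.append(f"MODIFIED   {path}")
    for path in tree:
        if path not in manifest:
            findings.append(f"UNEXPECTED {path}")
    return sorted(findings)


# Constructed sample: the audited tree holds the project's own contract and the
# vendored OpenZeppelin file it inherits from.
OZ_ERC20 = "node_modules/@openzeppelin/contracts/token/ERC20/ERC20.sol"
AUDITED_TREE = {
    "contracts/Staking.sol": b"// constructed: audited staking contract\n",
    OZ_ERC20: b"// constructed: upstream OpenZeppelin ERC20 as audited\n",
}
AUDITED_MANIFEST = build_manifest(AUDITED_TREE)

# Constructed sample: the tree actually given to the deployer. The project's own
# file is untouched; the vendored dependency is not. A review that only diffs
# contracts/ never sees this.
DEPLOY_TREE = dict(AUDITED_TREE)
DEPLOY_TREE[OZ_ERC20] = (
    b"// constructed: upstream OpenZeppelin ERC20 as audited\n"
    b"// constructed: one extra line nobody audited\n"
)


def deployment_findings() -> List[str]:
    """Findings for the constructed deploy tree against the audited manifest."""
    return verify_tree(DEPLOY_TREE, AUDITED_MANIFEST)


if __name__ == "__main__":
    findings = deployment_findings()
    print("\n".join(findings) if findings else "tree matches audited manifest")
```

In practice the manifest is produced from a pinned commit plus a lockfile-resolved node_modules, committed or signed alongside the audit report, and re-checked by a party other than whoever holds the deployment key; a single actor who can both edit the tree and deploy it defeats any check they run themselves.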

"To prepare for the attack, the hacker circulated 2.1 ETH on Tornado.cash for privacy. The attacker also purchased 700,000 HEX2T tokens as part of a “smokescreen,” CertiK says."

"Though the attack was sizable in terms of its dollar value, it is notable primarily because the hacker followed an unusual line of attack. It remains to be seen if hackers can imitate this line of attack and carry it out against other blockchain projects."

"As you may have heard, RocknBlock was the development team hired by The Axion Foundation to build and deploy our new currency. Axion had three technical audits and two economic audits. The Axion Foundation, development team, and audit firms confirmed the code security and felt confident in the launch."

"At the moment, it is obvious that one of the engineers consciously substituted the code (which was tested and audited) for his own code containing the vulnerability. A few hours after the deployments, the suspect verified the code on etherscan, thus proving malicious intent - only with source code with a vulnerability can the contract be verified." "Then he took advantage of the vulnerability and withdrew the funds."
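The statement above rests on a property of Etherscan-style verification: a contract only verifies against the source that actually compiles to the on-chain bytecode, so the deployer's source being accepted shows which code was deployed. The same property gives the audit side a post-deployment check. The following added example (not code from Axion, Rock'n'Block or Etherscan) compares on-chain runtime bytecode with the build artifact the auditors signed off. Solidity appends a CBOR metadata blob to runtime code, with the blob's length in the last two bytes; the example compares the executable part and the metadata separately, because a changed source path alters the metadata hash without altering the code. All bytecode values are constructed.

```python
"""Added example: compare deployed runtime bytecode against the audited build
artifact, separating Solidity's CBOR metadata trailer from the executable code.
All bytecode below is constructed for illustration."""


def strip_metadata(runtime: bytes) -> bytes:
    """Remove the CBOR metadata trailer solc appends to runtime bytecode.

    The last two bytes hold the trailer length (big-endian). The trailer itself is
    a CBOR map, so its first byte is a map header in 0xa0..0xb7; if that is not
    what we find, assume there is no trailer and return the bytes unchanged."""
    if len(runtime) < 3:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        return runtime
    start = len(runtime) - meta_len - 2
    if not 0xA0 <= runtime[start] <= 0xB7:
        return runtime
    return runtime[:start]


def compare_runtime(audited: bytes, deployed: bytes) -> str:
    """Classify the relationship between audited and deployed runtime bytecode.

    MATCH            identical bytes, metadata included
    MATCH_CODE_ONLY  executable code identical, only the metadata trailer differs
                     (typical of a rebuild from the same code at a different path)
    MISMATCH         executable code differs: what runs is not what was audited"""
    if audited == deployed:
        return "MATCH"
    if strip_metadata(audited) == strip_metadata(deployed):
        return "MATCH_CODE_ONLY"
    return "MISMATCH"


def append_metadata(code: bytes, blob: bytes) -> bytes:
    """Build runtime bytecode the way solc lays it out: code, CBOR blob, 2-byte length."""
    return code + blob + len(blob).to_bytes(2, "big")


def cbor_metadata(ipfs_digest: bytes) -> bytes:
    """Constructed CBOR map {"ipfs": <34 bytes>, "solc": <3 bytes>} in solc's layout."""
    assert len(ipfs_digest) == 34
    return (b"\xa2"                       # map with 2 entries
            + b"\x64ipfs" + b"\x58\x22" + ipfs_digest   # text(4) "ipfs", bytes(34)
            + b"\x64solc" + b"\x43\x00\x07\x06")        # text(4) "solc", bytes(3)


# Constructed executable prefix: PUSH1 0x80 PUSH1 0x40 MSTORE CALLVALUE DUP1 ISZERO
# PUSH1 0x0f JUMPI PUSH1 0 DUP1 REVERT (a typical solc preamble).
CODE_AUDITED = bytes.fromhex("608060405234801560 0f57600080fd".replace(" ", ""))

AUDITED_RUNTIME = append_metadata(CODE_AUDITED, cbor_metadata(bytes(34)))
# Same code rebuilt elsewhere: only the metadata hash differs.
REBUILT_RUNTIME = append_metadata(CODE_AUDITED, cbor_metadata(bytes([1]) * 34))
# Different executable code: one extra JUMPDEST byte, constructed.
TAMPERED_RUNTIME = append_metadata(CODE_AUDITED + b"\x5b", cbor_metadata(bytes([1]) * 34))


if __name__ == "__main__":
    for label, deployed in (("self", AUDITED_RUNTIME),
                            ("rebuilt", REBUILT_RUNTIME),
                            ("tampered", TAMPERED_RUNTIME)):
        print(f"{label:9s} {compare_runtime(AUDITED_RUNTIME, deployed)}")
```

Run against a live deployment, `deployed` would be the result of an `eth_getCode` call for the contract address and `audited` the runtime bytecode from the artifact produced at audit sign-off; anything other than MATCH or MATCH_CODE_ONLY means the deployed contract was compiled from different source, regardless of what the deployer later verifies on a block explorer.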

"For the mainnet launch, RocknBlock gave the deployment permission to one of their subcontractors. The Axion Foundation was not aware of this. This subcontractor, named Ilya Maximovich Solovyanov, injected malicious code into the clean and audited code. He then used an exploit to mint and sell 76 Billion tokens, thus draining the Axion uniswap liquidity pool."

"While this event has put a major speed bump on our path, Axion will relaunch stronger and more resilient than ever. Everyone involved will be treated fairly. Everyone involved will be fairly compensated to the best of our abilities." "This was not a scam by Axion Foundation, and it was likely not one by RocknBlock, either. This was a single bad actor named Ilya Maximovich Solovyanov." "The RnB company has been working with him since February 2020. At the moment he is refusing to cooperate and has deleted his messages and social profiles." "The team is working closely with the local law enforcement to recover the funds this hacker and his group have already stolen."

"We will relaunch Axion and everyone who was holding or staking AXN/HEX2T will be able to claim at a 1:1 ratio." "We plan to relaunch as soon as feasibly possible and contact publications to share the full story. The audited code is sound. We simply need to figure out the best course to compensate those who staked, and build the pre-incident snapshot. This should not take long. We will have estimated timelines within the next 24 hours. If building it will take too long, we will do a manual process." "Everyone will be compensated as fairly and fully as possible. We’re still here and more resilient than ever. One man can not take us down, this community is strong. We will persist and grow stronger than ever."

The Reality

What Happened

Key Event Timeline - Axion Staking Inside Job

Total Amount Lost

The total amount lost is unknown.

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

It is unknown how much was recovered.

Ongoing Developments

Prevention Policies

This is another example of just how challenging it is to detect problems in a smart contract.

Decentralized finance is a brand new area, and smart contracts are effectively hot wallets. They are not, in any way, guaranteed in their security, even if audited.

The proper storage of funds should be in a multi-signature wallet with offline storage.

References

DeFi Project Akropolis Just Lost $2 Million. Here's What They're Doing About It. | Crypto Briefing (May 15)

Axion Network Incident - HackMD (May 15)

Axion's Launch is Going to Make Crypto-Believers out of Mainstream Investors – Sponsored Bitcoin News (May 21)

Meet Axion - Your Cryptocurrency Key to a Long-Term Income Stream | Tech Loot (May 21)

Axion Attack Was an Inside Job, CertiK Says | Crypto Briefing (May 21)

HEX Airdrop Token Collapses 100% on Delivery | Crypto Briefing (May 21)

Axion Network (May 21)

@axion_network Twitter (May 21)

@axion_network Twitter (May 21)

@axion_network Twitter (May 21)

@axion_network Twitter (May 21)

Next Steps for Axion (1).pdf | DocDroid (May 21)

Press Release_RNB.pdf - Google Drive (May 21)

CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 19)

SlowMist Hacked - SlowMist Zone (May 17)