Aark Digital Incorrect Balance Update Exploit
Aark Digital is a decentralized perpetual exchange which allows users to gain extra rewards and staking benefits. On October 25th, 2024, the platform experienced an exploit due to an incorrect balance update in a transfer function, which caused a large loss. Aark Digital has been working with the community to recover the funds over time.[1][2][3][4][5][6][7][8]
About Aark Digital
"Leverage-Everything Perpetual DEX. Safe and Easy, Powered by Blockchain. Start Trading"
"Launched in June 2024. AARK grants holders governance rights and staking benefits including rewards, fee discounts, and Multiplier Points."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
"During a routine GM token burn, Aark Digital encountered a callback error due to a third-party contract modification"
| Date | Event | Description |
|---|---|---|
| October 25th, 2024 | Event Occurred | The conversion issue resulted in the large loss. |
Technical Details
"During a routine GM token burn, Aark Digital encountered a callback error due to a third-party contract modification. To resolve this, Aark Digital initiated a contract upgrade and GM delisting to adjust affected user balances. Users holding GM were required to convert GM to USDC. Aark Digital ran a script to process these conversions, receiving inputs like target user, amount, token address, and decimals from event data. While executing, a single user’s USD Value shifted erroneously from 0.498942 to 498,942 * (10 ^ 12), due to an incorrect balance update (not from a deployed contract error). Exploiting this security vulnerability, the attacker caused Aark Digital a loss of 1,499,841 USDC and 159.09 ETH."
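The figures in the statement above (0.498942 becoming 498,942 × 10^12, a factor of exactly 10^18) are consistent with a unit confusion between an 18-decimal fixed-point representation and a plain USD amount. The Python below is an added illustration of that class of mistake and of a batch-level invariant that would have stopped it; it is not Aark Digital's script, whose code is not on this page. It assumes a 6-decimal USDC conversion event, an internal 18-decimal ("wad") accounting convention, and a constructed vault total; the user and token addresses are placeholders.

```python
"""Added example (not Aark Digital's code): how a decimals-scaling mistake in an
off-chain conversion script can inflate one user's USD credit by 10**18, and a
batch-level sanity check that refuses to apply such a credit."""
from dataclasses import dataclass
from decimal import Decimal

# Assumed convention: internal USD accounting in 18-decimal fixed point ("wad").
WAD = 10 ** 18


@dataclass(frozen=True)
class ConversionEvent:
    """The fields the page says the script read from event data."""
    user: str
    amount_raw: int   # token amount in its smallest unit
    token: str        # token address (placeholder string here)
    decimals: int     # token decimals, e.g. 6 for USDC


def to_wad(amount_raw: int, decimals: int) -> int:
    """Rescale a raw token amount to 18-decimal fixed point."""
    if not 0 <= decimals <= 18:
        raise ValueError(f"unsupported decimals: {decimals}")
    return amount_raw * 10 ** (18 - decimals)


def wad_to_usd(wad: int) -> Decimal:
    """Convert an 18-decimal fixed-point value to a human-readable USD Decimal."""
    return Decimal(wad) / Decimal(WAD)


def buggy_usd_value(ev: ConversionEvent) -> Decimal:
    # BUG (hypothetical reconstruction): the 18-decimal integer is credited as
    # whole USD. For 498942 raw USDC this yields 498,942 * 10**12 instead of 0.498942.
    return Decimal(to_wad(ev.amount_raw, ev.decimals))


def correct_usd_value(ev: ConversionEvent) -> Decimal:
    """Scale to wad, then divide back out: 498942 raw USDC -> 0.498942 USD."""
    return wad_to_usd(to_wad(ev.amount_raw, ev.decimals))


def process_conversions(events, vault_total_usd: Decimal, value_fn):
    """Compute per-user credits and refuse the whole batch if any single credit,
    or the batch total, exceeds the value that existed before the conversion.
    A conversion cannot create value, so this invariant catches scaling errors
    wherever in the script they originate."""
    credits = {}
    for ev in events:
        usd = value_fn(ev)
        if usd < 0 or usd > vault_total_usd:
            raise RuntimeError(
                f"refusing batch: credit {usd} for {ev.user} exceeds vault total {vault_total_usd}")
        credits[ev.user] = credits.get(ev.user, Decimal(0)) + usd
    if sum(credits.values(), Decimal(0)) > vault_total_usd:
        raise RuntimeError("refusing batch: total credits exceed vault total")
    return credits


def batch_accepted(events, vault_total_usd: Decimal, value_fn) -> bool:
    """True if the invariant check lets the batch through."""
    try:
        process_conversions(events, vault_total_usd, value_fn)
        return True
    except RuntimeError:
        return False


# Constructed sample input: one small USDC position and a constructed vault total.
SAMPLE_EVENTS = [ConversionEvent("0xUSER_PLACEHOLDER", 498942, "0xUSDC_PLACEHOLDER", 6)]
SAMPLE_VAULT_TOTAL_USD = Decimal("2500000")  # constructed figure, not the real one

if __name__ == "__main__":
    ev = SAMPLE_EVENTS[0]
    print("correct:", correct_usd_value(ev))   # 0.498942
    print("buggy:  ", buggy_usd_value(ev))     # 498942000000000000
    print("buggy batch accepted:  ", batch_accepted(SAMPLE_EVENTS, SAMPLE_VAULT_TOTAL_USD, buggy_usd_value))
    print("correct batch accepted:", batch_accepted(SAMPLE_EVENTS, SAMPLE_VAULT_TOTAL_USD, correct_usd_value))
```

The point of the invariant is that it does not depend on knowing where the scaling error is: any per-user credit larger than everything the vault held before the conversion, or a batch whose credits sum to more than that, is rejected before balances are written. A script that applied such a check, or that ran in dry-run mode and had its output reviewed against the pre-conversion total, would have flagged a 10^18 inflation immediately.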
Total Amount Lost
"Initially, we reported a total loss of 1,386,085.5 USDC and 24.143 ETH due to the exploit. However, further investigation has revealed that the actual amount stolen was higher, totaling 1,499,841 USDC and 159.09 ETH. This revised amount provides us with a more accurate scope of the breach, which is essential for our recovery strategy."
The total amount lost has been estimated at $1,900,000 USD.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
"The stolen funds represent approximately 67% of the total deposits, including collateral for Futures and LPs. Given the scale of the impact, we are currently able to refund 33% of the original deposit amount to affected users."
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Incident of October 25th (Accessed Nov 21, 2024)
2. Aark Digital offers 15% bounty to hacker responsible for $1.5M attack on vaults (Accessed Nov 21, 2024)
3. https://www.crowdfundinsider.com/2024/10/231673-security-breach-prompts-aark-digital-to-issue-225k-bounty/ (Accessed Nov 21, 2024)
4. @Aark_Digital Twitter (Accessed Nov 21, 2024)
5. @Aark_Digital Twitter (Accessed Nov 21, 2024)
6. @Aark_Digital Twitter (Accessed Nov 21, 2024)
7. @Aark_Digital Twitter (Accessed Nov 21, 2024)
8. @Aark_Digital Twitter (Accessed Nov 21, 2024)