AnySwap ECDSA Exploit
Rather than using a multi-sig, AnySwap locked funds behind a complex MPC (multi-party computation) protocol. In an MPC scheme there is only one private key, and each party holds only a share of it. The protocol relies on every signature using a freshly generated "R" value; a repeated "R" value allows an attacker to deduce the private key. AnySwap plans to compensate all affected users.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]
About Anyswap
"Anyswap is a fully decentralized cross chain swap protocol, based on Fusion DCRM technology, with automated pricing and liquidity system. Anyswap is a decentralized application running on the Fusion, Binance Smart Chain, Ethereum and Fantom blockchains. The first application from Anyswap is a DEX (Decentralized Exchange), which is called anyswap.exchange."
"Anyswap protocol allows users to immediately swap from one coin to another with a click of a button. It can be considered as a decentralized exchange, however, it doesn’t have an order book. Therefore, users can swap and immediately get coins at the price of the currency they are swapping to, without going through the hassle of creating orders and waiting for them to be filled."
"Anyswap uses Anyswap Working Nodes (AWN) to ensure the decentralization of Anyswap. These nodes will be elected by the holders of ANY token, and will be responsible for funds custody. Therefore, Anyswap company will have no control over users’ funds." "Anyswap uses Fusion’s DCRM technology as a cross-chain solution. Anyswap users can deposit any coin to the protocol, mint wrapped tokens in a fully decentralized way and swap assets from different blockchains." "Liquidity providers can add or withdraw liquidity into swap pairs. Prices will be automated according to the liquidity provided."
"The new Anyswap multichain prototype V3 router was exploited early on July 10, 2021." "AnySwap lost $7.8M worth of crypto funds as a result of ECDSA signature derivation exploit." "The attack occurred on Anyswap V3 liquidity pool on July 10, 2021, at 8:00 PM UTC."
"Two v3 router transactions were detected under the V3 Router MPC account on BSC, these two transactions have the same R value signature. And hacker deduced the private key to this MPC account in reverse. Anyswap team reproduced this attack method." "Anyswap multichain V3 router was exploited and resulted in 7.5M$ worth of assets lost. The attacker deduced the private key to the Anyswap V3 Router MPC account based on two transactions that have the same R value signature."
"The root of the exploit lay in the prototype V3 Router’s use of ECDSA, the algorithm securing its MPC wallet by generating private keys."
"The key here is that every k value calculated in the algorithm should be based on a different, random number for each signature. If two or more transactions contain a repeated k value, then the private key can be back-calculated."
"This potential security flaw has been known since 2010, when console hacking group fail0verflow detailed the process here (p123-129). And its application to blockchain keys was later detailed in 2013."
"Despite this, Anyswap’s post-mortem states that the attacker detected a repeated k value in two of the V3 Router’s transactions on BSC, and was able to back-calculate the private key."
"The bridges are burning. Anyswap and Chainswap in 24 hours. They say it's fixed, but can you trust them?"
"[O]nly the new V3 cross-chain liquidity pools have been affected." "An exploit was detected in the new anyswap v3 prototype, all bridge funds used in v1/v2 are safe. Remedial action already in place for all exploited funds." "All v1/v2 bridge transactions have been audited, they don’t have the same R transactions. Bridges are safe."
Losses were "2,398,496.02 USDC and 5,509,222.73 MIM in total." "Anyswap has already put remedial actions in place to provide full compensation. Anyswap will compensate. Thus, liquidity providers will be able to withdraw their assets from the pool once again when the liquidity is refilled by Anyswap pending the 48-hour timelock."
"To facilitate future security, Anyswap will reward anyone who reports bugs to us. This will help us build truly secure and even better cross-chain solutions."
"Although action was taken relatively quickly to prevent another attack, @nicksdjohnson is of the opinion that the patch does not do enough."
"Setting aside the fact that there's a much better, industry standard solution to this, their patch: Fails catastrophically (exposing users to another hack) if you accidentally delete a file, or restore from an old backup, or move to a new server."
"And it requires every signature request to scan every previous one, but really that's the smallest problem here."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 10th, 2021 | Main Event | Two V3 Router transactions signed by the Anyswap MPC account on BSC shared the same R value. The attacker used them to deduce the account's private key and drained 2,398,496.02 USDC and 5,509,222.73 MIM (about $7.8M) from the new V3 cross-chain liquidity pools; v1/v2 bridge funds were not affected. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
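An added check and mitigation (not code from the page or from Anyswap): the audit below flags the repeated-R condition the post-mortem quotes describe, and the nonce routine derives k per RFC 6979, the deterministic-nonce standard assumed here to be the "industry standard solution" @nicksdjohnson refers to (the page does not name it). Signer names, hash values and the sample records are constructed.

```python
import hmac
import hashlib
from collections import defaultdict

# Group order n of secp256k1, the curve behind the BSC/Ethereum accounts
# involved here (including the Anyswap V3 Router MPC account).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def audit_repeated_r(records):
    """Return {(signer, r): [msg_hashes]} for every r one signer reused across
    different message hashes: the nonce-reuse condition from the post-mortem.
    The same message signed twice with the same r is benign (deterministic
    nonces do that by design) and is not reported.
    records: iterable of (signer, r, s, msg_hash) tuples."""
    seen = defaultdict(set)
    for signer, r, _s, msg_hash in records:
        seen[(signer, r)].add(msg_hash)
    return {key: sorted(msgs) for key, msgs in seen.items() if len(msgs) > 1}


def rfc6979_nonce(priv, msg_hash, n=SECP256K1_N):
    """Deterministic ECDSA nonce k per RFC 6979 (HMAC-SHA256, 256-bit group).
    priv and msg_hash are ints < 2**256.  Equal inputs give equal k, different
    messages give different k, so no RNG and no history scan are needed."""
    x = priv.to_bytes(32, "big")                 # int2octets(priv)
    h = (msg_hash % n).to_bytes(32, "big")       # bits2octets(H(m))
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    V, K = b"\x01" * 32, b"\x00" * 32
    K = mac(K, V + b"\x00" + x + h)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x + h)
    V = mac(K, V)
    while True:
        V = mac(K, V)                            # T = V; one block fills 256 bits
        k = int.from_bytes(V, "big")             # bits2int(T)
        if 1 <= k < n:
            return k
        K = mac(K, V + b"\x00")                  # k out of range: rekey and retry
        V = mac(K, V)


# Constructed sample log: the first two signatures share r for different
# message hashes, the pattern the post-mortem describes on BSC.
SAMPLE_RECORDS = [
    ("mpc-router", 0xA1, 0x11, 0xD1),
    ("mpc-router", 0xA1, 0x22, 0xD2),
    ("mpc-router", 0xB2, 0x33, 0xD3),
]
```

Validate rfc6979_nonce against the RFC 6979 test vectors before relying on it; with deterministic nonces the history scan becomes a monitoring check rather than the signer's only defence.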
Total Amount Lost
The total amount lost has been estimated at $7,800,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
One of the key requirements of an effective multi-sig is simplicity. When additional complexity is added, the opportunity for exploits increases dramatically, and it is no longer possible to evaluate the security setup.
AnySwap plans to compensate affected users, so no lasting losses to users are anticipated in this case.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. No Title (Jul 24, 2021)
2. Anyswap Multichain Router V3 Exploit Statement (Jul 24, 2021)
3. @cmichelio Twitter (Jul 24, 2021)
4. Rekt - Anyswap - REKT (Jul 30, 2021)
5. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
6. Can derive the private key? Anyswap cross-chain bridge is analyzed | by Knownsec Blockchain Lab | Medium (Aug 11, 2021)
7. CertiK Blockchain Security Leaderboard (Jun 1, 2021)
8. AnySwap - Cross Chain DEX (Aug 22, 2021)
9. Anyswap DEX User Guide — Anyswap 1.0.0 documentation (Aug 22, 2021)
10. A Comprehensive Review Of The Cross-Chain DEX Anyswap (Aug 22, 2021)
11. Ethereum Transaction Hash (Txhash) Details | Etherscan (Aug 28, 2021)
12. Ethereum Transaction Hash (Txhash) Details | Etherscan (Aug 28, 2021)
13. Binance Transaction Hash (Txhash) Details | BscScan (Aug 28, 2021)
14. Fantom Transaction Hash (Txhash) Details | FtmScan (Aug 28, 2021)
15. Address 0x0aE1554860E51844B61AE20823eF1268C3949f7C | Etherscan (Aug 28, 2021)
16. @tayvano_ Twitter (Aug 28, 2021)
17. Recovering Bitcoin private keys using weak signatures from the blockchain / Nils Schneider (Aug 28, 2021)
18. @nicksdjohnson Twitter (Aug 28, 2021)
19. @MultichainOrg Twitter (May 7, 2022)
20. Anyswap got hacked (May 7, 2022)
21. Anyswap Multichain Router V3 Exploit Statement (May 7, 2022)
22. Rekt - Anyswap - REKT (May 7, 2022)
23. Random Numbers Don’t Lie: A Closer Technical Look into Recent DeFi Hacks (May 7, 2022)
24. How Hackers Can Exploit Weak ECDSA Signatures (May 7, 2022)