Ascendex Hot Wallet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!


Singapore-based BitMax, now renamed AscendEX, suffered a security breach in which an unauthorized actor gained access to its hot wallets by exploiting a hardware vulnerability. The total funds taken were estimated at $77.7m and were spread across a wide range of currencies. The majority of funds on the platform remained safe because they were held in cold storage, and the exchange vowed to cover all user balances.

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28]

About Ascendex

"AscendEX, launched under the name “BitMax” in July 2018, offers exchange, custody, and staking services to over one million retail and institutional clients globally." "Buy and sell BTC, ETH, LTC, DOGE, and other altcoins." "Trade over 100 cryptocurrencies including BTC, ETH, LTC, DOGE, Altcoins, Stablecoins and Platform Tokens." "AscendEX is a leading global digital asset financial platform founded by a group of Wall Street quantitative trading veterans in 2018." "AscendEX has a total of 253 tokens listed and provides innovative product offerings, including: ASD Investment Multiple Cards, Airdrop Multiple Cards, Staking Services, and more." "The Singapore-based cryptocurrency exchange AscendEX [was] formerly known as BitMax until March 2021."

"SINGAPORE--(BUSINESS WIRE)--AscendEX, a global cryptocurrency financial platform, has announced the close of a $50 million Series B raise led by Polychain Capital and Hack VC, with participation from Jump Capital and Alameda Research, as well as Uncorrelated Ventures, Eterna Capital, Acheron Trading, Nothing Research, and Palm Drive Capital. Imperii Partners served as an exclusive financial advisor to AscendEX in support of the Series B fundraise process."

“We are grateful to have very prominent investors involved in our latest fundraising round,” said George Cao, CEO and Co-founder of AscendEX. “Polychain Capital and Hack VC, as active catalysts of the DeFi ecosystem, have backed some of the industry’s most innovative blockchain networks, exchanges, and trading institutions. Similarly, Alameda Research, founded by Sam Bankman-Fried, has emerged as one of the most prolific investors in the industry, fueling growth within both CeFi and DeFi. Participation from Jump Capital, a seasoned Crypto and Fintech investor, further showcases the success of our deep roots in traditional finance, as AscendEX’s core team is proud of our extensive experience in Wall Street quant trading.”

"2021 has been another year of accelerated growth for all of us at AscendEX! The year began with a major milestone -- AscendEX’s native token ASD (previously BTMX) ranked as one of the “top 100” cryptocurrencies, which was a remarkable testament to our growth and the contributions from market participants, global users, and the greater blockchain industry. Throughout the year, the AscendEX team has accelerated our tradition of continuous product innovation and client-first strategies by further enhancing our platform’s core functionalities, expanding our global communities, and driving brand awareness. As the market matures with broader adoption underway, AscendEX continues to rise through consistency and excellence in performance and delivery in the ever-evolving digital asset industry."

The Reality

Hot wallets of cryptocurrency exchanges have been a highly lucrative target for hackers for as long as they have existed.

What Happened

"On December 11th, an individual or number of criminal actors gained unauthorized passthrough access to AscendEX’s hot wallet infrastructure and initiated a number of transfers on the Ethereum, Polygon, Binance Smart Chain, Litecoin, and Bitcoin Cash networks."


The crypto trading platform AscendEX, previously known as BitMax, was hacked for an estimated $78 million worth of digital assets. The exchange plans to fully reimburse all affected users and stated that the compromised assets represent a relatively small percentage of the total exchange assets. The stolen assets include stablecoins like USDT and USDC, as well as other tokens like taraxa (TARA), shiba inu (SHIB), AAVE, and compound (COMP). AscendEX has frozen deposit and withdrawal services but aims to restore them in the coming days after a thorough security review.[29]

Key Event Timeline - Ascendex Hot Wallet Hack
| Date | Event | Description |
|---|---|---|
| December 11th, 2021 3:00:00 PM MST | Internal Security Audit Detection | "At around 22:00 UTC on Dec 11, 2021, AscendEX’s internal security audit report identified that a number of ERC-20, BSC, and Polygon tokens were transferred out of the exchange’s hot wallets." |
| December 13th, 2021 1:56:00 AM MST | CryptoNews Article Published | CryptoNews reports that AscendEX was hacked for an estimated $78 million worth of digital assets. The exchange plans to fully reimburse all affected users and stated that the compromised assets represent a relatively small percentage of the total exchange assets. The stolen assets include stablecoins like USDT and USDC, as well as other tokens like taraxa (TARA), shiba inu (SHIB), AAVE, and compound (COMP). AscendEX has frozen deposit and withdrawal services but aims to restore them in the coming days after a thorough security review.[29] |

Technical Details

[30][31]

"At around 22:00 UTC on Dec 11, 2021, AscendEX’s internal security audit report identified that a number of ERC-20, BSC, and Polygon tokens were transferred out of the exchange’s hot wallets."

"Of the stolen tokens, the relatively unknown Taraxa (TARA) accounted for the highest figure at $10.8 million. TARA is the native token of the Taraxa network, which claims to be purpose-built for audit logging of informal transactions." "Other impacted tokens include Tether (USDT) with a loss of $5.7 million, USD Coin (USDC) at $5 million, Shiba Inu worth $145,000 and Polygon MATIC valued at $691,000." "An in-depth security audit identified the breach as the result of an exploit of hardware-level vulnerability from third-party infrastructure utilized by AscendEX. The infiltration was carried out by highly sophisticated perpetrators."


Total Amount Lost


The total amount lost has been estimated at $77,700,000 USD.

Immediate Reactions


"22:00 UTC 12/11, We have detected a number of ERC-20, BSC, and Polygon tokens transferred from our hot wallet. Cold Wallet is NOT affected. Investigation underway. If any user’s funds are affected by the incident, they will be covered completely by AscendEX." "These assets constituted a relatively small percentage of total exchange holdings. AscendEX cold wallets are unaffected by this incident."

"We have confirmed movement of the funds across ERC-20, Polygon, BSC, and xDAI wallets." "Shortly after these unauthorized transactions occurred, our internal monitoring systems detected an anomaly and initiated emergency security protocols." "We immediately initiated our security protocols and have implemented a number of concrete actions to mitigate the impact to our community and resolve this in earnest." "Out of the lot, around $60 million worth of tokens were transferred over the Ethereum blockchain alone. Tokens stolen from BSC and Polygon are worth $9.2 million and $8.5 million, respectively."

"We have temporarily halted all deposits and withdrawals from the platform and are working diligently to restore this service gradually after it is completely safe and secure to do so. Following a thorough security review, we will reopen the platform and allow all users to transfer assets. Trading remains active and has not been halted." "Trading, staking, and yield farming services remain active and has not been halted."

"[W]e want to reinforce our commitment to providing a secure and trusted environment for our users and resolving this situation quickly and efficiently." "We are in the process of standing up a new hot wallet infrastructure and estimate deposits and withdrawals to resume in the next 36 – 48 hours. Trading, staking, and yield farming services have not been impacted by this security incident and remain active. We plan to resume withdrawals gradually, beginning with Ethereum. Any user that wishes to withdraw their assets will be permitted to do so in an uninterrupted capacity once withdrawals reopen for the particular coin or token."

"AscendEX will release a comprehensive security post-mortem report in the coming days to provide transparency on the root cause of the incident as well as the actions we have taken to mitigate future risks."

Ultimate Outcome

AscendEX claimed to have identified the wallets to be with Binance, Bitfinex, and OKEx. They reportedly planned to cover all losses for affected users.


"In its post-mortem, the Singaporean exchange claimed to have identified the perpetrators’ wallets to be with Binance, Bitfinex, and OKEx."

"Doing right by our customers is our obligation. Any impacted customers will be 100% reimbursed for their losses. Especially in the cryptocurrency industry, where community is the driving force of innovation, it is important for AscendEX to always remain true to our users," the company said.

"AscendEX will fully reimburse all affected customers. Unimpacted assets have been transferred to our cold wallet for security as we continue to investigate." "We are working with all impacted projects to mitigate any potential damage to their communities and have encouraged impacted projects to freeze transfers, as contracts allow. Many projects are exploring the possibility of reissuing tokens to users." "AscendEX is working very closely with token projects and encouraging all heavily impacted projects to pursue token swaps to ensure network integrity and limit the impact to their community. Bemil Coin and Zignaly are two examples of heavily impacted projects that have exercised a token swap. AscendEX is supportive of this recourse as a way to protect the integrity of the projects’ networks."

"AscendEX continues to work in close collaboration with token projects to protect not only our community, but theirs, as well. We are supporting engineering costs for projects that perform token swaps, and many of the heavily impacted projects have already begun these swaps to ensure network integrity. Bemil Coin and Zignaly have been the first to exercise token swaps and have saved their communities more than $8M worth of tokens as a result." "Of the projects that were impacted by the attack, five have conducted a smart contract migration. These projects are Zignaly, Bemil Coin, Gather, BTC Proxy, and Aubit. As a result of the swift action taken by these projects, over $10 million in assets were recovered."

"We have deployed a completely new hot wallet infrastructure, meaning no single aspect of our legacy technology or hardware was reused." "The new infrastructure not only addresses the root cause of the issue, but it exhausts many additional redundant security measures and fail-safes to ensure a breach is probabilistically unfeasible using Defense in Depth (“DiD”) techniques." "Accordingly, each account has been assigned NEW deposit addresses for each network. Deposits must be made to newly assigned addresses in order to be credited."

"Deposit and withdrawals services will begin with Ethereum and we will gradually resume services for other assets to ensure a smooth reopening of the platform. Any user that wishes to withdraw their assets will be permitted to do so once withdrawals reopen for the particular coin or token. As a reminder, trading, staking, and yield farming services have not been impacted by this security incident and remain active." "We’re happy to announce that deposits and withdrawals will be opened at approximately 3:00 UTC, December 16th."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

"AscendEX has been working closely with law enforcement and cybersecurity institutions including Ledger and Chainalysis to reinforce process controls, infrastructure security, compliance, and account-level security leveraging industry-leading security controls." "We are working with law enforcement and collaborating with leading blockchain forensic firms to track and monitor the transferred assets. We have also communicated with other exchanges to blacklist the wallets associated with the incident."

"As always, we are grateful for your continued support. As the investigation continues, we will remain in regular communication with our users, projects, and other key members of the community to resolve this situation and ensure timely, equitable solutions for any impacted users."

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual. Ascendex fully covered all funds.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

While the most secure storage by far is a multi-signature wallet with all keys properly held by trained individuals, security of hot wallets can be improved by having additional experts review the security of systems. Independent reviews by a variety of experts can give the best chance of uncovering vulnerabilities that exist. Having an industry insurance fund provides a mechanism for selecting and evaluating expert firms to serve as reviewers, as well as a fallback in the event a breach occurs.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Further validation of the security policies of platforms can lead to greater security by uncovering vulnerabilities in the system. Having independent reviews by a variety of experts can give the best chance of uncovering vulnerabilities that exist. Having an industry insurance fund provides a mechanism for selecting and evaluating expert firms to serve as reviewers, as well as a fallback in the event a breach occurs.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be repeated within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Ascendex Hacked — Exchange Loses $77 Million in ERC20, BSC, Polygon Tokens – Bitcoin News (Dec 12, 2021)
  2. AscendEX: Cryptocurrency Trading Platform | Bitcoin & Crypto Exchange (Dec 24, 2021)
  3. AscendEX will list CryptoArt this afternoon - CoinCu News (Dec 25, 2021)
  4. Hackers stole a number of tokens from the AscendEX exchange hot wallet, the loss was estimated at $ 77.7 million - CoinCu News (Dec 25, 2021)
  5. 2021 “Three Years Later… A Celebration of Success and the Best is Yet to Come” A Letter to the AscendEX Global Community | Help Center | AscendEX (Dec 25, 2021)
  6. AscendEX loses $80M following ERC-20, BSC, Polygon hot wallet compromise (Dec 25, 2021)
  7. Login • Instagram (Dec 25, 2021)
  8. @peckshield Twitter (Dec 25, 2021)
  9. Security Incident Update: Deposits & Withdrawals to Resume within 36-48 hours (est) | Help Center | AscendEX (Dec 25, 2021)
  10. Important Notice | Help Center | AscendEX (Dec 25, 2021)
  11. The Deposit and Withdrawal of More Assets Resumed on AscendEX | Help Center | AscendEX (Dec 25, 2021)
  12. AscendEX Temporary Suspension Deposit & Withdrawal | Help Center | AscendEX (Dec 25, 2021)
  13. Dec. 11 Security Incident | Help Center | AscendEX (Dec 25, 2021)
  14. Dec. 11 Security Incident - Follow-Up Announcement | Help Center | AscendEX (Dec 25, 2021)
  15. Dec. 11 Security Incident - Timing for Resuming Deposit and Withdrawal Services | Help Center | AscendEX (Dec 25, 2021)
  16. Dec. 11 Security Incident Report | Help Center | AscendEX (Dec 25, 2021)
  17. @AscendEX_Global Twitter (Dec 25, 2021)
  18. Weekly Roundup Dec 4 Dec 10 2021 (Dec 25, 2021)
  19. AscendEX suspends crypto withdrawals as hack wipes out $77.7 million worth of Ethereum, Polygon and other tokens | Business Insider India (Dec 25, 2021)
  20. https://www.businesswire.com/news/home/20211103006190/en/AscendEX-Announces-a-50mm-Series-B-Raise-Led-by-Polychain-Capital-and-Hack-VC (Dec 25, 2021)
  21. AscendEx exchange loses $77M in hack, promises full compensation - CoinGeek (Dec 25, 2021)
  22. Crypto Exchange AscendEX (Formerly Bitmax) Hacked: $80 Million Allegedly Stolen (Dec 25, 2021)
  23. AscendEX Exchange Loses $77.7M in Latest Crypto Hack - Crypto Briefing (Dec 25, 2021)
  24. After theft of $77.7 million, victim AscendEX to reimburse customers | ZDNet (Dec 25, 2021)
  25. @AscendEX_Global Twitter (Dec 25, 2021)
  26. Crypto exchange AscendEX hacked for $78 million in latest swindle (Dec 25, 2021)
  27. Crypto Exchange AscendEX Hacked, Losses Estimated at $77M (Dec 25, 2021)
  28. Santa Hackathon? Visor Finance Marks 7th Hack in December (Dec 1, 2022)
  29. Hacked AscendEX to Reimburse Users, Says 'Relatively Small Percentage' Impacted - CryptoNews (Dec 1, 2022)
  30. https://twitter.com/AscendEX_/status/1470029527300595713 (Sep 7, 2023)
  31. https://twitter.com/peckshield/status/1469915194004766722 (Sep 7, 2023)