Atomic Loans Close Call
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Atomic Loans created a service where, rather than provide your funds to a central custodian, they could instead be provided to a hot wallet smart contract. Rather than trusting a human being, you would trust arbitrary open source code.
Despite two separate security audits, the code still had vulnerabilities. Luckily, those vulnerabilities were found by a security researcher instead of being exploited by a hacker.
This exchange or platform is based in Canada, or the incident targeted people primarily in Canada.[1][2][3][4][5][6][7][8][9]
About Atomic Loans
"Toronto-based" "Atomic Loans aims to bring decentralized finance to the bitcoin market." "Non-custodial Bitcoin-backed loans. Giving custody is not okay. Do it the Bitcoin way." "Access liquidity to pay bills and expenses for yourself and your business." "We understand how it feels to send your Bitcoin to some custodian and hope for the best. With AtomicLoans, your Bitcoin is locked via native Bitcoin scripts." "There’s no application needed to start using Bitcoin, no business hours that Bitcoin adheres to." "Get access to a Bitcoin-backed loan at any time, from anywhere, in a matter of minutes." "Atomic Loans’ decentralized platform allows borrowers and lenders to engage in peer-to-peer bitcoin-backed loans, without the need for centralized custodians."
“Bitcoin is a currency where much of its value is derived from being open, transparent, borderless, and censorship-resistant. It runs 24/7 and you never need someone’s permission to use it,” said Tony Cai, co-founder and CEO of Atomic Loans. “We want to help build a future where financial tools for bitcoin can share every single one of those characteristics as well.”
"Security is the highest priority of the Atomic Loans team." "The protocol’s contract code and balances are publicly verifiable." "Our Bitcoin scripts and Ethereum smart contracts have been reviewed and audited by Quantstamp and ConsenSys Diligence."
"The [first ConsenSys Diligence] audit team evaluated that the system is secure, resilient, and working according to its specifications." "ConsenSys Diligence [then] conducted a second security audit on the Atomic Loans smart contract system." "The audit team evaluated that the system is secure, resilient, and working according to its specifications." A "smart contract audit was [also] prepared by Quantstamp, the protocol for securing smart contracts." "Quantstamp has assessed the Atomic Loans smart contracts and Bitcoin scripts, and consider them to be well-architected and adherent to the provided specification. No critical security issues were detected during this audit, however we provide several suggestions for code improvements based on issues found during the audit."
"The Site and the Services are provided on an “as is” and “as available” basis. Use of the Site and the Services is at your own risk. To the maximum extent permitted by applicable law, the Site and the Services is provided without warranties of any kind, whether express or implied." "You acknowledge that applications are code that are subject to flaws and acknowledge that you are solely responsible for evaluating any available code provided by the Services. You further expressly acknowledge and represent that applications can be written maliciously or negligently, that we cannot be held liable for your interaction with such applications."
"[T]he Atomic Loans v1 beta was at $255,173 in stablecoin supplied, $90,290 in stablecoin borrowed, and ~23.9 BTC locked (total value locked: $485706). We also reached a total of $202,333 in total loans originated since launch."
"On Sunday, June 21st, security researcher @samczsun privately disclosed two vulnerabilities in the currently deployed contracts and lender agents." "Both vulnerabilities would've allowed a malicious borrower to unlock part/all of their BTC collateral without repaying their loan in specific circumstances."
"A malicious borrower could’ve unlocked their BTC collateral without repaying their loan by front-running a loan cancellation transaction from the lender after the lender secret has already been revealed in the mempool." "Lender funds could have been impacted if the vulnerability had been exploited and the lender is unable to pay a high enough gas fee to ensure the loan cancellation succeeded."
"Although we had two audits done on the smart contracts, as well as an internal audit done by the team, it showed us it is still possible for these types of issues to slip through the cracks."
"Atomic Loans issued a decision on vulnerability disclosure and suspension of new loan requests." "On Monday, June 23rd, we pushed an update to lender agents, effectively disallowing new loan requests."
"This vulnerability could be easily fixed by adding a withdrawExpiration to the withdraw function in the Loans contract." "We have notified the issues to both our previous auditors, ConsenSys Diligence and Quantstamp for additional feedback. We want to do our part in helping the auditing community understand how we can better identify these types of vulnerabilities in cross-chain systems moving forward."
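The race described in the disclosure quotes above (a borrower front-running the lender's cancellation once the lender secret is visible in the mempool) and the stated remedy (a withdrawExpiration on withdraw) can be illustrated with a reduced model. The following Solidity contract is an added example written for this page; it is not the Atomic Loans Loans contract, and every name in it (LoanCollateralModel, withdrawVulnerable, cancel, the Loan struct fields) is an assumption. The Bitcoin-side script that the revealed secret would unlock is outside the model; only the Ethereum-side ordering problem is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified model of the failure mode described on this page.
/// Not the Atomic Loans contract: names, fields and structure are assumptions.
/// Token transfers are omitted; only the state machine and its guards matter here.
contract LoanCollateralModel {
    struct Loan {
        address borrower;
        address lender;
        bytes32 lenderSecretHash;   // sha256 of the lender's secret
        uint256 withdrawExpiration; // after this timestamp withdraw() is refused
        bool cancelled;
        bool withdrawn;
    }

    mapping(uint256 => Loan) public loans;
    uint256 public nextLoanId;

    event LoanCreated(uint256 indexed id);
    event Withdrawn(uint256 indexed id);
    event LoanCancelled(uint256 indexed id, bytes32 lenderSecret);

    /// Borrower opens a loan against a lender; withdrawWindow is how long the
    /// borrower has to take the principal before the lender may cancel.
    function create(address lender, bytes32 lenderSecretHash, uint256 withdrawWindow)
        external
        returns (uint256 id)
    {
        id = nextLoanId++;
        loans[id] = Loan({
            borrower: msg.sender,
            lender: lender,
            lenderSecretHash: lenderSecretHash,
            withdrawExpiration: block.timestamp + withdrawWindow,
            cancelled: false,
            withdrawn: false
        });
        emit LoanCreated(id);
    }

    /// Vulnerable shape: nothing bounds withdraw() in time, so while the lender's
    /// cancel(...) sits in the mempool (secret already visible) the borrower can
    /// submit withdraw() with a higher gas price and have it mined first.
    function withdrawVulnerable(uint256 id) external {
        Loan storage loan = loans[id];
        require(msg.sender == loan.borrower, "not borrower");
        require(!loan.cancelled && !loan.withdrawn, "loan closed");
        loan.withdrawn = true;
        emit Withdrawn(id);
    }

    /// Hardened shape: the same call, additionally refused once withdrawExpiration
    /// has passed. Because cancel() requires the opposite condition on the same
    /// block.timestamp, no block can contain both a successful withdraw() and a
    /// successful cancel(), so front-running the cancellation gains nothing.
    function withdraw(uint256 id) external {
        Loan storage loan = loans[id];
        require(msg.sender == loan.borrower, "not borrower");
        require(!loan.cancelled && !loan.withdrawn, "loan closed");
        require(block.timestamp < loan.withdrawExpiration, "withdraw window expired");
        loan.withdrawn = true;
        emit Withdrawn(id);
    }

    /// Lender cancels an unwithdrawn loan by revealing the secret. The time guard
    /// is what makes the reveal safe: by the time the secret is public, withdraw()
    /// can no longer succeed in the hardened version.
    function cancel(uint256 id, bytes32 lenderSecret) external {
        Loan storage loan = loans[id];
        require(msg.sender == loan.lender, "not lender");
        require(!loan.cancelled && !loan.withdrawn, "loan closed");
        require(block.timestamp >= loan.withdrawExpiration, "withdraw window still open");
        require(sha256(abi.encodePacked(lenderSecret)) == loan.lenderSecretHash, "bad secret");
        loan.cancelled = true;
        emit LoanCancelled(id, lenderSecret);
    }
}
```

The property worth checking in review is that the two time guards are exact complements (`<` in withdraw, `>=` in cancel) over the same stored timestamp; a gap or overlap between them would reopen a window in which both transactions are valid and block ordering, rather than the contract, decides who gets the funds.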
"Up to now, neither of these vulnerabilities was exploited by any users, and there were no funds impacted on the platform. Additionally the platform has disabled the ability for any borrower or lender to participate in new loans until they launch v2." "Additionally, ahead of V2 launch, we are planning on organizing a white-hat hacker event, in addition to multiple audits and implementing a bug bounty program."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| June 24th, 2020 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
No funds were lost.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
While it's a valid concern to avoid placing funds in the control of a single human being, historically, there hasn't been a documented exit scam involving a known group of people and funds which were fully backed.
An alternative and greater form of security would include a multi-sig with at least one trusted human component.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- SlowMist Hacked - SlowMist Zone (May 18, 2021)
- Non-Custodial Bitcoin-backed loans | Atomic Loans (Jul 26, 2021)
- Security · AtomicLoans/atomicloans-rfc Wiki · GitHub (Jul 26, 2021)
- GitHub - ConsenSys/atomic-loans-audit-report-2019-07: Atomic Loans audit report (Jul 26, 2021)
- Atomic Loans | ConsenSys Diligence (Jul 26, 2021)
- Bringing Bitcoin to DeFi (Jul 26, 2021)
- Atomic Loans Terms of Service (Jul 26, 2021)
- Vulnerability Disclosure and Decision to Pause New Loan Requests (Jul 26, 2021)
- Atomic Loans - Crunchbase Company Profile & Funding (Jul 26, 2021)