Dego Finance Key Compromised
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in the initial sources. Several sources listed in the References have not yet been attributed to specific statements; the unattributed sources are cited together after the initial description. Please check the References at the bottom for further information and perform your own additional assessment.
Dego Finance offers infrastructure for NFT projects to acquire users, distribute tokens, and auction or trade NFTs. It was a relatively little-known project when it came under attack, apparently because of compromised private keys: the team-controlled address that provided DEX liquidity was drained, the DEGO minting contract was used to issue additional tokens, and the proceeds were laundered through Tornado.Cash. Although the project initially stated an intention to reimburse affected users, its subsequent communication has been cryptic and no reimbursement plan has been published.
This is a global/international case not involving a specific country. [1][2][3][4]
About Dego Finance
"DEGO Finance is an NFT+DeFi protocol and infrastructure with two functions: The project acts as an independent and open NFT ecosystem drawing users to the blockchain space. The NFT Suite offers services covering the full NFT lifecycle, enabling anyone to issue NFTs, participate in auctions, and trade NFTs."
"DEGO Finance is also building an NFT protocol to provide a cross-chain Layer 2 infrastructure. By building on multiple blockchains such as Binance Smart Chain, Ethereum, and Polkadot, DEGO Finance enables blockchain projects to acquire users, distribute tokens and develop more diverse NFT applications." "Recently, DEGO has embarked on a new journey on GameFi and will input more on R&D of Blockchain Games, Tokenisation of Game Assets, Asset Lending, and more."
"For the uninitiated, Dego Finance saw the light of day in 2020 and offered both DeFi and NFT tools. It claimed to be an open-NFT ecosystem that allowed users to mint non-fungible tokens and initiate NFT mining, in addition to auctions and trading."
"It also offers a cross-chain infrastructure to facilitate blockchain ventures to ramp up the user base, distribute tokens, as well as develop more diverse NFT-based apps. In March 2021, Binance announced listing the project in the Innovation Zone."
What Happened
"At 3 AM UTC 10th/Feb/2022, we detected abnormal change of DEGO price on DEX and centralised exchange too." "$10M taken from Dego Finance and their partner Cocos-BCX."
Date | Event | Description |
---|---|---|
February 9th, 2022 9:40:00 PM MST | Close of Deposits | Dego Finance announces that its liquidity-providing address was hacked and that Binance, KuCoin and Gate.io have closed DEGO deposits at the team's request[9]. |
February 9th, 2022 11:25:00 PM MST | PeckShield Alert Tweet | PeckShield posts a tweet with the location of the stolen funds[10]. |
February 10th, 2022 1:31:00 AM MST | Tweet About Incident | Dego Finance post that "Today is a sad day. We are investigating the cause and trying to recover the loss."[11]. |
February 10th, 2022 3:35:21 AM MST | CryptoPotato Article Published | CryptoPotato reports the hack and a loss of over $10 million, the halting of DEGO deposits on Binance, KuCoin and Gate.io, PeckShield's finding that the exploiters withdrew funds from 13 addresses on Binance Smart Chain, Ethereum and Cronos, and a drop of nearly 20% in the DEGO price[12]. |
February 22nd, 2022 1:04:00 AM MST | Existential Questions | Dego Finance is back to posting about existential questions[13]. |
Technical Details
PeckShield Technical Analysis
PeckShield's alert read: "The exploiters withdrew more than $10 million from @dego_finance & @CocosBCX! The illegal assets are currently here ETH&BSC"[10]. The funds were at 0x118203b0f2a3ef9e749d871c8fef5e5e55ef5c91 on both Ethereum and BSC. A list of the drained wallet addresses was also provided.
"The hacker has drained DEGO pairs liquidity provided by the team on UniSwap and Pancake Swap, subsequently stealing 2613.40 BNB, 378.76 ETH and 492,316.41 DEGO tokens." "The hacker also hijacked DEGO’s Minting contract and minted a total of 1,185,164.71 DEGO tokens." "The exploiters withdrew more than $10 million from @dego_finance & @CocosBCX!"
"Attacker’s address (0x118…c91) obtained assets worth more than $2.4 million on BSC, more than $4.9 million on ETH. Even assets on Cronos 196,256.723USDT and 199,401.967USDC were exploited."
"The hacker used Tornado.Cash to mix funds." "The Hacker liquidated 1,288,233.59 DEGO tokens through an instant exchange service (DEGO Price fell by 12.90% from $4.42 — $3.85 by 12 PM UTC 9th/Feb/2022), which operates accounts on centralised exchanges and offers No-KYC service. Some of the proceeds were converted to BTC and XMR." "Dego Finance’s token, DEGO took a severe beating following the hack. It slumped by almost 20% from $4.50 to $3.65 in the wee hours of Thursday morning."
CryptoPotato reports that Dego Finance, a cross-chain DeFi and NFT tool, was hacked on February 10, resulting in the loss of over $10 million. The protocol collaborated with major exchanges like Binance, Kucoin, and Gate.io to halt deposits of its native token, DEGO, and urged other platforms to do the same. The hack affected Dego Finance's own liquidity address on Uniswap and PancakeSwap, leading to the draining of DEGO pairs liquidity. The company requested the hackers to come forward and communicate while seeking assistance from security teams. Peckshield, a blockchain security company, reported that the exploiters withdrew funds from 13 addresses belonging to Binance Smart Chain, Ethereum, and Cronos. Following the hack, DEGO token experienced a significant drop of nearly 20% in value. Dego Finance offers DeFi and NFT tools, including NFT mining, auctions, and trading. Rug pulls and hacks have been a persistent issue in the DeFi space, with 2021 seeing a significant rise in such incidents[12].
Total Amount Lost
The total amount lost has been estimated at $10,000,000 USD.[8]
The figures reported by the team and by PeckShield break down as follows:
- Liquidity drained from the team's DEGO/ETH (Uniswap) and DEGO/BNB (PancakeSwap) positions: 2,613.40 BNB, 378.76 ETH and 492,316.41 DEGO.
- Unauthorised issuance through the hijacked minting contract: 1,185,164.71 DEGO.
- Attacker proceeds by chain, per PeckShield: more than $2.4 million on BSC, more than $4.9 million on Ethereum, plus 196,256.723 USDT and 199,401.967 USDC on Cronos.
The per-chain figures sum to roughly $7.7 million, below the $10 million headline figure that most reports repeat. The sources on this page do not reconcile the two; the difference most likely depends on the DEGO price used to value the stolen and minted tokens, which fell by 13-20% during the incident. A further 602,562.35 DEGO reportedly remained in the attacker's hands after exchanges froze deposits and could not be liquidated.
Immediate Reactions
Dego Finance Twitter Posts
We've always been there. Today is a sad day. We are investigating the cause and trying to recover the loss.
"The team looked into this anomaly and quickly concluded there has been a well-organised hacking event from approx. 11:29 PM UTC 9th/Feb/2022, targeting DEGO team addresses hosting DEGO tokens and DEX liquidity (DEGO/ETH, DEGO/BNB)."
"We have just found out that our address providing liquidity on @UniSwap & @PancakeSwap was hacked hence DEGO pairs liquidity provided by the team was drained. We have already contacted operation team @binance, @kucoincom, @gate_io. They have closed deposit on DEGO."
"Dego have claimed this to be a case of compromised keys." "Dego Finance’s official Twitter handle claimed that its own address providing liquidity on popular decentralized exchanges – Uniswap and PancakeSwap – was compromised. As a result, DEGO pairs liquidity provided by the team was drained."
Ultimate Outcome
"The team contacted major exchanges in private and made public announcements on Twitter to warn all centralised exchanges. We were lucky to receive a quick response from some exchanges that they have shut down DEGO token deposits temporarily to shield users from potential damage on markets."
"Post the news, different exchanges such as Binance, Kucoin, and Gate.io shut all deposits of its native governance and equity token, DEGO. The protocol urged Uniswap, Poloniex, PancakeSwap, WazirX, etc., to do the same to offset the losses."
"After going through all team addresses, we have rescued a good amount of DEGO tokens and stored them somewhere safe."
"We engaged SlowMist and Certik and PeckShield teams for professional advice and solutions." "We worked with EtherScan team and some of the hacker's addresses have been marked."
"Second, we have also heard a lot of conspiracy theories, and we would like to clarify that the team’s assets suffered the most financial loss in this incident, making us the biggest victim. We have been working hard on solutions and are pursuing help from law enforcement."
"A total of 602,562.35 DEGO tokens are still in the hacker’s possession but cannot be liquidated in major exchanges since the lockdown."
“We’ll keep all stakeholders updated on the latest developments, as well as talk to reputable security teams on how to identify the hacker and retrieve loss. We would ask the hacker to come forward and communicate.”
"After the incident, we are happy to receive people's caring messages and helping hands. We'll keep all of you updated on the latest developments while working on a solution for remedy."
Total Amount Recovered
No funds appear to have been recovered from the attacker. The team states that it moved the DEGO tokens remaining in its own addresses to safe storage, and that the 602,562.35 DEGO still held by the attacker cannot be liquidated on major exchanges since deposits were frozen; neither amounts to recovery of the stolen assets.
Ongoing Developments
Rather than incident updates, by February 22nd the Dego Finance Twitter account had returned to posting philosophical musings[13]: "Do you believe that there's an alternative self in parallel time&space? If each parallel world is a light, how many lights do you think are still on? Does the external world still exist? From an idealist view, when our consciousness disappears, the world will disappear."
"Despite their poor security decisions, the DEGO price chart shows a steady recovery, perhaps due to their large following on Twitter (~194K) and other medias."
"Since the attack, Cocos-BCX have switched ownership to a multi-sig."
Individual Prevention Policies
The Dego Finance team failed to protect the private key that controlled their DEX liquidity positions and the DEGO minting contract. Control over those assets and over the protocol's minting authority rested with a single key, which was compromised, apparently because of the limited experience and/or poor operational practices of its holder. Single points of failure of this kind can be uncovered through third-party validation.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The problem appears to have come about because a single key controlled both the team's liquidity positions and the minting contract, and that key was compromised.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
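As an added illustration of the single-key pattern this page attributes to the incident and of the multi-signature requirement recommended above, the following Solidity places a minter gated by one owner key beside one that requires k-of-n signer approval, a timelock once the threshold is reached, and a per-window mint cap. This is not Dego Finance's or Cocos-BCX's code and is not a reconstruction of their contracts; `IMintable`, `SingleKeyMinter` and `ThresholdMinter` are hypothetical names, and the threshold, delay and cap are constructor parameters the deployer must choose.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical interface: the token lets only its designated minter call mint().
interface IMintable {
    function mint(address to, uint256 amount) external;
}

// BEFORE (added illustration, not Dego's code): one EOA key is the sole gate on
// minting, so whoever steals that key can mint an arbitrary amount in one call.
contract SingleKeyMinter {
    IMintable public immutable token;
    address public owner;
    constructor(IMintable _token) { token = _token; owner = msg.sender; }
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        token.mint(to, amount);
    }
}

// AFTER (added illustration): a mint needs `threshold` distinct signer approvals,
// waits `delay` seconds once the threshold is reached, and is capped per window.
// A single compromised key can then neither mint alone nor drain quickly.
contract ThresholdMinter {
    IMintable public immutable token;
    uint256 public immutable threshold; // k of n signers
    uint256 public immutable delay;     // seconds between final approval and execution
    uint256 public immutable windowCap; // max tokens mintable per WINDOW
    uint256 public constant WINDOW = 1 days;
    mapping(address => bool) public isSigner;

    struct Proposal { address to; uint256 amount; uint256 approvals; uint256 readyAt; bool executed; }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public approved;
    uint256 public windowStart;
    uint256 public mintedInWindow;

    event Proposed(uint256 indexed id, address to, uint256 amount);
    event Approved(uint256 indexed id, address signer);
    event Executed(uint256 indexed id);

    modifier onlySigner() { require(isSigner[msg.sender], "not signer"); _; }

    constructor(IMintable _token, address[] memory signers, uint256 _threshold, uint256 _delay, uint256 _windowCap) {
        require(_threshold >= 2 && _threshold <= signers.length, "bad threshold");
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        token = _token;
        threshold = _threshold;
        delay = _delay;
        windowCap = _windowCap;
    }

    // Any signer may open a proposal; proposing counts as that signer's approval.
    function propose(address to, uint256 amount) external onlySigner returns (uint256 id) {
        require(amount <= windowCap, "exceeds window cap");
        proposals.push(Proposal({to: to, amount: amount, approvals: 0, readyAt: 0, executed: false}));
        id = proposals.length - 1;
        emit Proposed(id, to, amount);
        _approve(id);
    }

    function approve(uint256 id) external onlySigner { _approve(id); }

    function _approve(uint256 id) internal {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender);
        // The timelock starts only at the threshold, giving the other signers and
        // off-chain monitoring time to notice an unexpected mint before it lands.
        if (p.approvals == threshold) p.readyAt = block.timestamp + delay;
    }

    function execute(uint256 id) external onlySigner {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.approvals >= threshold, "not enough approvals");
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "timelock active");
        _enforceCap(p.amount);
        p.executed = true;
        token.mint(p.to, p.amount);
        emit Executed(id);
    }

    // Rate limit: a fresh window opens when the previous one has elapsed.
    function _enforceCap(uint256 amount) internal {
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= windowCap, "exceeds window cap");
        mintedInWindow += amount;
    }
}
```

To use this pattern, deploy `ThresholdMinter` with the signer set and then make it the token's sole minter (transferring the token's owner or minter role to it, in the same way Cocos-BCX is reported to have moved ownership to a multi-sig after the attack); the team's LP tokens and treasury should sit behind the same kind of k-of-n control rather than a single externally owned account. The cap bounds how much a fully colluding or fully compromised signer set can issue per day, and the `Approved` and `Executed` events give monitoring something concrete to alert on. A production version would also need a cancel path, signer rotation and handling of a lost key, which are omitted here.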
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
In the event that a platform is still breached, an industry insurance fund can ensure that users are taken care of.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
In the event that a platform is still breached, an industry insurance fund can ensure that users are taken care of.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Rekt - Dego Finance - REKT (Feb 18, 2022)
2. DeFi hack: DEGO Finance loses over $10M, urges exchanges to stop all deposits - AMBCrypto (Feb 22, 2022)
3. To Dego Community Summary Of The Event After A Thorough Investigation And Efforts (Feb 22, 2022)
4. Breaking: Binance Listed DeFi Protocol DEGO Finance Hacked (Feb 22, 2022)
5. https://dego.finance/home (Feb 21, 2022)
6. What is dego.finance - dego.finance (Feb 22, 2022)
7. Morioh (Feb 22, 2022)
8. https://coinmarketcap.com/currencies/dego-finance/ (Feb 22, 2022)
9. Dego Finance - "Dear users, We have just found out that our address providing liquidity on @UniSwap & @PancakeSwap was hacked hence DEGO pairs liquidity provided by the team was drained. We have already contacted operation team @binance, @kucoincom, @gate_io. They have closed deposit on DEGO." - Twitter (Feb 22, 2022)
10. PeckShieldAlert - "The exploiters withdrew more than $10 million from @dego_finance & @CocosBCX ! The illegal assets are currently here ETH&BSC" - Twitter (Feb 22, 2022)
11. Dego Finance - "We've always been there. Today is a sad day. We are investigating the cause and trying to recover the loss." - Twitter (Feb 22, 2022)
12. DeFi Project Dego Finance Hacked: Exploiters Reportedly Drain Over $10M - CryptoPotato (Feb 22, 2022)
13. Dego Finance - "Do you believe that there's an alternative self in parallel time&space? If each parallel world is a light, how many lights do you think are still on? Does the external world still exist? From an idealist view, when our consciousness disappears, the world will disappear." - Twitter (Feb 22, 2022)