Titano Finance Evil Contractors
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Titano is a project which offers an automatic staking protocol, meaning that tokens are automatically staked without the user having to take any action. They used a custom smart contract hot wallet, which was developed by a third party. A backdoor was left in the contract during the deployment, which allowed the third party contractor to later mint unlimited tokens. They exercised this ability. The Titano project was ultimately able to tie them to real world identities through blockchain analysis, at which point the funds were completely returned. A $10k bounty was issued for information that assisted in the recovery.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]
About Titano Finance
"Titano Finance is transforming DeFi with the Titano Autostaking Protocol (TAP) that delivers the industry’s highest fixed APY, rebasing rewards every 30 minutes, and a simple buy-hold-earn system that grows your portfolio in your wallet, fast."
"The Best Auto-Staking & Auto-Compounding Protocol in Crypto. Highest Fixed APY – 102,483%. First Automatic Staking and Compounding in Your Wallet! Get Rewards Every 30 Minutes / 48 Times Daily!"
"Titano itself is original code and is extremely secure against external and even internal exploits. In fact, the code behind Titano is far more secure than most other contracts out there." "The code used to create Titano PLAY, however, was based on pre-existing code that had been employed successfully in other projects for years. Since the code was preexisting and already working, we hired and contracted a developer to assist with implementing it into Titano. This contractor had been recommended to us and was fully public on a well known freelancing website. We had no reason to not trust him and our working relationship was smooth and effective."
"The code used to create Titano PLAY, however, was based on pre-existing code that had been employed successfully in other projects for years. Since the code was preexisting and already working, we hired and contracted a developer to assist with implementing it into Titano. This contractor had been recommended to us and was fully public on a well known freelancing website. We had no reason to not trust him and our working relationship was smooth and effective."
"To prepare and deploy the PLAY contract, the Titano Finance team relied on a contractor who had experience with working with this third-party code on other projects. The contractor was responsible for deploying the smart contract to BSC and then transferred ownership to the Titano Finance team."
"Titano is in the onboarding process of Certik." "A preliminary report has been shared with the project team for their review. Once the review is complete, our security experts will work with the team to remediate the findings."
On February 13th, Titano Finance was "incredibly excited to announce that today we hit a magnificent milestone for Titano Finance. Today, we surpassed a $100m market cap and we now have over 40k Titano holders."
"Over the past month of its operation, we have seen no vulnerabilities and as you who have participated have seen, it has performed perfectly in a real world situation with thousands of active users."
The Reality
Contractors Left A Back Door
Contractors who performed the deployment of the Titano Finance smart contract retained access to the deployer address, while switching the ownership address to the Titano Finance team. The deployer address was left with the ability to update the PrizeStrategy in the smart contract, which could be used to steal funds.
According to the official Titano Finance investigation, “The problem arose when we trusted a contractor to deploy the PLAY contract. Although ownership was transferred back to us after deployment, it was the same deployer wallet that allowed two days ago from our PLAY Hacking that steals all Titano in the protocol.”
"However, as security researcher Chiachih Wu pointed out, the smart contract code included a statement that allowed either the smart contract owner or the deployer of the contract to set the PrizeStrategy for the pool. The Titano hack was allegedly performed by the contractor using the original deployment address.
What Happened
The Titano Finance developers left a backdoor in the smart contract, and later exploited it to withdraw funds.
| Date | Event | Description |
|---|---|---|
| February 13th, 2022 9:49:09 PM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
According to the official Titano Finance investigation, “The problem arose when we trusted a contractor to deploy the PLAY contract. Although ownership was transferred back to us after deployment, it was the same deployer wallet that allowed two days ago from our PLAY Hacking that steals all Titano in the protocol.”
"However, as security researcher Chiachih Wu pointed out, the smart contract code included a statement that allowed either the smart contract owner or the deployer of the contract to set the PrizeStrategy for the pool. The Titano hack was allegedly performed by the contractor using the original deployment address. The contractor was able to exploit these privileges to steal 4828.7 BNB from the contract."
"The attackers made a total of 4,828.7 BNB, or about $190w." "The attackers – alleged to be contractors hired by the crypto project – stole 4828.7 BNB worth over $1.9 million."
Total Amount Lost
The total amount lost has been estimated at $1,949,000 USD.
Immediate Reactions
"On February 14, the Titano Finance project on the BSC chain was attacked." "On Monday 14th February 2022 a hacker was able to steal 4828 BNB from the PLAY protocol." "Titano PLAY was hacked today. Titano, DID NOT mint any tokens. The PLAY contract was compromised, by a malicious hacker who created more Titano Tickets."
"Titano PLAY was hacked today. Titano, DID NOT mint any tokens. The PLAY contract was compromised, by a malicious hacker who created more Titano Tickets."
"As most of you are aware, there was a hack today of Titano PLAY. It took us all by surprise because the protocol for the project is complicated and layered providing strong protection for us. We went through our usual security checks and only released it to the community when we were sure it was working flawlessly and was totally secure." "Needless to say this is disheartening and in addition to being angry, we are also taking every action to apprehend this person and have our funds returned."
"In the meantime we have stopped Titano PLAY until we have removed any vulnerabilities in it. We do not have a timeline to accomplish this, however we will work as quickly as possible while making sure all vulnerabilities are removed."
"And now a note to the hacker. First, we know who you and where you are, and we will be relentless in pursuing you. We will give you 24 hours to return the funds you stole with no penalty. If you do not, the deal is off the table. You should know that we and many of our 42,000 strong Titan community have amazing contacts and a long reach, and we will not let you rest because of what you have done. We consider your actions not just an attack on Titano and our more than community, but against all of the DeFi companies who are committed to helping people to change their lives and find financial freedom. Do the right thing and return the money or you will never be able to rest easy."
Ultimate Outcome
A bounty of $10,000 USD was paid for the discovery.
"The silver lining to this story is that we have been able to pin point the exact people behind this attack. We have ALL of their information and will pursue them. We are working with some excellent members of our community, developers, legal experts, and more and our evidence is strong. The hackers have now been linked back to KYC’d accounts and we will reach out to those exchanges too."
"The Titano team immediately pursued a course of action that allowed us to pinpoint the source of the exploit, identify the individuals involved and then open a dialog with these people. We applied maximum pressure and maintained consistent contact with the hackers in the hours and days since the incident." "During this period the team has been under considerable stress with FUD coming from external parties and even threats of violence coming from the hackers but we persisted."
"All Hacked Funds have been successfully recovered! We have amazing news to report. Our efforts in pursuing the hackers who stole the money from Titano PLAY have been fruitful and all stolen funds have now been returned." "Today however, our efforts bore fruit and the total amount taken in the hack was returned to Titano."
"We would also like to acknowledge one Titan in particular, sonnysege which provided us with critical information very early on, confirming our suspicions as to the identify of the hacker. The fact we were able to confront our hacker so quickly will have made a big impact and for this reason, the developers would like to award him/her with $10k from our team funds."
"In the meantime, the full amount will be returned to the community and added to the liquidity pool to increase price support and stability. This will happen after the token migration happens." "We are happy to announce that we are now ready to return the tokens to every Titan whose tokens were lost in the Titano PLAY hack." "PLAY depositors do not need to take any actions. The tokens will appear in your wallets."
Total Amount Recovered
The total amount recovered has been estimated at $1,949,000 USD.
"All Hacked Funds have been successfully recovered! We have amazing news to report. Our efforts in pursuing the hackers who stole the money from Titano PLAY have been fruitful and all stolen funds have now been returned."
Ongoing Developments
TBD
Individual Prevention Policies
While the Titano Finance smart contract was on-boarding with CertiK, this was not a completed audit. Even a single audit is typically insufficient, and it would be recommended to only trust projects with at least 2 separate independent audits prior to launch.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Users can minimize their losses by storing most funds offline, outside of any smart contracts.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The primary issue was that the smart contract contained a backdoor which allowed for the withdrawal of the prize strategy smart contract. This would likely have been caught by smart contract auditing, and if the protocol had obtained the audit prior to launching, the theft could have been avoided.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Keeping funds in a multi-signature wallet can provide a more secure alternative than in a more complex smart contract.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
An industry insurance fund could assist with any cases which fail, and also help appoint competent validators to avoid that failure.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Ensuring that smart contracts are reviewed prior to launch would most likely have caught the error before any user funds were affected.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund could assist with any cases which fail, and also help appoint competent validators to avoid that failure.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- ↑ • Titano.finance | The Best Auto-Staking & Auto-Compounding Protocol in Crypto (Mar 11, 2022)
- ↑ @TitanoFinance Twitter (Mar 11, 2022)
- ↑ Titano - CertiK Security Leaderboard (Mar 11, 2022)
- ↑ Titano Finance - Auto Staking Legit or Scam Review? - YouTube (Mar 11, 2022)
- ↑ Amazing Update (Mar 11, 2022)
- ↑ @TitanoFinance Twitter (Mar 11, 2022)
- ↑ @TitanoFinance Twitter (Mar 11, 2022)
- ↑ Important Announcement (Mar 11, 2022)
- ↑ Titano.Finance AMA - Interview with David [Titano Core Team] - YouTube (Mar 11, 2022)
- ↑ @TitanoFinance Twitter (Mar 11, 2022)
- ↑ Important Update (Mar 11, 2022)
- ↑ @TitanoFinance Twitter (Mar 11, 2022)
- ↑ P L A Y Refund Updates (Mar 11, 2022)
- ↑ @TitanoFinance Twitter (Mar 12, 2022)
- ↑ TITANO PLAY was HACKED! Here's what YOU NEED TO DO NOW! - YouTube (Mar 12, 2022)
- ↑ Explained: The Titano Finance Hack (February 2022) (Mar 12, 2022)
- ↑ Defi Platform Titano Finance Hacked For 4,828 BNB - The Crypto Basic (Mar 12, 2022)
- ↑ @PeckShieldAlert Twitter (Mar 12, 2022)
- ↑ https://www.bscscan.com/tx/0x2755531c600ce4a5c00fbdc204c9d7ebbf64ad1db628ff690de4f3169114a583 (Mar 12, 2022)
- ↑ https://www.bscscan.com/address/0xad9217e427ed9df8a89e582601a8614fd4f74563 (Mar 12, 2022)
- ↑ Update on Hack. : TitanoFinance (Mar 12, 2022)
- ↑ Titano Finance Is Being Exploited, The Hacker Gains Nearly $1,9 Million - CoinCu News (Mar 12, 2022)
- ↑ Titano Finance recovers all stolen funds from Valentine's day hack and prepares for a smart contract upgrade (Mar 12, 2022)