TonUP Smart Contract Configuration Error
TonUP is a launchpad for projects on the TON blockchain to get initial funding and validation. The project suffered an exploit due to a misconfiguration in the smart contract, which allowed an unauthorized withdrawal from the TonUP staking contract. The TonUP project has released a high-level summary and promised to reimburse users, but the specific exploit transaction was not provided, and no third-party analysis of the attack or of where the funds went appears to have been performed.[1][2][3][4][5][6][7][8][9][10]
About TonUP
"TonUP is an innovative platform built on the TON Blockchain that aims to revolutionize the way projects are launched and supported in the crypto space. It provides a comprehensive ecosystem for token launches, community participation, and project growth. TonUP is on a mission to discover and nurture the most promising projects out there, bringing exciting opportunities to the wider community. With the unwavering support of TON Foundation and Foresight X, they are dedicated to empowering assets with remarkable potential on the TON Blockchain, fostering the growth of a vibrant TON ecosystem."
"An Initial decentralised Offering (IDO) is a type of public offering in which a cryptocurrency project launches a new token on a launchpad or DEX. This method has gained popularity as it allows anyone to contribute to the initial offering, providing equal opportunities for all."
"The TON ecosystem Launchpad platform TonUP announced on social media that its recently launched staking contract was attacked, resulting in a loss of 307,264 UP tokens. Upon investigation, it was found that the incident was due to the smart contract engineer incorrectly configuring script parameters, leading to users mistakenly claiming staked UP assets."
"TonUP strongly prioritizes the security of its platform and the safety of its users. It has in place robust protection measures such as secure transaction environments and constant monitoring of the platform's activities to avert any malicious actions."
The Reality
"When dealing with cryptocurrencies, potential risks can arise from market volatility, technological vulnerabilities, and smart contract risks. Smart contracts are self-executing contracts with the terms of the agreement directly written into code. They are used widely in the crypto space for transactions and agreements. However, if a smart contract has a flaw or is not written properly, it can be exploited by malicious actors leading to potential risks and losses. This emphasizes the need for rigorous testing and auditing of smart contracts before they are deployed.
Therefore, although TonUP takes significant steps to ensure safety, it is important for users to make investments responsibly and with a thorough understanding of these aspects. Knowledge about your investments, paired with understanding the inherent risks in cryptocurrency investments, is critical."
What Happened
TonUP's recently launched staking contract was attacked, resulting in a loss of 307,264 UP tokens.
Date | Event | Description |
---|---|---|
May 21st, 2024 1:48:00 PM MDT | TonUP Status Update | TonUP posts a tweet acknowledging the attack and stating that they are reimbursing all users. Assets are reportedly safe and staking rewards will be airdropped at the end of the period of repair. |
May 24th, 2024 4:34:00 AM MDT | TonUP Status Update | TonUP posts a tweet with more details about the incident, attributing it to an engineer misconfiguring their smart contract. They provide some transactions for reimbursements which are in progress. No blockchain transaction representing the exploit is provided. |
June 11th, 2024 9:05:00 AM MDT | Sixth Buyback Completed | TonUP announces that they have now completed the sixth round of token buyback and burn. |
Technical Details
"Upon investigation, it was found that the incident was due to the smart contract engineer incorrectly configuring script parameters, leading to users mistakenly claiming staked UP assets."
Total Amount Lost
"resulting in a loss of 307,264 UP tokens."
The total amount lost has been estimated at $108,000 USD.
Immediate Reactions
"The TON ecosystem Launchpad platform TonUP announced on social media that its recently launched staking contract was attacked, resulting in a loss of 307,264 UP tokens."
"All your funds are currently safe. Staking reward claim is temporarily disabled and rewards will be airdropped to you at the end of the staking period. You will be able to unstake normally after staking period ends."
"It is with deep regret that we must inform you of an unfortunate incident that occurred shortly after our recent staking event aimed at commemorating the prosperity of the TON ecosystem. Despite the initial success and widespread participation in the event, we regretfully report that our platform was subjected to a malicious hack, resulting in the loss of 307,264 $UP tokens from the $UP/ $TONG staking contract."
"This unprecedented breach is an unacceptable violation of the trust we have worked so hard to build with our community. As the core Launchpad of the TON network, we have made the decision to take full responsibility for this incident and cover all losses sustained.
To that end, we have allocated a significant amount of $USDT to buyback the full 307,264 $UP tokens that were lost. The excess $UP tokens purchased will then be permanently destroyed.
Additionally, we want to assure all users that your staking assets and rewards will be fully protected. Staking reward claim is temporarily disabled and rewards will be airdropped to users at the end of the staking period. Users will be able to unstake normally after staking period ends."
Ultimate Outcome
"Moving forward, we will be doubling down our efforts to strengthen the security of our contracts and our operations. We will also consider open-sourcing certain components to allow more community participation in ongoing bug hunting and co-development projects.
The TON ecosystem and our community mean everything to us. We remain steadfast in our commitment to this network and to you, our valued users. We are here, and we will overcome this setback together."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- SlowMist Hacked - SlowMist Zone (Jun 10, 2024)
- @TonUP_io Twitter (Jun 11, 2024)
- @TonUP_io Twitter (Jun 11, 2024)
- Records of Buyback and Burn - TonUP Disclosure Plan - #5 by TonUP_news - Announcement - TonUP Community (Jun 11, 2024)
- TonUP | Linktree (Jun 11, 2024)
- TONUP (Jun 11, 2024)
- @TonUP_io Twitter (Jun 11, 2024)
- TonUP claims that the pledge contract was hacked and plans to allocate more than 100,000 USDT to repurchase tokens to compensate users (Jun 12, 2024)
- TonUP: Nurturing TON Ecosystem Growth Through a Community-Centric Launchpad and Rigorous Due Diligence for Vetted Crypto Projects. | by Betecegold | Medium (Jun 12, 2024)