TopGoal Hot Wallet Breach
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
TopGoal is a system of NFT collectibles featuring historic moments of football/soccer. One of the hot wallets for the TMT token was breached through an undisclosed means, and 4,809,984 TMT were taken and liquidated for 2,600 BNB. The stolen tokens all belonged to the founding team. The funds were mixed through Tornado Cash. An equivalent number of TMT tokens was withdrawn from the liquidity pool to restore the original token price.
This is a global/international case not involving a specific country. [1][2][3][4]
About TopGoal
"TopGoal is an officially licensed digital collectibles platform with NFT and blockchain empowered GameFi of the football metaverse. We partner with world-famous football players, clubs as well as institutions to allow fans to collect legendary football player cards only owned by you, build your fantasy squad and participate in the football game of players from all over the world!"
"TopGoal team truly believes in the future of crypto and the potential of bridging sports to crypto through NFT and Gaming. The team has also committed lots of effort and resources to the project."
The Reality
The TopGoal hot wallet was vulnerable.
TBD - Exact method.
What Happened
The TopGoal hot wallet was breached and 4,809,984 TMT were stolen and exchanged for 2,600 BNB.
Date | Event | Description |
---|---|---|
February 16th, 2022 3:05:00 AM MST | Announcement on Twitter | TopGoal posts on Twitter that TMT "was attacked and stolen by an outside exploiter"[5]. |
February 16th, 2022 8:12:00 AM MST | Service Temporarily Suspended | TopGoal announces on Twitter that they have suspended their website temporarily during the ongoing investigation, and will resume the service once the investigation is complete[6]. |
February 16th, 2022 4:03:37 PM MST | TopGoal Medium Post | TopGoal announces on Medium that they have experienced a hacking event in which their operation hot wallet was compromised. The hacker transferred 4,809,984 TMT tokens from the hot wallet to another address and converted them into over 2600 BNB on PancakeSwap. The hacker then used Tornado to transfer the BNB out of the address. User assets, including NFTs and TMTs, remained unaffected and secure during the attack. The TopGoal team temporarily suspended platform services to protect user assets and has been working on enhancing the security of the hot wallet to prevent future attacks. To mitigate the impact on the TMT price, the team will rebalance liquidity pools on PancakeSwap, BiSwap, and Mars by removing an equivalent amount of compromised TMT tokens. The service will resume once the investigation and liquidity pool rebalancing are completed. The team will provide updates on social channels and strive to minimize the negative effects of the attack[7]. |
February 16th, 2022 4:12:00 PM MST | Latest Update And Solution | TopGoal shares their "[l]atest update and solution of today’s attack" on Twitter[8]. |
Technical Details
TBD
TopGoal announces on Medium that they have experienced a hacking event in which their operation hot wallet was compromised. The hacker transferred 4,809,984 TMT tokens from the hot wallet to another address and converted them into over 2600 BNB on PancakeSwap. The hacker then used Tornado to transfer the BNB out of the address. User assets, including NFTs and TMTs, remained unaffected and secure during the attack. The TopGoal team temporarily suspended platform services to protect user assets and has been working on enhancing the security of the hot wallet to prevent future attacks. To mitigate the impact on the TMT price, the team will rebalance liquidity pools on PancakeSwap, BiSwap, and Mars by removing an equivalent amount of compromised TMT tokens. The service will resume once the investigation and liquidity pool rebalancing are completed. The team will provide updates on social channels and strive to minimize the negative effects of the attack[7]. TBD - split out and move to other sections.
Total Amount Lost
The total amount lost has been estimated at $1,113,000 USD.
"The hackers transferred a total of 4,809,984 TMT from the TopGoal-operated hot wallet to the[ir] address. The hackers then exchanged all those TMTs from PancakeSwap for over 2,600 BNB and used Tornado to transfer the BNB out of the address."[9]
Immediate Reactions
"Today TopGoal operation hot wallet was attacked and compromised." "Hot wallets operated by TopGoal were attacked and compromised. In this hack, only the hot wallet operated by TopGoal, which manages the distribution of TopPrize rewards, was affected. All user assets including NFTs and TMTs are safe." "Our tech team has been investigating this issue and collaborating with BNB chain (previously known as BSC) to rule out future attacks."
"TopGoal’s tech team has confirmed the hacker attacked the TopGoal’s service to distribute TMT rewards of TopPrize event. All users’ wallets and assets on the platform have not been attacked. The tech team has been working on enhancing the security of the whole platform service to prevent future hacking events. The team is also collaborating with industry partners to track down the hacker."
"The liquidity pool attacked by the hacker on PancakeSwap was 100% contributed by the TopGoal team initially with $1 million self fund." "TopGoal team has suspended the platform service temporarily in order to protect users' assets as soon as the attack was identified."
"The hackers transferred a total of 4,809,984 TMT from the TopGoal-operated hot wallet to the[ir] address. The hackers then exchanged all those TMTs from PancakeSwap for over 2,600 BNB and used Tornado to transfer the BNB out of the address."
Announcement On Twitter
TopGoal posted a series of Tweets as their investigation unfolded[5][6]. TBD rest of Tweet into timeline.
$TMT was attacked and stolen by an outside exploiter. At present, $TMT is safe. Investors do not need to worry about this problem. TopGoal team is checking the issues and working on solutions.
The team has been investigating the attack just happened. Only TopGoal operational wallet has been attacked and compromised, which is used for TopPrize. All NFTs and TMT in users’ wallets are safe. The team is still digging into the issue and make sure there is no further impact.
The services of TopGoal website have been suspended temporarily due to the ongoing investigation. The services will be resumed soon once the investigation is done. Tech team is also working on security improvement. Please wait for further updates.
Reactions on Twitter
"TMT was stolen by hackers, how to remedy it? Our early investors lost a lot."
"Is the investigation clear? It's easy to investigate. See if you stole it yourself."
"hello on we are counting on you to manage this problem But the value of tmt has lost 50% Don't worry?"
"I don't understand why all those Stars hired and for finally hack only about 1million USD value.... I don't think such energy and time was wasted for only steal 2660 bnb unless the hacker got mental issues..."
"Stop with negativity guys, Team will cease through, give strength, your value and theirs took a hit, we weren't the only ones (investors)"
Ultimate Outcome
"The services of TopGoal website have been resumed now. Users can deposit and withdraw TMT or stable coins. If you have requested withdrawal during the temporary suspension, the funds are returned to your TopGoal account."
"The team has been working with BNB Chain, BSCScan, PeckShield, Certik and other related partners to solve this issue and resolve the unnecessary misunderstanding and concerns among its community." "The tech team has been working on improving the security of the operation hot wallet to make sure attacks are prevented in the future."
"[I]n order to mitigate the negative impact on TMT price, the team has decided to rebalance the entire liquidity pools on PancakeSwap, BiSwap and Mars to restore the stability of the TMT-BUSD price. TMT tokens equal to the amount (4,809,984) compromised through this attack will be withdrawn from the pools. All the BUSDs remain in the liquidity pools."
Total Amount Recovered
The total amount recovered has been estimated at $1,113,000 USD.
Ongoing Developments
TBD
Individual Prevention Policies
The TopGoal hot wallet was not adequately secured. Users are best advised to avoid platforms that cannot demonstrate proper security.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Users can protect themselves and minimize risk by storing most funds offline.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The primary issue was around the security of the hot wallet storing the funds. This needs to be in a proper multi-signature wallet.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
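The policy above (and the same requirement in the individual and platform sections) comes down to one rule: no single compromised key may move funds. The following is an added illustration for this case study, not TopGoal's code, and it does not reproduce the undisclosed breach. It models a 3-of-5 approval policy for a platform hot wallet; the signer names and keys are constructed, and HMAC-SHA256 stands in for the signature scheme a real on-chain multi-signature wallet would verify. It shows why an attacker holding one operations key cannot authorize a payout, why a nonce is needed so that a captured approval cannot be replayed, and what a legitimate 3-of-5 release looks like.

```python
"""
Threshold-approval policy for a platform hot wallet (added example).

Not TopGoal's code. Signer names and keys are constructed; HMAC-SHA256 is a
stand-in for the real signature scheme of a multi-signature wallet contract.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

THRESHOLD = 3  # minimum distinct approvals, per the platform policy


@dataclass(frozen=True)
class Withdrawal:
    to: str
    amount: int  # whole TMT tokens (constructed units)
    nonce: int   # unique per request so an old approval cannot be replayed

    def digest(self) -> bytes:
        # Canonical encoding so every signer approves exactly the same bytes.
        return hashlib.sha256(
            json.dumps(self.__dict__, sort_keys=True).encode()).digest()


class MultiSigPolicy:
    def __init__(self, signers: dict[str, bytes], threshold: int):
        if threshold > len(signers):
            raise ValueError("threshold exceeds signer count")
        self.signers = signers            # signer name -> secret key
        self.threshold = threshold
        self.used_nonces: set[int] = set()

    @staticmethod
    def approve(key: bytes, w: Withdrawal) -> bytes:
        """A signer's approval of one specific withdrawal."""
        return hmac.new(key, w.digest(), hashlib.sha256).digest()

    def authorize(self, w: Withdrawal, approvals: dict[str, bytes]) -> bool:
        """True only if >= threshold distinct, known signers approved w."""
        if w.nonce in self.used_nonces:
            return False                  # replay of an already-spent request
        valid = 0
        for name, sig in approvals.items():
            key = self.signers.get(name)
            if key is None:
                continue                  # unknown signer: ignored
            if hmac.compare_digest(sig, self.approve(key, w)):
                valid += 1
        if valid >= self.threshold:
            self.used_nonces.add(w.nonce)
            return True
        return False


def make_policy(names=("ops", "cto", "cfo", "ceo", "security"),
                threshold=THRESHOLD) -> MultiSigPolicy:
    """Constructed 3-of-5 signer set with fresh random keys."""
    return MultiSigPolicy({n: secrets.token_bytes(32) for n in names}, threshold)


def single_key_attempt(policy: MultiSigPolicy, stolen: str, w: Withdrawal) -> bool:
    """What a holder of exactly one signer key can do: reuse that one
    approval under every signer's name. Only the real owner's slot verifies."""
    sig = MultiSigPolicy.approve(policy.signers[stolen], w)
    forged = {name: sig for name in policy.signers}
    return policy.authorize(w, forged)


def legitimate_payout(policy: MultiSigPolicy, w: Withdrawal, approvers) -> bool:
    """Each named approver signs independently with their own key."""
    approvals = {n: MultiSigPolicy.approve(policy.signers[n], w) for n in approvers}
    return policy.authorize(w, approvals)


if __name__ == "__main__":
    policy = make_policy()
    req = Withdrawal(to="0xRECIPIENT", amount=4_809_984, nonce=1)
    print("one stolen key:", single_key_attempt(policy, "ops", req))       # False
    print("two approvals :", legitimate_payout(policy, req, ["ops", "cto"]))  # False
    print("three approvals:", legitimate_payout(policy, req, ["ops", "cto", "cfo"]))  # True
    print("replay:", legitimate_payout(policy, req, ["ops", "cto", "cfo"]))  # False
```

The point of the design is in `authorize`: approvals are counted per distinct known signer, each checked against that signer's own key, so copying one stolen approval into other signers' slots adds nothing, and the nonce set makes a once-used request unusable even if all three approvals are captured. In a production deployment the same structure lives in the wallet contract itself (the "lowest layer possible" in the policy above), with the per-signer keys held on separate hardware by separate people.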
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, a report of any risks to the backing of customer assets, confirmation that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and identification of any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
An industry insurance fund can protect users further and assist with selection of credible validators.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
A better inspection of the platform hot wallet security would have prevented this exploit.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund can protect users in the event of an exploit happening.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- [2] https://medium.com/@TopGoal_NFT/follow-up-on-topgoal-hacking-event-8a0b3debe608 (Mar 11, 2022)
- [3] https://bscscan.com/address/0x7f0d082d08874a57110c73a8853967e7c19d1a6e (Mar 11, 2022)
- [4] TopGoal suffers 4,809,984 TMT loss by Stolen hot wallet - Opera News (Mar 11, 2022)
- [5] TopGoal - "$TMT was attacked and stolen by an outside exploiter. At present, $TMT is safe. Investors do not need to worry about this problem. TopGoal team is checking the issues and working on solutions." - Twitter (Jul 11, 2023)
- [6] TopGoal NFT - "The services of TopGoal website have been suspended temporarily due to the ongoing investigation. The services will be resumed soon once the investigation is done. Tech team is also working on security improvement. Please wait for further updates." - Twitter (Mar 11, 2022)
- [7] Latest Update and Solution of Today’s Hacking Event - Top Goal Medium (Mar 11, 2022)
- [8] TopGoal_NFT - "Latest update and solution of today’s attack" - Twitter (Mar 11, 2022)
- [9] https://coinmarketcap.com/currencies/bnb/historical-data/ (Feb 15, 2022)
- [10] lcccccc_ - "TMT was stolen by hackers, how to remedy it? Our early investors lost a lot." - Twitter (Jul 11, 2023)
- [11] Joker - "Is the investigation clear? It's easy to investigate. See if you stole it yourself." - Twitter (Jul 11, 2023)
- [12] Torpille - "hello on we are counting on you to manage this problem But the value of tmt has lost 50% Don't worry?" - Twitter (Jul 11, 2023)
- [13] Zouz - "I don't understand why all those Stars hired and for finaly hack only about 1million USD value.... I don't think such energy and time was wasted for only steal 2660 bnb unless the hacker got mental issues..." - Twitter (Jul 11, 2023)
- [14] Rjnutshelfish - "Stop with negativity guys, Team will cease through, give strenght, your value and theirs took a hit, we weren't the only ones (investors)" - Twitter (Jul 11, 2023)