$83 000 USD

MARCH 2022

GLOBAL

PIRATE X PIRATE

DESCRIPTION OF EVENTS

"Pirate X Pirate is a Blockchain gaming platform with a pirate theme. It is a world where you earn through your adventures across the high seas. Recruit your crew, form your fleet, and test your prowess battling against other pirates to earn money. With your fleet, you will participate in building a pirate metaverse with its own self-contained economy."


"The pledge contract of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account. When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back."


"The staking contract of Pirate X @PXPNFTsGame has been attacked. We suspect it's due to the private key leakage (since the attacker leveraged a valid signed message to launch the attack)."

"The staking contract of Pirate X Pirate was attacked by an attacker, resulting in the loss of the PXP token. When users deposit their PXP tokens into this contract, their tokens will be transferred into an EOA account. The contract will call `Transferfrom` to transfer these funds back when users withdraw their tokens. When users withdraw their funds, they will submit a signature signed by a signer controlled by the project. The attacker provided a valid signature of the external signer and withdrew 9,681,000 PXP tokens."


"A purported hacker breached our $PXP/$GOLD conversion feature and was able to replicate multiple instances of $PXP conversion before selling off, between 21:13–21:14 UTC, a total of $PXP 9,681,000, which accounts for 0.9681% of the total supply."


"The attacker [sold off] more than 9.6 million $PXP."

"The attackers put these tokens on the market and made a profit of about 212 BNB."


"PXP Team has bought back the total of $PXP 9,681,000 which will be returned to the reward pool."

"We have decided to dismiss our current developer team and are currently in the process of recruiting a new team to assume the responsibilities."


"To ensure the security of the system and prevent such issues from happening again, we need to temporarily close the conversion feature and have the game codes reviewed by a trusted auditor. We are currently contacting an auditor and will keep you posted once the discussion has concluded."


"The past week has been quite harsh following the hacking incident we wish had never happened. We really appreciate the support from all of you who have faith in us and continue on the journey with PXP. Our main focus now is to relaunch the token conversion system as fast and secure as possible. Immediately after our announcement about the incident, we proceeded to have the codes audited and consulted with the auditing party about the time required for their processes. We were informed that it would take at least 20 business days to complete the task, in other words, a whole calendar month."


"The estimated downtime was too long for us to consider the best option given our situation. We finally reached a conclusion to implement our contingency plan that would provide the most secure yet readily available solution in the meantime: the Withdrawal System will require you to submit a withdrawal request (converting $GOLD to $PXP) which will be verified and approved within 24 hours. Once approved, $PXP will be sent to your wallet. Players no longer need to pay gas fees for withdrawal. Players cannot convert $PXP to $GOLD for the time being."


"A hearty thank you to all of you who stay on board with us."

The Pirate X Pirate NFT game suffered a breach in which 212 BNB (~$83k USD) worth of funds was taken. Withdrawals from the staking contract were authorised by a signature from a single project-controlled signer, and the attacker presented valid signatures from that signer, so the breach appears to have resulted from a leak of that private key. Very few details have been published on how the key may have leaked. The company has instead dismissed its development team and engaged external contract auditors.

HOW COULD THIS HAVE BEEN PREVENTED?

The root issue is that a single project-controlled key was enough to authorise withdrawals. Control over the smart contract, and over withdrawal approvals, needs to be in a multi-signature arrangement, so that no single individual being compromised or acting maliciously can move funds alone. All key holders need to be trained on how to properly protect their keys.
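The mechanism described in the quoted reports (a withdrawal is released against a message signed by one project-controlled signer) and the multi-signature remedy above can be made concrete in a small contract. The following Solidity vault is an added example written for this page; it is not the Pirate X Pirate staking contract, whose source the page does not reproduce, and not code from any quoted party. It assumes a standard ERC-20 token, keeps deposited tokens in the contract itself rather than in an EOA, and requires a withdrawal to carry signatures from at least `threshold` distinct approved signers over a digest that is bound to this chain and contract and can be spent only once. The contract, function and variable names are all assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface needed here (assumed standard interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Withdrawals must be authorised by at least `threshold` distinct approved
/// signers (k-of-n) instead of one project key, and each authorisation is
/// single-use. Tokens stay custodied by this contract, not by an EOA.
contract ThresholdWithdrawVault {
    IERC20 public immutable token;
    uint256 public immutable threshold;
    mapping(address => bool) public isSigner;
    mapping(bytes32 => bool) public usedDigest;

    constructor(IERC20 _token, address[] memory signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= signers.length, "bad threshold");
        token = _token;
        threshold = _threshold;
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
    }

    /// Digest the signers approve. Chain id and contract address are included
    /// so a signature cannot be replayed on another chain or another deployment.
    function withdrawDigest(address to, uint256 amount, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), to, amount, nonce, deadline));
    }

    /// `signatures` must be ordered by ascending signer address; this cheaply
    /// rejects duplicate signatures from the same key.
    function withdraw(
        address to, uint256 amount, uint256 nonce, uint256 deadline,
        bytes[] calldata signatures
    ) external {
        require(block.timestamp <= deadline, "expired");
        bytes32 digest = withdrawDigest(to, amount, nonce, deadline);
        require(!usedDigest[digest], "replayed");
        usedDigest[digest] = true; // mark before transferring (checks-effects-interactions)

        // Signers sign the EIP-191 "Ethereum Signed Message" wrapping of the digest.
        bytes32 ethDigest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));

        address last = address(0);
        uint256 valid = 0;
        for (uint256 i = 0; i < signatures.length; i++) {
            address signer = recover(ethDigest, signatures[i]);
            require(signer > last, "unordered or duplicate signer");
            last = signer;
            if (isSigner[signer]) valid++;
        }
        require(valid >= threshold, "insufficient signatures");
        require(token.transfer(to, amount), "transfer failed");
    }

    /// Recover the signer of a 65-byte (r, s, v) signature, rejecting malleable high-s values.
    function recover(bytes32 hash, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        // secp256k1 group order / 2: signatures with s above this are rejected.
        require(
            uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
            "bad s"
        );
        address a = ecrecover(hash, v, r, s);
        require(a != address(0), "bad signature");
        return a;
    }
}
```

With, say, three approved signers and `threshold` set to 2, the leak of any one signer's key is not sufficient to release tokens, and a signed authorisation that has already been consumed cannot be submitted a second time. Deploying the signer set behind a multi-signature owner for rotation, and keeping each signer key on separate hardware, are the operational counterparts of this contract-level check.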




© 2021 Quadriga Initiative.