QI Quadriga Initiative

Oct 2021 - BXH Exchange Private Key Leak - $139.195m (China)

"Boy X Highspeed (BXH) [is] a decentralized cross-chain exchange." "BXH is an innovative one-stop decentralized trading platform." The BXH "[p]roject is a DEX on Huobi Eco Chain mainly aimed at the Chinese market; an English interface is also available. 'BXH' stands for 'Bitcoin DEX on HECO'."

The BXH token is a "[g]overnance token for [the] BXH DEX, farmed through liquidity mining similar to other DEX tokens; a certain amount of tokens are repurchased and burned."

"On October 30th, the private key of the decentralized revenue protocol BXH was stolen and lost approximately US$139 million in encrypted assets." "The attacker gained access to the stolen funds due to a failure to properly protect the administrative key of the project’s account on the Binance Smart Chain (BSC)." "With this private key, the attacker was able to digitally sign a transaction transferring $139 million in tokens from BXH’s account on BSC to their own account."

"The decentralized transaction protocol BXH tweeted that the assets of the protocol on the Binance Smart Chain (BSC) chain were hacked." "DeFi trading platform BXH said in multiple tweets that it was being attacked on BSC, resulting in the theft of about US$130 million. It said that assets on other chains are safe and not affected, and it has locked BXH contracts on OEC and HECO chains for asset security reasons."

"The security incident occurred on the BSC chain. According to official statements, the on-chain assets of Ethereum, OEC, and Heco were not affected, but for security reasons, all on-chain deposit and withdrawal functions have been shut down."

"Due to the attack occurring in China, where most of BXH’s technical staff operate, an inside job is the current running theory. However, it’s possible a hacker planted a virus on the BXH site that was clicked by an administrator, granting the thief access to a computer with private key privileges." "The inside-job theory is supported by findings that indicate the attacker was in China, where most of BXH’s technical team is based, according to the CEO."

"According to the analysis of the blockchain security agency SlowMist Technology, the hacker deployed the attack contract 0x8877 at 13:00 on the 27th (UTC); then, at 8:00 on the 29th (UTC), the BXH wallet address 0x5614 granted management permissions to the attack contract 0x8877 through grantRole. At 3 o'clock on the 30th (UTC), the attacker used the authority obtained through the attack contract 0x8877 to transfer the assets under its management out of the BXH vault. The vault was suspended at 4 o'clock on the 30th (UTC) by the wallet address 0x5614. Therefore, BXH was stolen from this time because its management authority was maliciously modified, allowing the attacker to use this authority to transfer project assets. At present, 4000 ETH in the hacker's initial address has been transferred from BSC to ETH, and 300 BTCB was converted into renBTC and transferred to a new address."
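The timeline above turns on a single grantRole call that handed a newly deployed contract management authority roughly nineteen hours before the vault was drained. The following added example (not code from BXH, SlowMist or this page) shows the kind of on-chain monitoring that would surface such a grant: it reads the RoleGranted event that OpenZeppelin's AccessControl emits on every successful grantRole, flags any grantee outside an allowlist, and reports how much lead time the alert would have given a responder. Every log record, address and timestamp in it is constructed; the page itself only gives the truncated 0x8877 and 0x5614 prefixes.

```python
"""Flag AccessControl role grants to untrusted accounts from EVM event logs.

Added example; not code from BXH, SlowMist or the Quadriga Initiative.
The log records below are constructed: addresses, role ids and block
timestamps are made up and only mirror the shape of the published timeline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# keccak256("RoleGranted(bytes32,address,address)"): topic[0] of the event that
# OpenZeppelin's AccessControl emits on every successful grantRole() call.
ROLE_GRANTED_TOPIC = "0x2f8788117e7eff1d82e926ec794901d17c78024a50270940304540a733656f0d"
# AccessControl's DEFAULT_ADMIN_ROLE is bytes32(0); its holders can grant any role.
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32


@dataclass
class Alert:
    role: str
    account: str
    sender: str
    when: datetime
    reason: str


def topic_to_address(topic: str) -> str:
    """Indexed address topics carry the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()


def pad_address(addr: str) -> str:
    """Inverse of topic_to_address, used here only to build the constructed logs."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def find_suspicious_grants(logs, trusted_accounts):
    """Return an Alert for every RoleGranted whose grantee is not on the allowlist."""
    trusted = {a.lower() for a in trusted_accounts}
    alerts = []
    for log in logs:
        topics = [t.lower() for t in log["topics"]]
        # RoleGranted has three indexed params, so a well-formed record has 4 topics.
        if len(topics) != 4 or topics[0] != ROLE_GRANTED_TOPIC:
            continue
        role = topics[1]
        account, sender = topic_to_address(topics[2]), topic_to_address(topics[3])
        when = datetime.fromtimestamp(log["timestamp"], tz=timezone.utc)
        if account not in trusted:
            reason = ("admin role granted to account outside allowlist"
                      if role == DEFAULT_ADMIN_ROLE
                      else "role granted to account outside allowlist")
            alerts.append(Alert(role, account, sender, when, reason))
    return alerts


def hours_before(alerts, drain_time) -> Optional[float]:
    """Lead time a responder would have had: earliest alert to the drain transaction."""
    if not alerts:
        return None
    return (drain_time - min(a.when for a in alerts)).total_seconds() / 3600


def _ts(y, m, d, h):
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp())


# Constructed addresses (not the incident's; the page only gives 0x8877... / 0x5614...).
OPS_WALLET = "0x" + "a1" * 20          # legitimate admin wallet that calls grantRole
TREASURY_BOT = "0x" + "b2" * 20        # known operator, on the allowlist
UNKNOWN_CONTRACT = "0x" + "c3" * 20    # freshly deployed contract, not on the allowlist
TRUSTED = [OPS_WALLET, TREASURY_BOT]

SAMPLE_LOGS = [
    # routine grant of a non-admin role to a known operator: no alert
    {"timestamp": _ts(2021, 10, 20, 9),
     "topics": [ROLE_GRANTED_TOPIC, "0x" + "11" * 32,
                pad_address(TREASURY_BOT), pad_address(OPS_WALLET)]},
    # admin role handed to an unknown contract, mirroring the 29th 08:00 UTC grant
    {"timestamp": _ts(2021, 10, 29, 8),
     "topics": [ROLE_GRANTED_TOPIC, DEFAULT_ADMIN_ROLE,
                pad_address(UNKNOWN_CONTRACT), pad_address(OPS_WALLET)]},
    # an unrelated log with a different topic count is ignored
    {"timestamp": _ts(2021, 10, 29, 9),
     "topics": ["0x" + "ee" * 32, pad_address(OPS_WALLET)]},
]


def demo():
    alerts = find_suspicious_grants(SAMPLE_LOGS, TRUSTED)
    drain = datetime(2021, 10, 30, 3, tzinfo=timezone.utc)  # 03:00 UTC on the 30th
    return alerts, hours_before(alerts, drain)


if __name__ == "__main__":
    found, lead = demo()
    for a in found:
        print(f"{a.when:%Y-%m-%d %H:%M} UTC  {a.reason}: {a.account} (granted by {a.sender})")
    print(f"lead time before the drain: {lead} h")
```

The allowlist is the operational piece: the accounts that should ever hold a role on a vault contract are few and known in advance, so any RoleGranted to an address outside that set is worth paging on, and a grant of DEFAULT_ADMIN_ROLE doubly so. In the constructed data the alert fires nineteen hours before the drain, which is the same gap the SlowMist timeline describes.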

The hack "that drained $139 million of funds was probably the result of a leaked administrator key, and possibly an inside job, CEO Neo Wang told CoinDesk." "Based on a consultation with an external security team, BXH says the hacker was probably able to break into the exchange’s Binance Smart Chain address after getting hold of the administrator’s private key, Wang said."

"Work with Peckshield to monitor and track stolen assets and update the status of stolen assets to the community. Notified O3Swap and requested the emergency shutdown of the BSC cross-chain bridge. Notified AnySwap and requested it to add the hacker address to the blacklist ASAP. Contacted renBridge, but renVM said that it didn't have a blacklist mechanism. Emailed USDC to freeze the account, but Centre.io said that it needed a court order. BXH has contacted a Delaware lawyer to follow up. With the support of Peckshield, BXH comprehensively analyzed the cross-chain bridge used by the attacker and the attack process, preliminarily profiled the attacker, and the possible countries where the attacker might be located. Contacted the Heco team to assist in risk control over the BXH platform contracts. Filed a police report with the Hunan police together with community members. Peckshield provided the investigation report and relevant data to the police. All BXH staff actively cooperated with the police, such as giving depositions, etc. Contacted Huobi to investigate the registration information of the gas fee withdrawal account. Sought help from SlowMist to jointly track assets and analyze the attacks. Contacted Lossless, the overseas security company, and prepared the English report. Contacted the listed domestic security company DAS-Security to check the server."

"After repeated tests by multiple parties, it is now confirmed that all security loopholes on the ETH chain have been eliminated, and the multi-signature upgrade for private key verification has also been completed." "In order to further ensure the security of users' assets on BXH, BXH has decided to fully upgrade its contracts, both the main contract and the dispatch contract." "To complete the upgrade, we need to postpone the reopening time on the ETH chain to 20:00 on November 14, 2021, Beijing time. By then, the front-end of BXH will also be opened, and all third-party APIs will need upgrading. BXH will provide necessary information such as APIs at the same time."

"Thanks to the cooperation and support of all parties, BXH has resumed its service on OEC and ETH after the attack on October 30, 2021. Now BXH is striving to resume its service on HECO and BSC."

"After the October 30th event, the remaining assets in the BSC chain have been transferred to the secure multi-signature contract address." "A draft solution for the stolen assets of the BSC chain will be publicized before 20:00, November 18, 2021, Beijing time. Once the solution is finalized, BXH will announce and execute it in no time." "In addition, BXH announced the first draft plan about its assets in the community on November 18, and received a lot of opinions and feedback. BXH thanks you for your support and valuable contribution."

"A case has been filed with China’s network security police, and a bounty of $1 million has been offered to any team that helps retrieve the funds. If the hacker is not found and/or funds are not returned, BXH has claimed it will accept full responsibility for the lost funds and provide a user repayment plan for those affected." "BXH has also filed a case with China’s network security police, a special force that investigates digital crime, the CEO said."

"As the team is trying its best to get the incident cleared in cooperation with the authorities and a third-party security team, we also offer a bonus in the amount of $1 million to any white hat team who can help us retrieve the users' assets that were stolen." "The total reward pool has now risen to 10 million US dollars!"

“To the exploiters again, please return the funds to the fund pool immediately and we will recognize your actions as white hat and offer bonus,” BXH said in a tweet, adding that it will offer a bonus of US$1 million to any white hat team that could help retrieve users’ assets.

"If the hacker is not found or does not return the money, BXH will take full responsibility for the incident and figure out a user repayment plan, Wang said." "We want to thank the community for your patience during the course of the attack. We will come back stronger."

"We are glad to announce the reopening of $BXH on #HECOCHAIN." "The withdrawal of tokens on BXH.COM will start from 22:30 November 28th, 2021, as the new smart contract audited by Peckshield has been deployed on Binance Smart Chain. Users can get their withdrawal token XDT according to the amount of the assets they hold on the platform." "The opening of the withdrawal is the first step of BXH's return. Thank you all for patiently waiting, and we hope you will continue the journey with us."

Further Analysis

BXH is a decentralized exchange platform which appears to be run by a team in China. However, the authority to make changes resided in the hands of a single team member. That private key was compromised by unknown means, and the attacker has not returned any funds. A $10m reward has gone unanswered.

The project has relaunched on most chains and is working on a recovery. However, it is unclear whether any of the affected users have been compensated so far. The team has set up a multi-sig to prevent future issues.

How Could This Have Been Prevented?

The way to prevent this issue is a multi-signature arrangement for administrative actions, combined with storing keys safely offline. There is no reason for an administrative key to ever leave an offline medium.
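To make the multi-signature point concrete, here is an added example (not BXH's contract code) of a k-of-n approval check for privileged operations such as grantRole. It shows why a single leaked key is not enough on its own: a lone approval, a duplicated approval, a forged approval from an outsider and a replay of an old quorum are all rejected, while two distinct signers pass. HMAC over a canonical message stands in for the ECDSA signatures a real multisig verifies, so it runs on Python's standard library alone; the signer names, keys and role values are constructed.

```python
"""k-of-n approval for privileged vault operations.

Added example; not BXH's contract code. HMAC over a canonical message stands in
for the ECDSA signatures an on-chain multisig verifies, so it runs on the
standard library alone (which means the verifier holds the signer secrets here,
whereas a real multisig checks signatures against public keys). Signer keys are
constructed test values; in practice each lives on a separate offline device.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

Approval = Tuple[str, str]  # (signer name, hex signature)


def canonical_message(nonce: int, op: str, params: dict) -> bytes:
    """Deterministic bytes to sign; the nonce stops old approvals being replayed."""
    return json.dumps({"nonce": nonce, "op": op, "params": params}, sort_keys=True).encode()


def approve(signer: str, key: bytes, message: bytes) -> Approval:
    """Done by the signer on their own (offline) device; only the approval travels."""
    return signer, hmac.new(key, message, hashlib.sha256).hexdigest()


class ThresholdVault:
    def __init__(self, signer_keys: Dict[str, bytes], threshold: int):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signer_keys = signer_keys
        self.threshold = threshold
        self.nonce = 0
        self.log: List[Tuple[str, dict]] = []

    def execute(self, op: str, params: dict, approvals: List[Approval]) -> bool:
        """Run op only if at least `threshold` distinct known signers approved it."""
        message = canonical_message(self.nonce, op, params)
        valid = set()  # distinct signers: the same approval submitted twice counts once
        for signer, sig in approvals:
            key = self.signer_keys.get(signer)
            if key is None:
                continue  # name outside the signer set: ignored, not an error
            expected = hmac.new(key, message, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                valid.add(signer)
        if len(valid) < self.threshold:
            return False
        self.nonce += 1
        self.log.append((op, params))
        return True


# Constructed signer secrets; never real key material.
KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
}


def demo() -> dict:
    vault = ThresholdVault(KEYS, threshold=2)
    grant = ("grantRole", {"role": "DEFAULT_ADMIN_ROLE", "account": "0x" + "c3" * 20})
    msg = canonical_message(vault.nonce, *grant)
    results = {}
    # 1. one leaked key: a lone approval is short of the 2-of-3 threshold
    a = approve("alice", KEYS["alice"], msg)
    results["single_key"] = vault.execute(*grant, [a])
    # 2. the same approval submitted twice still counts as one signer
    results["duplicated"] = vault.execute(*grant, [a, a])
    # 3. a forged approval from a name outside the signer set is ignored
    results["forged"] = vault.execute(*grant, [a, ("mallory", "00" * 32)])
    # 4. two distinct signers reach the threshold and the operation runs
    quorum = [a, approve("bob", KEYS["bob"], msg)]
    results["quorum"] = vault.execute(*grant, quorum)
    # 5. replaying the same quorum fails because the nonce has advanced
    results["replay"] = vault.execute(*grant, quorum)
    results["executed"] = len(vault.log)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

The property that matters for this incident is in step 1: with a 2-of-3 policy, whoever holds one administrator's key can still not call grantRole on their own, so the 29th-of-October grant to the attack contract would have needed a second, independently held key. The nonce in the canonical message is what makes step 5 fail, and is the same reason real multisig contracts keep a per-wallet transaction counter.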


Sources/Further Reading

SlowMist Hacked - SlowMist Zone (Nov 6)
BXH Token (BXH) price today, chart, market cap & news | CoinGecko (Dec 16)
@BXH_Blockchain Twitter, multiple tweets (Dec 16)
Another DeFi platform, BXH, suffers $130M exploit (Dec 16)
$139M BXH Exchange Hack Was the Result of Leaked Admin Key (Dec 16)
https://inf.news/en/economy/f58093b769e3310151440138a17f33f9.html (Dec 16)
Reflection on BXH coin theft case: what are the reasons and lessons for hackers to "destroy" the domestic machine gun pool in the most primitive way (Dec 16)
CYBAVO - Could Multi-Party Computation (MPC) Have Stopped BXH and bZx Crypto Exchange Hacks? (Dec 16)
Explained: The BXH Exchange Hack (October 2021) - halborn (Dec 16)
https://blog.insurace.io/security-incidents-in-october-cfed829449d0 (Dec 16)
Binance Smart Chain project hack leads to theft of $139 million | ambcrypto.com (Dec 17)
https://mobile.twitter.com/certikorg/status/1454469066370998277 (Jan 10)
