Feb 2022 - Dego Finance Key Compromised - $10m (Global)

"DEGO Finance is an NFT+DeFi protocol and infrastructure with two functions: The project acts as an independent and open NFT ecosystem drawing users to the blockchain space. The NFT Suite offers services covering the full NFT lifecycle, enabling anyone to issue NFTs, participate in auctions, and trade NFTs."
"DEGO Finance is also building an NFT protocol to provide a cross-chain Layer 2 infrastructure. By building on multiple blockchains such as Binance Smart Chain, Ethereum, and Polkadot, DEGO Finance enables blockchain projects to acquire users, distribute tokens and develop more diverse NFT applications." "Recently, DEGO has embarked on a new journey on GameFi and will input more on R&D of Blockchain Games, Tokenisation of Game Assets, Asset Lending, and more."
"For the uninitiated, Dego Finance saw the light of day in 2020 and offered both DeFi and NFT tools. It claimed to be an open-NFT ecosystem that allowed users to mint non-fungible tokens initiate NFT mining in addition to auctions and trading."
"It also offers a cross-chain infrastructure to facilitate blockchain ventures to ramp up the user base, distribute tokens, as well as develop more diverse NFT-based apps. In March 2021, Binance announced listing the project in the Innovation Zone."
"At 3 AM UTC 10th/Feb/2022, we detected abnormal change of DEGO price on DEX and centralised exchange too." "$10M taken from Dego Finance and their partner Cocos-BCX."
"The hacker has drained DEGO pairs liquidity provided by the team on UniSwap and Pancake Swap, subsequently stealing 2613.40 BNB, 378.76 ETH and 492,316.41 DEGO tokens." "The hacker also hijacked DEGO’s Minting contract and minted a total of 1,185,164.71 DEGO tokens." "The exploiters withdrew more than $10 million from @dego_finance & @CocosBCX!"
"The team looked into this anomaly and quickly concluded there has been a well-organised hacking event from approx. 11:29 PM UTC 9th/Feb/2022, targeting DEGO team addresses hosting DEGO tokens and DEX liquidity (DEGO/ETH, DEGO/BNB)."
"We have just found out that our address providing liquidity on @UniSwap & @PancakeSwap was hacked hence DEGO pairs liquidity provided by the team was drained. We have already contacted operation team @binance, @kucoincom, @gate_io. They have closed deposit on DEGO."
"Dego have claimed this to be a case of compromised keys." "Dego Finance’s official Twitter handle claimed that its own address providing liquidity on popular decentralized exchanges – Uniswap and PancakeSwap – was compromised. As a result, DEGO pairs liquidity provided by the team was drained."
"We've always been there. Today is a sad day. We are investigating the cause and trying to recover the loss."
"Attacker’s address (0x118…c91) obtained assets worth more than $2.4 million on BSC, more than $4.9 million on ETH. Even assets on Cronos 196,256.723USDT and 199,401.967USDC were exploited."
"The hacker used Tornado.Cash to mix funds." "The Hacker liquidated 1,288,233.59 DEGO tokens through an instant exchange service (DEGO Price fell by 12.90% from $4.42 — $3.85 by 12 PM UTC 9th/Feb/2022), which operates accounts on centralised exchanges and offers No-KYC service. Some of the proceeds were converted to BTC and XMR." "Dego Finance’s token, DEGO took a severe beating following the hack. It slumped by almost 20% from $4.50 to $3.65 in the wee hours of Thursday morning."
"The team contacted major exchanges in private and made public announcements on Twitter to warn all centralised exchanges. We were lucky to receive a quick response from some exchanges that they have shut down DEGO token deposits temporarily to shield users from potential damage on markets."
"Post the news, different exchanges such as Binance, Kucoin, and Gate.io shut all deposits of its native governance and equity token, DEGO. The protocol urged Uniswap, Poloniex, PancakeSwap, WazirX, etc., to do the same to offset the losses.
"After going through all team addresses, we have rescued a good amount of DEGO tokens and stored them somewhere safe."
"We engaged SlowMist and Certik and PeckShield teams for professional advice and solutions." "We worked with EtherScan team and some of hacker’s addresses has been marked."
"Second, we have also heard a lot of conspiracy theories, and we would like to clarify that the team’s assets suffered the most financial loss in this incident, making us the biggest victim. We have been working hard on solutions and are pursuing help from law enforcement."
"A total of 602,562.35 DEGO tokens are still in the hacker’s possession but cannot be liquidated in major exchanges since the lockdown."
“We’ll keep all stakeholders updated on the latest developments, as well as talk to reputable security teams on how to identify the hacker and retrieve loss. We would ask the hacker to come forward and communicate.”
"After the incident, we are happy to receive people's caring messages and helping hands. We'll keep all of you updated on the latest developments while working on a solution for remedy."
And posting interesting quotes: "Do you believe that there's an alternative self in parallel time&space? If each parallel world is a light, how many lights do you think are still on? Does the external world still exist? From an idealist view, when our consciousness disappears, the world will disappear."
"Despite their poor security decisions, the DEGO price chart shows a steady recovery, perhaps due to their large following on Twitter (~194K) and other medias."
"Since the attack, Cocos-BCX have switched ownership to a multi-sig."
Further Analysis
Dego Finance offers a foundation for NFT projects to acquire users, distribute tokens, and auction or trade NFTs. It was a relatively unknown project when it came under attack, apparently due to compromised keys. The entire liquidity pool was drained and the funds were successfully mixed through Tornado.Cash. While the project initially stated an intention to reimburse affected users, its communication so far has been cryptic and no plan has come forth.
How Could This Have Been Prevented?
The way to protect the project was simple: use a multi-sig. The problem appears to have come about because there was only one key, and that key was compromised. Our framework proposes that uninsured user funds be placed in an offline multi-signature wallet, held by known, trained individuals.
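The single-key failure described above, set against a threshold policy, as an added example (not code from Dego Finance or from this site). It is a toy treasury in which HMAC stands in for on-chain signatures; the signer names, keys and action strings are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def sign(key: bytes, action: str, nonce: int) -> bytes:
    """HMAC stands in for an on-chain ECDSA signature (simplification)."""
    return hmac.new(key, f"{nonce}:{action}".encode(), hashlib.sha256).digest()

@dataclass
class Treasury:
    signers: dict            # signer name -> key (constructed sample keys)
    threshold: int           # approvals required per privileged action
    nonce: int = 0           # bumps on every executed action; blocks replay
    log: list = field(default_factory=list)

    def execute(self, action: str, approvals: dict) -> bool:
        """Run `action` only if `threshold` distinct signers approved this nonce."""
        valid = {
            name for name, sig in approvals.items()
            if name in self.signers
            and hmac.compare_digest(sig, sign(self.signers[name], action, self.nonce))
        }
        if len(valid) < self.threshold:
            return False
        self.log.append(action)
        self.nonce += 1
        return True

KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}  # constructed
MINT = "mint 1000000 DEGO"  # constructed privileged action

def stolen_key_outcomes() -> dict:
    """What a party holding only alice's key can get executed under each policy."""
    single = Treasury({"alice": KEYS["alice"]}, threshold=1)
    multi = Treasury(dict(KEYS), threshold=2)
    stolen = KEYS["alice"]
    return {
        "single_key": single.execute(MINT, {"alice": sign(stolen, MINT, 0)}),
        "multisig_one_key": multi.execute(MINT, {"alice": sign(stolen, MINT, 0)}),
        # An approval claimed for bob but made with alice's key must not count.
        "multisig_forged_second": multi.execute(
            MINT, {"alice": sign(stolen, MINT, 0), "bob": sign(stolen, MINT, 0)}),
        "multisig_two_real": multi.execute(
            "add liquidity", {"alice": sign(KEYS["alice"], "add liquidity", 0),
                              "bob": sign(KEYS["bob"], "add liquidity", 0)}),
    }
```

Under the 1-of-1 policy the stolen key alone executes the mint; under 2-of-3 the same key is rejected until a second, independently held key also approves.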
Sources/Further Reading
Rekt - Dego Finance - REKT (Feb 18)
https://dego.finance/home (Feb 21)
What is dego.finance - dego.finance (Feb 22)
@dego_finance Twitter (Feb 22)
DeFi hack: DEGO Finance loses over $10M, urges exchanges to stop all deposits - AMBCrypto (Feb 22)
@PeckShieldAlert Twitter (Feb 22)
@dego_finance Twitter (Feb 22)
To Dego Community Summary Of The Event After A Thorough Investigation And Efforts (Feb 22)
@dego_finance Twitter (Feb 22)
Breaking: Binance Listed DeFi Protocol DEGO Finance Hacked (Feb 22)
Morioh (Feb 22)
DeFi Project Dego Finance Hacked: Exploiters Reportedly Drain Over $10M (Feb 22)
https://coinmarketcap.com/currencies/dego-finance/ (Feb 22)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com