QI Quadriga Initiative

Jul 2021 - Umbrella Network ChainSwap Exploit - $417k (Global)

"Umbrella is the first truly decentralized oracle service providing low cost, massively scalable, and secure solutions for smart contracts."

"Umbrella Network is well-known as a community-owned, scalable oracle for blockchain technology and DeFi. The Layer 2, DeFi oracle platform makes use of the Merkle tree technology to facilitate the provision of cost-efficient, scalable, and reliable price oracles. UMB also operates by facilitating the secure and accurate processing of transactions in batches. The DeFI oracle platform is also focused on ensuring the DeFi space is truly decentralized."

"We provide access to data previously unavailable to blockchain developers, and at a far lower cost than any other oracle in the industry. And with over 1,200 data pairs available, we offer more data than any other oracle in the ecosystem."

"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain."

Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."
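The following is an added illustration of the quota pattern the post-mortem describes, not ChainSwap's own code: a bridge spends a time-refilling quota on behalf of whichever "signature node" calls it, and the flaw is that the whitelist is never consulted on that path. A corrected version sits beside it. Every contract and variable name here (AutoQuotaBase, autoQuotaCap, refillPerSecond, quotaLeft, claimable) is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction of the quota pattern described in the
// post-mortem. Not ChainSwap's code; all names here are assumptions.
contract AutoQuotaBase {
    address public admin;
    mapping(address => bool) public isSigner;         // whitelisted signature nodes
    uint256 public autoQuotaCap;                      // most quota a node can hold
    uint256 public refillPerSecond;                   // quota regained per second
    mapping(address => uint256) internal quotaLeft;   // quota after last spend
    mapping(address => uint256) internal lastUpdate;  // timestamp of last spend
    mapping(address => uint256) public claimable;     // tokens released to a receiver

    constructor(uint256 cap, uint256 rate) {
        admin = msg.sender;
        autoQuotaCap = cap;
        refillPerSecond = rate;
    }

    function setSigner(address node, bool ok) external {
        require(msg.sender == admin, "not admin");
        isSigner[node] = ok;
    }

    // Quota a node may spend right now: what was left plus time-based refill,
    // never more than the cap.
    function quotaOf(address node) public view returns (uint256) {
        uint256 refill = (block.timestamp - lastUpdate[node]) * refillPerSecond;
        uint256 q = quotaLeft[node] + refill;
        return q > autoQuotaCap ? autoQuotaCap : q;
    }

    function _spendQuota(address node, uint256 amount) internal {
        uint256 q = quotaOf(node);
        require(q >= amount, "quota exceeded");
        quotaLeft[node] = q - amount;
        lastUpdate[node] = block.timestamp;
    }

    function _credit(address to, uint256 amount) internal {
        claimable[to] += amount;
    }
}

// FLAWED: the whitelist is never consulted on the release path. For an
// address the contract has never seen, lastUpdate is 0, so the refill term is
// enormous and quotaOf() returns the full cap. Any caller therefore passes the
// quota check exactly as a registered signature node would.
contract AutoQuotaBridgeFlawed is AutoQuotaBase {
    constructor(uint256 cap, uint256 rate) AutoQuotaBase(cap, rate) {}

    function release(address to, uint256 amount) external {
        _spendQuota(msg.sender, amount);
        _credit(to, amount);
    }
}

// FIXED: whitelist membership is an explicit precondition checked before any
// quota arithmetic, so an unregistered caller never reaches _spendQuota().
// Removing a node from the whitelist also revokes its quota immediately.
contract AutoQuotaBridgeFixed is AutoQuotaBase {
    constructor(uint256 cap, uint256 rate) AutoQuotaBase(cap, rate) {}

    function release(address to, uint256 amount) external {
        require(isSigner[msg.sender], "not a whitelisted signer");
        _spendQuota(msg.sender, amount);
        _credit(to, amount);
    }
}
```

The defensive point is ordering: authorization is a separate, explicit check that runs before any rate-limiting arithmetic, rather than something the quota bookkeeping is trusted to enforce as a side effect. A unit test that deploys AutoQuotaBridgeFlawed, calls release() from a fresh address and observes claimable going up would have caught the pattern; the same test against AutoQuotaBridgeFixed should revert with "not a whitelisted signer".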

"The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC." "The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."

"According to official sources, the DeFi oracle Umbrella Network had over 3 million UMB tokens stolen due to a loophole in the ChainSwap contract of the cross-chain asset bridge." "Hackers stole a little over 3 million $UMB tokens on ETH from the Chainswap vault, which was the entirety of the UMB tokens available there. We have now come to understand that the hackers also managed to mint an additional 20 million in UMB tokens on the BSC side, but did not manage to sell them before all UMB tokens there were frozen."

"Chainswap said it had already repurchased a small amount of the affected tokens from the market and returned the contract wallet. The rest will be paid out in full by the Chainswap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."

"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."

“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.

"While we will not need to change any of our token contracts on the Ethereum side, it has become apparent that we will need to create a new UMB token contract on BSC to address the previously mentioned issue of the additional tokens minted by the hackers."

"Our plan to address this will be to issue the new token contract, and airdrop the new UMB tokens to all token holders on BSC to replace the frozen ones on a 1:1 basis. We will also be airdropping an additional % of new UMB tokens to all UMB token holders on BSC as a bonus, in an effort to address some of the concern around the opportunity cost of having UMB tokens frozen while we investigated the hack."

"There are several steps we will need to take, including issuing the new contract, getting the new token listed with Etherscan, CoinGecko, and CMC, and then getting things set up with PancakeSwap. Subsequent to that we will then airdrop the new UMB tokens on BSC to replace the frozen ones on a 1:1 basis. All UMB token holders on BSC, you do not need to do anything. We will be automatically airdropping you the new tokens."

"You should hold in the wallet we airdropped to, and based on how long you hold onto those tokens, you will receive a bonus." "The bonus is tiered so you must hit the 25, 50, 75, and 100-day thresholds to get those tiers of bonuses." "In terms of the $UMB token buyback scheme, we initiated to counteract the additional $UMB sold by the hackers into the market, as of 20th of July Umbrella has already bought back about 95 ETH worth of $UMB, with a remaining 15 ETH still to be spent."

Further Analysis

Umbrella Network provides a price oracle. The UMB token used by the oracle could be swapped between chains through the ChainSwap bridge. As part of this process, a large quantity of UMB tokens sat in a bridge smart contract that functioned as a hot wallet, and the BSC-side UMB token contract exposed a minting function that the bridge contract was permitted to call.

The attacker exploited the ChainSwap vulnerability both to drain the tokens held in the bridge contract and to reach that minting function. They then sold the resulting tokens on PancakeSwap and attempted to cash out.

How Could This Have Been Prevented?

In theory, decentralized finance will eventually see every vulnerability that exists exploited. Nobody can know when that will happen, though, or whether a given contract is actually secure rather than harbouring an exploit that simply hasn't been noticed yet. For any complex smart contract, security cannot be proven, and plenty of fully audited contracts have been exploited. In this case, the project did the best it could to reimburse its users for the full loss. Platforms should generally be prepared for the total loss of all assets held in hot wallets (smart contracts included), and all minting should require authorization through a multi-sig of known, trained operators. Assets that do not need to be accessed quickly should be held in a simple offline multi-signature wallet.
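As an added example of the recommendation above, not Umbrella's or ChainSwap's code: a token whose mint() can be called only by a k-of-n council contract, so that neither a single operator key nor a bridge contract can mint on its own. The contract names (MintableToken, MintCouncil), the member list and the threshold are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. A token that trusts exactly one
// minter address, intended to be the MintCouncil contract below.
contract MintableToken {
    string public constant name = "Example Token";   // constructed sample name
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable minter;                 // the council, fixed at deploy

    constructor(address council) { minter = council; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "mint: only council");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// k-of-n council: a mint happens only after `threshold` distinct members have
// approved the same (token, to, amount) proposal.
contract MintCouncil {
    struct Proposal {
        address token;
        address to;
        uint256 amount;
        uint256 approvals;
        bool executed;
    }

    address[] public members;
    mapping(address => bool) public isMember;
    uint256 public immutable threshold;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public approved;  // id => member => yes

    constructor(address[] memory _members, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _members.length, "bad threshold");
        for (uint256 i = 0; i < _members.length; i++) {
            require(_members[i] != address(0), "zero member");
            require(!isMember[_members[i]], "duplicate member");
            isMember[_members[i]] = true;
            members.push(_members[i]);
        }
        threshold = _threshold;
    }

    modifier onlyMember() {
        require(isMember[msg.sender], "not a member");
        _;
    }

    // Proposing counts as the proposer's own approval.
    function propose(address token, address to, uint256 amount)
        external onlyMember returns (uint256 id)
    {
        proposals.push(Proposal(token, to, amount, 0, false));
        id = proposals.length - 1;
        _approve(id);
    }

    function approve(uint256 id) external onlyMember { _approve(id); }

    function _approve(uint256 id) internal {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        p.approvals += 1;
    }

    // Anyone may trigger execution once enough distinct members have approved;
    // the executed flag is set before the external call (checks-effects-interactions).
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.approvals >= threshold, "not enough approvals");
        p.executed = true;
        MintableToken(p.token).mint(p.to, p.amount);
    }
}
```

Deploy MintCouncil first with the operators' addresses and a threshold, then deploy MintableToken with the council's address as `council`; the bridge contract is never given mint rights, so draining the bridge's hot-wallet balance cannot also inflate supply. In production the council role would normally be an audited, widely used multisig wallet rather than a hand-rolled contract like this one; the example exists to make the authorization boundary visible.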


Sources/Further Reading

SlowMist Hacked - SlowMist Zone (May 18)
Community Owned, Decentralized Oracle | Umbrella Network (Aug 21)
Umbrella Network (UMB) Gains Three New Partnerships (Aug 21)
Chainswap Black Sunday, over 20 DEFI projects were stolen - 律动BlockBeats (Aug 24)
ChainSwap Exploit 11 July 2021 Post-Mortem | by ChainSwap | Medium (Aug 24)
MappableToken | 0x06c24002f43e3AF904EeEc581734EA3A7DbF355E (Aug 24)
ChainSwap Exploit Leads to Multi-Million Loss For DeFi Tokens - Decrypt (Aug 24)
@chain_swap Twitter (Aug 24)
Explained: The ChainSwap Hack (July 2021) - Halborn (Aug 24)
$8 Million Lost in Major ChainSwap Exploit | Crypto Briefing (Aug 24)
Umbrella Network Update On Chainswap Hack (Aug 24)
Announcement Of New Token Issuance On Bsc And Related Updates (Aug 24)

