Hacker Makes Off with $12 Million in Latest DeFi Breach
Cross-Chain Protocol pNetwork Offers Hacker ‘Clean’ $1.5 Million Bug Bounty
In the latest security incident involving a decentralized finance protocol, cross-chain project pNetwork announced Sunday it had been hacked for 277 pBTC, a form of wrapped bitcoin, with losses worth over $12 million at current value.
In a series of tweets announcing the incident, pNetwork said, “We’re sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral). The other bridges were not affected. All other funds in the pNetwork are safe.”
“The bridges will run with extra security measures in place for the first few days,” pNetwork said in a follow-up post. “This means slower transactions processing in exchange for higher security.”
The platform says it will provide a $1.5 million bug bounty to the hacker, should they return the funds.
“To the black hat hacker. Although this is a long shot, we’re offering a clean $1,500,000 bounty if funds are returned,” pNetwork tweeted. “Finding vulnerabilities is part of the game unfortunately, but we all want [the] DeFi ecosystem to continue growing, returning funds is a step in that direction.”
The pBTC tokens represent an equal value of bitcoin for transactions that run on the platform’s smart contracts. PNetwork supports several blockchains – including Binance Smart Chain, Ethereum, EOS, Polygon, Telos, xDAI and Ultra – and its wrapped tokens enable assets to “cross” them.
“To pTokens users. We are really sorry about what happened,” the protocol noted in the same thread.
‘Prioritizing Security’
Although technical details have not been disclosed, pNetwork says the threat actor targeted the Binance Smart Chain and that it aims to fully restore services as soon as possible.
“We want to assure everyone that we are prioritizing security over speed,” the protocol added on its social media thread.
“A detailed post-mortem will follow,” pNetwork said. “Bridges are being extensively reviewed for that and similar exploits.”
On Monday, pNetwork said that its EOS and Telos bridges had been restored and “running with extra security measures in place for the first few days.”
PNetwork added, “We appreciate the support we have received so far. Please bear w/ us during this difficult time. We’ll all come back stronger.”
As of this writing, the price of pNetwork’s PNT token was $0.92, a drop of more than 17% over the past day, according to CoinMarketCap.
Commenting on the pNetwork incident, blockchain expert David Gerard, author of the book “Attack of the 50 Foot Blockchain,” tells Information Security Media Group, “DeFi apps are correctly viewed as a piñata written in [smart contract programming language] Solidity.
“Smart contract programming is very brittle, and done with time to market as the most important business consideration,” Gerard adds. “This means it’s going to be sloppy and vulnerable. Auditing exists, but is of varying quality. … I predict this will keep happening – because it’s happened since DeFi became popular.”
SushiSwap Incident
In another crypto-based incident Friday, a platform on the decentralized exchange SushiSwap was taken for $3 million in ethereum following a suspected supply chain attack. But the funds were ultimately returned to the contract, its chief technology officer later confirmed.
According to since-deleted tweets – now archived by Ars Technica – SushiSwap CTO Joseph Delong said Friday that a Minimal Initial SushiSwap Offering, or MISO, platform was targeted in an attack that altered one of its auctions.
The community-based SushiSwap offers financial services to users in one decentralized channel, and its launchpad allows them to introduce new tokens.
Delong said last week that the company suspected that a contractor with the GitHub handle “Aristok3” had gained illicit access to the auction, allegedly injecting malicious code that rerouted funds from the “Jay Pegs Auto Mart” token auction to a personal ethereum address. The threat actor lifted 864.8 ethereum, but no other auctions were affected, according to the Ars Technica report.
The Jay Pegs Auto Mart auction enabled users to buy a non-fungible token, or NFT, representing ownership of a tangible item: a 2007 Kia Sedona.
Delong said in the now-deleted thread, “The attacker inserted their own wallet address to replace the ‘auctionWallet’ at [its] creation,” and that affected areas have been patched.
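The tampering Delong describes, a recipient address swapped into the auction's creation parameters, is the kind of change a deployer's signing tool can catch before the transaction is submitted. The following is an added example, not SushiSwap or MISO code: it decodes standard Solidity ABI calldata (4-byte selector followed by 32-byte words) using a caller-supplied list of argument types, then flags any argument slot designated as a fund recipient whose address is not on an allowlist. The function selector, the argument layout and every address below are constructed for the demonstration and do not correspond to any real contract.

```javascript
// Added example; not code from SushiSwap, MISO or any deployed contract.
// Assumed: standard Solidity ABI encoding for static types. The selector,
// argument order and addresses are constructed for this demonstration.

function strip0x(hex) {
  return hex.startsWith("0x") ? hex.slice(2) : hex;
}

// Build calldata from static arguments (address or uint256). Used here only
// to construct the sample "honest" and "tampered" transactions.
function encodeStaticArgs(selector, types, values) {
  let data = strip0x(selector).toLowerCase();
  types.forEach((t, i) => {
    if (t === "address") {
      data += strip0x(values[i]).toLowerCase().padStart(64, "0");
    } else if (t === "uint256") {
      data += BigInt(values[i]).toString(16).padStart(64, "0");
    } else {
      throw new Error("unsupported type " + t);
    }
  });
  return "0x" + data;
}

// Decode calldata back into typed values. A small uint256 also has twelve
// leading zero bytes, so the caller supplies the type list rather than
// letting the checker guess which words are addresses.
function decodeStaticArgs(calldata, types) {
  const hex = strip0x(calldata).toLowerCase();
  if (hex.length < 8 + 64 * types.length) {
    throw new Error("calldata too short for declared argument list");
  }
  const out = [];
  types.forEach((t, i) => {
    const word = hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
    if (t === "address") {
      if (word.slice(0, 24) !== "0".repeat(24)) {
        throw new Error("argument " + i + " is not a well-formed address");
      }
      out.push("0x" + word.slice(24));
    } else if (t === "uint256") {
      out.push(BigInt("0x" + word));
    } else {
      throw new Error("unsupported type " + t);
    }
  });
  return out;
}

// Pre-signing check: every slot the caller marks as a fund recipient must
// hold an allowlisted address. Returns the indices of offending slots; an
// empty array means the transaction is safe to sign.
function findTamperedRecipients(calldata, types, recipientSlots, allowlist) {
  const args = decodeStaticArgs(calldata, types);
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  return recipientSlots.filter(
    (i) => types[i] !== "address" || !allowed.has(args[i])
  );
}

// Constructed sample: an auction-creation call taking (token, amount, auctionWallet).
const AUCTION_TYPES = ["address", "uint256", "address"];
const RECIPIENT_SLOTS = [2]; // only the auctionWallet slot receives funds
const SELECTOR = "0x12345678"; // constructed, not a real function selector
const TOKEN = "0x2222222222222222222222222222222222222222"; // constructed
const TREASURY = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"; // constructed

const honestTx = encodeStaticArgs(SELECTOR, AUCTION_TYPES, [TOKEN, 1000n, TREASURY]);
const tamperedTx = encodeStaticArgs(SELECTOR, AUCTION_TYPES, [TOKEN, 1000n, ATTACKER]);

console.log("honest tx tampered slots:", findTamperedRecipients(honestTx, AUCTION_TYPES, RECIPIENT_SLOTS, [TREASURY]));
console.log("tampered tx tampered slots:", findTamperedRecipients(tamperedTx, AUCTION_TYPES, RECIPIENT_SLOTS, [TREASURY]));
```

The check runs on the calldata the wallet is actually about to sign, not on what the web frontend displays, so a malicious script that rewrites form values or request bodies in the browser still fails the comparison against the independently maintained allowlist.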
In a still-visible post from Friday, Delong confirmed, “All funds returned.”
According to CryptoSlate, the CTO reportedly threatened legal action if the funds were not returned, although hours later Etherscan data showed funds moving back to the original contract.
It remains unclear who was responsible for the heist, although one social media user threatened to release some of the platform’s code if SushiSwap did not offer an apology.
Other Recent Incidents
Cryptocurrency security issues have, of course, continued to grab headlines in recent weeks.
Japan-based cryptocurrency exchange Liquid suffered a cyberattack that led to the loss of $97 million. And decentralized finance platform Poly Network, a protocol of Chinese blockchain project Neo, had $612 million siphoned from its channel in a now-infamous heist in which the hacker, dubbed “Mr. White Hat,” incrementally returned the funds over the course of a week – after being offered a security advisory role with the project (see: Financial Execs Say Security a Top Cryptocurrency Barrier).