
DEX BXH ("Stupid Kid") Hacked, Two Yield-Aggregator Apps Caught in the Fallout

Author: Hive Finance News

On October 30, BXH, a decentralized exchange (DEX) deployed on several chains, was hacked for roughly $139 million worth of crypto assets. According to the project's official statement, the incident occurred in the BXH deployment on the BSC chain; the BXH deployments and assets on Ethereum, OEC and Heco were not affected, but all external services on every chain were shut down as a precaution.

After the incident, blockchain security firm SlowMist analysed the chain data: before the theft, BXH's management wallet address had performed an operation that granted the attacker's contract an administrative role. Using that role, the attack contract transferred the assets managed by BXH's strategy pool out of the vault, and part of the stolen funds was then bridged to other chains.

As soon as the cause of the theft came out, public opinion erupted: BXH had unfortunately lived up to its Chinese name, "stupid kid", in the form of a security incident.

Some people could not understand how BXH could "hand the authority over its funds to hackers", others suspected an inside job, and earlier negative reporting about the project's leader, surnamed Wang, was dug up again. BXH's officials did not say much in response, stating only that "the private key was leaked" and posting a $1 million bounty to recruit a white-hat team to recover the funds.

Because BXH switched off deposits and withdrawals, CoinWind, a yield-aggregator vault (a so-called "machine gun pool") that depends on the exchange's liquidity, also suspended deposits and withdrawals on several chains for security checks; in turn another aggregator, Earn DeFi, suspended deposits because CoinWind had done so.

DeFi yields can be stacked like nesting dolls, and when a security incident occurs the failure cascades through the dolls the same way. As of press time, none of the three applications had reopened deposits and withdrawals.

BXH's admin privilege was "hacked", and the explanation is questioned

A day after the theft of $139 million in crypto assets, on October 31 Beijing time, BXH published on its official social media the remaining assets in its BSC pools, including USDT, USDC, BTC, ETH, BUSD and MDX, worth about $184 million.

BXH's remaining assets on the BSC chain are currently worth about $184 million

BXH said that a withdrawal plan for the remaining assets would be issued after the joint third-party security team confirmed the cause of the incident and the safety of the contracts, and after preliminary findings from the police investigation, together with an asset withdrawal announcement and other compensation plans.

According to earlier public information, BXH first launched on Huobi's Heco chain in March this year and rode the DeFi boom, claiming "tens of thousands of users and $1.2 billion of TVL within just 10 days"; it launched on BSC on July 30 this year and later set up deployments on Ethereum and OEC.

On October 25, BXH had just launched a lending-pool mining feature on BSC; the incident followed five days later.

SlowMist, the blockchain security firm that was one of BXH's auditors, gave a preliminary analysis after the incident. According to its intelligence, the attacker deployed the attack contract (address beginning 0x8877) at 13:00 UTC on October 27; at 08:00 UTC on October 29, the BXH project's management wallet (address beginning 0x5614) granted the attack contract an admin role by calling grantRole; at 03:00 UTC on October 30, the attacker used that role to have the attack contract transfer the assets managed by BXH's strategy pool out of the vault; at 04:00 UTC on October 30, 0x5614 paused the vault. "The BXH theft was therefore caused by a malicious modification of its admin privileges, which the attacker then used to transfer the project's assets."

Fund tracing also began on October 30. At 16:24 Beijing time that day, SlowMist announced that the hacker's initial profit address on BSC had bridged 4,000 ETH from BSC to Ethereum and swapped 300 BTCB for renBTC, which was bridged to two addresses.

According to BXH's post-incident announcement, the flow of the stolen funds is being tracked by several security firms, and the project has posted a $1 million bounty to recruit a white-hat team for fund recovery.

As soon as SlowMist's "preliminary diagnosis" came out, online commentators and BXH users voiced confusion: some asked why BXH's management wallet would grant its authority to a hacker, and some suspected the project side of an inside job. BXH has not addressed these doubts beyond saying that "the private key was leaked".

The official "private key leak" explanation exposed the weakness of the exchange's private-key management. The DeFi opinion leader known as Shenyu ("God Fish") asked why the key was not under multisig and why there was no timelock. BXH has not yet replied to these questions publicly, pending a more detailed security analysis and review.

The media outlet Babbit (8BTC) quoted the crypto custody provider Safeheron as saying that managers of crypto assets need to pay closer attention to the risk of single-key management and should upgrade the Owner key to multisig control as soon as possible to remove the single point of failure; either on-chain multisig or MPC-based multisig can put the Owner key under multi-party control.
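The sequence SlowMist describes (attacker deploys a contract, a single-key management wallet calls grantRole for it, the contract drains the vault) leaves an on-chain RoleGranted event at the moment the role is handed over, which is exactly the point where a monitor or a timelock could have intervened. The following is an added example written for this article, not code from BXH, SlowMist or Safeheron: it decodes RoleGranted(bytes32 role, address account, address sender) events from OpenZeppelin-style AccessControl contracts in the shape returned by JSON-RPC eth_getLogs, and alerts when the grantee is not on an allowlist or when the grant was sent directly by an externally owned account rather than by the timelock or multisig that should hold the admin role (the check Shenyu's question points at). The vault, timelock, admin, strategy and attacker addresses, the STRATEGIST_ROLE id and the sample logs are all constructed for the example and are not the real BXH addresses.

```python
"""Detect privileged-role grants in AccessControl event logs (added example).

Not code from BXH, SlowMist or any other project in the article. Decodes
RoleGranted(bytes32 role, address account, address sender) events in
eth_getLogs shape and flags grants to unknown accounts or grants that did not
come through the expected timelock/multisig. All addresses, the role id and
the logs are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# keccak256("RoleGranted(bytes32,address,address)"): topic[0] of the OpenZeppelin event.
ROLE_GRANTED_TOPIC = "0x2f8788117e7eff1d82e926ec794901d17c78024a50270940304540a733656f0d"
# keccak256("Transfer(address,address,uint256)"): used only as an unrelated event below.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32  # bytes32(0) in AccessControl

# Constructed (hypothetical) addresses and role id for the sample logs.
VAULT = "0x" + "11" * 20            # strategy-pool vault emitting the events
TIMELOCK = "0x" + "22" * 20         # timelock/multisig that should hold admin rights
ADMIN_EOA = "0x" + "33" * 20        # a single-key management wallet
STRATEGY = "0x" + "44" * 20         # an approved strategy contract
ATTACK_CONTRACT = "0x" + "55" * 20  # a freshly deployed, unknown contract
STRATEGIST_ROLE = "0x" + "ab" * 32  # stand-in for keccak256("STRATEGIST_ROLE")


@dataclass(frozen=True)
class RoleGrant:
    contract: str  # emitting contract
    role: str      # bytes32 role id
    account: str   # address that received the role
    sender: str    # msg.sender of grantRole()
    tx_hash: str
    block: int


def _address_topic(addr: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes in topics."""
    return "0x" + "00" * 12 + addr[2:].lower()


def _topic_to_address(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte topic."""
    raw = topic[2:] if topic.startswith("0x") else topic
    if len(raw) != 64:
        raise ValueError(f"topic is not 32 bytes: {topic}")
    return "0x" + raw[-40:].lower()


def decode_role_granted(log: dict) -> Optional[RoleGrant]:
    """Return a RoleGrant for a RoleGranted log, or None for any other event."""
    topics = log.get("topics", [])
    if len(topics) != 4 or topics[0].lower() != ROLE_GRANTED_TOPIC:
        return None
    return RoleGrant(
        contract=log["address"].lower(),
        role=topics[1].lower(),
        account=_topic_to_address(topics[2]),
        sender=_topic_to_address(topics[3]),
        tx_hash=log["transactionHash"],
        block=int(log["blockNumber"], 16),
    )


def audit_grants(logs: List[dict], allowed_accounts: List[str], timelock: str) -> List[str]:
    """Apply the detection rule to a batch of logs; one alert line per suspicious grant."""
    allowed = {a.lower() for a in allowed_accounts}
    timelock = timelock.lower()
    alerts = []
    for log in logs:
        grant = decode_role_granted(log)
        if grant is None:
            continue
        reasons = []
        if grant.account not in allowed:
            reasons.append("grantee not on allowlist")
        if grant.sender != timelock:
            reasons.append("grant bypassed timelock/multisig")
        if grant.role == DEFAULT_ADMIN_ROLE:
            reasons.append("DEFAULT_ADMIN_ROLE granted")
        if reasons:
            alerts.append(
                f"block {grant.block} tx {grant.tx_hash}: role {grant.role[:10]}... "
                f"granted to {grant.account} by {grant.sender} ({'; '.join(reasons)})"
            )
    return alerts


def _log(topics: List[str], block: int, tx: str) -> dict:
    """Build one constructed log entry in eth_getLogs shape."""
    return {"address": VAULT, "topics": topics, "data": "0x",
            "blockNumber": hex(block), "transactionHash": tx}


# Constructed sample logs: a routine grant via the timelock, an unrelated
# Transfer event, and a grant to an unknown contract sent directly by an EOA.
SAMPLE_LOGS = [
    _log([ROLE_GRANTED_TOPIC, STRATEGIST_ROLE, _address_topic(STRATEGY), _address_topic(TIMELOCK)],
         12_000_000, "0x" + "a1" * 32),
    _log([TRANSFER_TOPIC, _address_topic(VAULT), _address_topic(STRATEGY)],
         12_000_100, "0x" + "b2" * 32),
    _log([ROLE_GRANTED_TOPIC, STRATEGIST_ROLE, _address_topic(ATTACK_CONTRACT), _address_topic(ADMIN_EOA)],
         12_000_200, "0x" + "c3" * 32),
]

if __name__ == "__main__":
    for line in audit_grants(SAMPLE_LOGS, allowed_accounts=[STRATEGY], timelock=TIMELOCK):
        print("ALERT", line)
```

The "sender" topic is what makes the timelock check possible: AccessControl records msg.sender of the grantRole call in the event, so if the admin role is held by a timelock or multisig contract, every legitimate grant is emitted with that contract as sender, and a grant signed directly by a single EOA key stands out immediately. In production the sample list would be replaced by an eth_getLogs subscription filtered on the vault address and the RoleGranted topic.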

In other words, private-key risk is well understood and there are established ways to mitigate it; BXH, which held hundreds of millions of dollars of user assets, neglected its duty in key management.

Two third-party yield aggregators shut down in succession

Although the incident occurred in the BSC deployment of BXH and the assets on Ethereum, OEC and Heco were not affected, the application shut down its services on every chain for safety.

After BXH temporarily shut down its services, the dark side of the DeFi "nesting doll" effect emerged: CoinWind, a third-party yield aggregator that relies on BXH's liquidity, urgently suspended some of its deposit and withdrawal functions on BSC, Heco and Ethereum on October 30. As a result, another aggregator, Earn DeFi, announced that it too had stopped deposits because CoinWind had suspended them.

The knock-on effect of the BXH theft has left users of all three applications currently unable to withdraw the assets stored in them.

Hive Finance logged into the CoinWind application and confirmed that deposits and withdrawals are indeed suspended: yield is still being calculated as normal, but neither principal nor yield can be withdrawn. The same is true of Earn DeFi.

The two yield aggregators shut down one after the other

On October 31, CoinWind announced that because BXH had closed deposits and withdrawals on all of its main chains, CoinWind could not currently retrieve part of the funds it had invested in BXH, so it suspended deposits and withdrawals on the Heco, BSC and Ethereum main chains, and the related data could not be calculated accurately. The app said that if BXH reopens deposits on Heco and Ethereum after determining there is no risk, CoinWind will reopen as well. At this stage the principal and yield of CoinWind users on the Heco and Ethereum main chains are unaffected, and the application is closely following the recovery of BXH's stolen assets on BSC, the extent of the loss, the timing of reopening deposits and withdrawals, and progress on the asset withdrawal plan.

After CoinWind suspended deposits and withdrawals, Earn DeFi only posted an announcement through an assistant account in its user group; its website and official announcement said that because CoinWind had urgently closed single-token staking and DAO deposits on the three chains, Earn DeFi users' deposits and withdrawals in the ETH, BTC and USDT pools would be affected. The announcement did not say how much money was affected.

Judging from both announcements, BXH is one of the sources of investment and yield for the CoinWind aggregator, and CoinWind in turn is part of Earn DeFi's yield farmland; when the city gate caught fire, the fish in the moat suffered. Here the moat is the aggregator, and the fish are the users of these applications.

It should be noted that many details worth pondering also surfaced after the incident.

For example, administrators of CoinWind's official community said they have no relationship with Earn DeFi: the two sides have not cooperated, CoinWind never received any integration information from Earn DeFi about depositing funds, and since the incident Earn DeFi has not provided the address of the contract through which it interacts with CoinWind. Some CoinWind users believe Earn DeFi is "passing the buck" and that users still using that app "need to be careful".

Earn DeFi did not respond further to the other side's statements, but judging from its own announcement, an aggregator that "parasitizes" another aggregator is somewhat lazy: normally the mining pools of a trading application should be the main source of an aggregator's high yield, yet once CoinWind closed deposits, all three of Earn DeFi's mainstream single-token pools were affected.

For example, some users are unhappy that CoinWind put assets into the controversial BXH: "Had I known it invested in BXH, I would never have deposited in CoinWind." The sentiment goes back to July this year, when several self-media outlets dug into the "unreliable" history of BXH's leading members: the project's leader, Wang Xiaobin, had been criticized for two straight years in the blockchain space for "issuing tokens to raise money" and "10 projects, all vapor", and earlier, in the internet sector, his products had missed their ship dates and never shipped, his company collapsed, and he was listed as a dishonest debtor subject to spending restrictions before turning to blockchain.

Some CoinWind users believe that putting user assets into an application run by a controversial team to earn yield was already a warning sign.

CoinWind community administrators explained "why BXH's vaults were chosen" by saying that they did due diligence on BXH, as they research and evaluate every pool they connect to; BXH's audit report showed no issues, and it is essentially a real-name project. "As an aggregator, our obligation is to choose high-yield and relatively reliable pools to invest in. This time BXH was attacked because its private key was stolen, which for CoinWind is indeed a force majeure factor."

The BXH theft calls for BXH to rethink its own private-key management. For the aggregators, at least one user suggestion is worth considering by such yield-management applications, especially as every DeFi application moves toward a DAO: tell users openly and transparently where their capital is allocated.

Do not use "confidentiality" as an excuse to brush users off. The allocation strategy may be an aggregator's competitive moat, but announcing which yield farms funds are allocated to does not interfere with executing the secret strategy, and it lets users exercise their right to know and their right to choose in advance. Is that not the spirit blockchain advocates?


Have you been affected by the BXH incident?
