2020-11-3 11:25
CertiK, a blockchain auditing outfit, has commented on yesterday’s Axion hack, revealing that the attacker exploited the project’s third-party dependencies. The auditors added that someone within the project likely carried out the attack.
Insiders Likely Led Axion Attack

According to a HackMD article published by CertiK, the attack was “planned from the inside.”
Actors involved in the Axion project injected malicious code prior to Axion’s deployment by altering its OpenZeppelin dependencies. The injected code allowed the attacker to freely mint 80 billion AXN tokens.
Since the code was injected at the deployment stage, CertiK’s original audit of the code failed to prevent the attack.
Yvan Nasr, CertiK’s head of professional service, told Crypto Briefing that Axion likely “merged the code of the project with the right dependencies together and then manually inserted their malicious code in the OpenZeppelin dependency prior to deployment.”
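One defensive check the sequence described above calls for, as an added example that is not CertiK's or the Axion project's code: record a hash manifest of the dependency tree at audit time and verify the tree actually compiled for deployment against it, so an edit to a vendored OpenZeppelin file after the audit is caught before the contracts go out. The directory layout and file contents below are constructed for the demonstration.

```python
"""Check a vendored dependency tree against the manifest recorded at audit time.

Added example, not code from CertiK or the Axion project. It assumes the auditor
pins the dependency tree it reviewed (e.g. node_modules/@openzeppelin/contracts)
by recording a SHA-256 manifest, and that the deployer re-runs the check on the
tree that is actually compiled into the deployment artefact.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (POSIX relative path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(audited: Dict[str, str], deployed: Dict[str, str]) -> Dict[str, List[str]]:
    """List files added, removed or modified since the audited manifest was taken."""
    return {
        "added": sorted(set(deployed) - set(audited)),
        "removed": sorted(set(audited) - set(deployed)),
        "modified": sorted(p for p in set(audited) & set(deployed) if audited[p] != deployed[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: the audited tree is copied for deployment and one vendored
    OpenZeppelin file is edited in the copy, as the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        audited = Path(tmp) / "audited" / "@openzeppelin" / "contracts"
        (audited / "token" / "ERC20").mkdir(parents=True)
        (audited / "token" / "ERC20" / "ERC20.sol").write_text(
            "contract ERC20 { function _mint(address to, uint256 amount) internal {} }\n")
        (audited / "access").mkdir()
        (audited / "access" / "Ownable.sol").write_text("contract Ownable {}\n")
        deployed = Path(tmp) / "deployed" / "@openzeppelin" / "contracts"
        shutil.copytree(audited, deployed)
        # Tampering after the audit: the copy no longer matches what was reviewed.
        (deployed / "token" / "ERC20" / "ERC20.sol").write_text(
            "contract ERC20 { function _mint(address to, uint256 amount) internal {}\n"
            "  function mint(address to, uint256 amount) public { _mint(to, amount); } }\n")
        return diff_manifests(build_manifest(audited), build_manifest(deployed))


if __name__ == "__main__":
    print(demo())  # → {'added': [], 'removed': [], 'modified': ['token/ERC20/ERC20.sol']}
```

A non-empty diff means the deployment artefact was not built from the audited tree and the audit result no longer applies to it.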
Alex Papageorgiou, security engineer at CertiK, added that “the deployers were most likely Axion members, as whoever deployed the contracts could also set special owners roles … so they already were considered trusted”.
CertiK has not speculated on the precise identity of the attacker. However, it believes that the attack “could have only been done by those deploying the project.”
$27 Million of AXN Stolen

The exploit against Axion allowed the unknown attacker to mint 80 billion AXN tokens, then sell those tokens on the Uniswap exchange. Prior to the attack, that amount was worth $27 million, though the token’s price has now collapsed to $0.
To prepare for the attack, the hacker circulated 2.1 ETH on Tornado.cash for privacy. The attacker also purchased 700,000 HEX2T tokens as part of a “smokescreen,” CertiK says.
Though the attack was sizable in terms of its dollar value, it is notable primarily because the hacker followed an unusual line of attack. It remains to be seen whether hackers can imitate this line of attack and carry it out against other blockchain projects.