A thief with the least technical content destroyed the most yield protocol
Authur：Wu Zhuocheng From WuBlockchain
On October 30, 139 million dollars was stolen from a Chinese yield protocol called BXH. The security incident occurred on BSC, and according to an official statement, the assets on Ethereum, OEC and Heco were not affected, but all external services on the chain were shut down for security reasons.
After the incident, according to the analysis of the blockchain security agency SlowMist Technology, the hacker deployed the attack contract 0x8877 at 13 o'clock on the 27th (UTC), then at 8 o'clock on the 29th (UTC) the BXH project management wallet address 0x5614 gave the attack contract 0x8877 administrative privileges via grantRole. At 3 o'clock on the 30th (UTC), the attacker transferred his managed assets from the BXH strategy pool fund library through the authority of the attack contract 0x8877. Therefore, BXH was stolen this time due to a malicious modification of its administrative privileges, which led the attacker to use this privilege to transfer project assets. Currently, 4000 ETH in the hacker's initial address (0x48c94305bddfd80c6f4076963866d968cac27d79) has been transferred from BSC to ETH, and 300 BTCB converted to renBTC has been transferred to the new address (1Jw.. .9oU and 1Fr. .Vow).
As soon as the case came out, public opinion was in an uproar. Since BXH has the same initials as "stupid kid"(BenXiaoHai in Chinese), the playful name is now widely circulated in the Chinese community. Some people can't figure out why BXH can hand over the authority of fund management to hackers, and some people questioned it was an inside job, and even a series of black history of the founder have been uncovered. Wang Xiaobin, founder of the BXH, has negative behaviors when he started his own business in the Internet industry, such as product delay without delivery, company bankruptcy, and restriction on consumption due to salary arrears. At present, the official has not made much response to public opinion, saying only that the private key was leaked, and issued a $1 million bounty to solicit white hats to recover the money.
Interestingly, the storm did not end there, as BXH has shut down its withdrawal function. Vaults, which rely on it to generate revenue, have also been forced to shut down its withdrawal function. At present, four vaults have been implicated, and the first one to bear the brunt is Coinwind, which has the second high TVL on Heco. The team said it was doing its best to follow up on the recovery of the stolen assets from BXH, the losses situation, the opening time for deposit and withdrawal and the processing progress of the asset withdrawal plan.
In addition, since Coinwind is the second largest vault in terms of TVL on Heco, other smaller vaults will directly choose the "lazy operation" of locking their funds in Coinwind and amplifying gains through leverage. This kind of vault is naturally not immune. The problems reflected behind this phenomenon are worth pondering.
Currently, vault's profit model is to constantly look for various high-yield lending protocols, then frequently deposit and borrow money to earn platform token, and finally enlarge the leverage multiplier through boost and present the investors with an exaggerated rate of return in this "building Lego" method. Of course, this approach magnifies the return, but also magnifies the risk. The loss of principal on any level may cause the entire Lego to collapse.
Therefore, every step of vault's operation and the destination of every fund should be made public at all times, just like public offering funds disclose their holdings, so that investors can make their own choices. Take Yearn as an example, the investment strategy and fund destination of each fund pool in vault need to be discussed and voted by DAO members, and finally the strategy is announced. If users are not satisfied with the investment strategy of a pool, they can choose not to invest. Many other vaults do a poor job of being open and transparent, especially the Chinese vaults, which operate completely behind closed doors. In this case, some users were dissatisfied with CoinWind's investment in the controversial BXH, saying that they would not have deposited their assets with CoinWind if they had known about it in advance. However, CoinWind's response was that they had done due diligence on BXH. There were no problems with BXH's audit report, and it was basically a real-name project. The attack on BXH this time was due to the theft of the private keys, which was an irresistible risk as far as CoinWind was concerned.
There are hundreds of different types of vaults using different strategies with different risk profiles. In general, there are three strategies of vaults.
Lower risk – Simple strategy – single asset staking vaults (ie stablecoins)
Middle risk – Simple strategy – LP token with auto compounding of the farming rewards
Highest risk – Advanced strategy – Multi-layered strategies that use multiple farms and protocols.
Yearn and other high yield protocol, including Coinwind, is the third strategy. Typically, single asset vaults have a lower risk of impermanent loss than vaults that require liquidity pool tokens as a deposit asset.
Another risk to consider is the smart contract risk, as vaults typically use multiple protocols in their more advanced strategies. Everytime a new protocol is included in a strategy it introduces another layer of risk for hacks or bugs. If there is an issue with any of them it can affect the entire vault.
For hackers, techniques should also become more sophisticated. There is really no technical content in this case, since Instead of cracking complex smart contracts, the attack simply stole private keys. Ironically, such a simple operation destroyed the most Chinese yield protocols.