An all-round restoration of a community-led “solved” DeFi heist

We took the money back from the running StableMagnet project.

Last week was an uneasy week for the DeFi world. Poly Network , decentralized annuity protocol Punk Protocol, BSC loan agreement Neko, NEAR ecological decentralized exchange Ref.Finance and other projects have been hacked successively. The amount of losses ranged from millions to hundreds of millions. Some of the attackers returned funds, and some hackers are still at large.

Perhaps as the hacker who stole $600 million in assets from the Poly Network said, there is no perfect system in this world, only vulnerabilities that we haven’t discovered yet. If a decentralized project is hacked due to code logic loopholes, it can still be considered a pain on the road of development, then the project itself is a naked crime for the purpose of embezzling assets.

Stablecoin DeFi project on BSC-StableMagnet

The story begins with StableMagnet, a DeFi project on Binance Smart Chain (BSC) .

The first half of the ether Place of performance bottlenecks caused by traffic spill in the case of DeFi hot, while currency backed security of the BSC with a good user base and chain experience a meteoric rise, quickly seize the market square in an Ethernet network expansion is not yet complete stage . However, the popularity of BSC has also attracted a large number of speculative project parties. They have deployed DeFi projects with liquid mining rewards to attract users to participate, which is the so-called “tugou”. These “earth dogs” did not intend to operate for a long time, but hoped to use the early high yield rate to attract some gamblers, raise the price of the project currency and then throw out the tokens reserved for the project party to complete the harvest.

It can be said that this type of project has a higher risk. You never know when the project will hit the market. What’s more, it premeditatedly used the reserved loopholes to steal investors’ assets and disappeared from there.

And StableMagnet is the latter.

According to the description of the victims of this project, StableMagnet was mentioned in BSC Daily and other publicity channels, which attracted the attention of some BSC users, but it did not cause a lot of splash in the general community. In most people’s opinion, this is probably It’s one of countless ordinary “Dog” projects. However, members of the community with code review capabilities came to a conclusion after inspecting the code of the project: the code of this project has no obvious loopholes, or at least the assets cannot be smoothly transferred from the contract even if the project party has subjective maliciousness .

Due to the belief that its code is safe and the APY is quite high, this project has spread among a small group of scientists. In order to further ensure the safety of the project, the project party even proactively set a contract time lock. See the project side to take further security measures, reviewed contracts for professional users who were more confidently invest more money, leading to the little-known project TVL in a few days time on the few Million dollars rose to 24 million dollars. But what everyone doesn’t know is that under the seemingly “no problem” appearance of this project, a conspiracy is brewing.

The biggest danger lurks in the most hidden corners

Although there is no loophole in the code logic of the project, this time the problem is not in the smart contract of the project itself, but in the underlying function library called by the smart contract . The project party has implanted a backdoor in the underlying function library SwapUtils Libra ry . Therefore, regardless of whether the smart contract code of the project itself is safe or time-locked, the project party can directly use the backdoor of the underlying function to transfer assets. Since the two DeFi projects Dopple and StableGaj are also developed based on the same protocol, their underlying function library SwapUtils Library is also unverified. The StableMagnet incident also exposed the security risks of these two projects.

An all-round restoration of a community-led "solved" DeFi heist

RugDoc’s comic about the StableMagnet incident

In the past, hacker attacks mostly took advantage of the smart contract logic loopholes in the project itself, which made it easy to overlook the inspection of the underlying function library. The unverified underlying function library can be passively manipulated. The project party took advantage of this.

In the early morning of June 23, Beijing time , the event officially kicked off.

While most investors in the East Eight District were still asleep, the project team transferred assets worth 24 million U.S. dollars through loopholes reserved in advance , and the project website, Twitter, and telegram group were all closed or disbanded. The project party even directly transferred part of the stolen BUSD and USDT to Binance Exchange and exchanged it for DAI before transferring it out.

More than 10 minutes after the project team implemented the action, Ogle and other community members have discovered the anomaly and started tracking the attack address. They also reported the stolen assets as soon as they were transferred to the Binance exchange, but Binance did not immediately take action. action. In the end, the project party successfully transferred DAI from the exchange.

It is worth mentioning that some well-known community members and DeFi security media have received anonymous information before the attack , saying that the SMAG (StableMagnet) project may run away, but because the identity and authenticity of the information cannot be confirmed, plus the core of the project There is no problem with the smart contract itself. Out of prudent consideration, the person who received the warning did not disclose this information in the community for the first time.

Community’s counterattack

Usually after the project is attacked, the project party will work with investors to find hackers or compensate for the losses. But the problem with StableMagnet is that the project team has stolen it . In order to save themselves, community members decided to do everything possible to search for and locate the project party. Thus, a mighty action against crime began.

Locate the project party

If you want to recover your assets, you must first find someone. According to community members, the core work responsible for searching the traces of the project party through technical means was mainly done by a KOL Ogle and his team in the DeFi field  , and this person was also one of the victims of the incident.

In the communication process, Ogle shared a special way for them to get clues- code habits . Community members said that every person who writes code inevitably has personal habits, and these habits will be very obvious in the way the code is written. Such traces are comparable to a person’s “handwriting.” Ogle found related projects on Github through certain features in the StableMagnet code, and finally determined that the project party was a team in Hong Kong through analysis of these related projects. The investigation team integrated other clues, and then found the company registered by the project members, and successfully found other relevant members through public information associated with the company.

At the same time, Binance ‘s investigation leads also point to the project party may be in Hong Kong. Upon learning of this news, the Hong Kong victim quickly reported the crime to the Hong Kong police. At the same time, the community investigation organization also obtained the contact information of the project team members and tried to communicate. But the team members ignored all contacts and refused to communicate and repay.

At this time, voices hoping to directly expose the identity of the project party appeared in the community. In addition to the core community investigation team that has their personal information, there are also independent anonymous organizations in the community that claim to “have permission” to say that they have their personal information. They want to publish their personal information directly, but they are discouraged by Ogle.

Since then, the core community investigation team has publicly called on the project team to get in touch with Ogle on numerous occasions. On the one hand, it is to promote a refund as soon as possible. On the other hand, it is to prevent their personal information from being exposed to uncontrollable consequences caused by impatient independent anonymous persons/organizations. But the project team members did not accept this “goodwill.”

Missed the best time, the project party absconded

Although the Hong Kong police has filed the case, perhaps because of procedural issues, the Hong Kong police did not accept the various evidences provided by the community. Since the project party has left traces on the Binance Exchange, Hong Kong hopes that Binance can provide relevant evidence. However, due to some reasons, the communication between the Hong Kong police and Binance has stalled. Community members have no law enforcement powers, and even if they have determined the identity of the project party, they cannot control them, so they can only wait for the police to proceed with the investigation of the case. The case was deadlocked for a while.

But perhaps the team members felt the pressure and understood that the community had roughly positioned their identity and location, so they fled to the UK in a hurry when the case was stagnant. But what awaits these team suspects is not the script of the case quelling due to the passage of time, but a new “encirclement and suppression.”

Arrested and brought to justice

When everyone was anxious about the progress of Hong Kong, the community investigation team discovered the latest whereabouts of project team members who fled to the UK. This has also become a turning point for the event. Following the reports of community members, the British police quickly opened the case and followed up by the crime team. Based on the information submitted by the community, the British police launched an investigation of the project members who fled to the UK. When things have reached this point, where the project team members are hiding in the UK has become a new issue facing the community investigation team and the British police.

According to the UK’s epidemic prevention policy, all travelers to the UK are required to self-quarantine and declare for 10 days. If the absconding project team members self-isolate as required, theoretically enough clues can be collected to trace their exact address. The bad news is that by the time investigating members and the British police intercept this clue, the isolation period for team members is likely to end.

Ogle and the community investigation team conducted speculative analysis on the addresses where team members may reside, and conducted a carpet search. In the end, the British police who obtained the intelligence successfully captured the members of the project team. The captured members of the project team carried a large number of suspicious encrypted electronic devices with them. These devices stored the stolen assets of investors. With the efforts of the British police, the arrested project team members finally chose to cooperate with the investigation and agreed to return the stolen money they carried.

So far, this up to more than a month , involving multiple countries or regions , involving up to $ 24 million DeFi fraud finally made significant progress.

Provocation and counterattack

But the matter is not completely over. The arrested members returned assets totaling approximately US$22.5 million , but claimed that some of their assets were missing. In addition, the whereabouts of some members are still unknown. What is even more strange is that when the arrested members were planning to refund, some of the assets worth hundreds of thousands of dollars were transferred. The assets finally received by the police happened to have the same amount of assets missing. The community suspects that it was the work of a fugitive project team member. If this is the case, it is tantamount to a provocation to the community and the police.

Under provocation, the impatient independent anonymous organization finally couldn’t bear it, and chose to directly expose their identities publicly, claiming that if the fugitives continue to refuse to communicate, they will publish more personal information. The core investigation team headed by Ogle has also been working hard to get in touch with the project party to recover all assets and appease the community.

An all-round restoration of a community-led "solved" DeFi heist

Suspect photo

Refund of stolen money

Refunds are the most concerned issue of all victims. The British police successfully recovered 91% of the stolen assets , and all assets will be returned to victims worldwide. It is worth mentioning that because users in some areas are not convenient to accept refunds in fiat currency, with the efforts and suggestions of community members, the British police adopted on- chain refunds and refunds in illegal currencies.

An all-round restoration of a community-led "solved" DeFi heist

News from the British Police

The victim needs to verify the ownership of the wallet through a small payment, and submit some local case registration information and KYC/AML information. After verification, a refund can be made. Although it is still difficult to implement such a scheme for domestic victims, it has provided as much convenience as possible for affected investors. For the 10% of funds that have not been recovered, the community is still working hard. Follow up with the British and international police, strive to return all the assets to the victims, and try their best to trace the fugitive project team members.

An all-round restoration of a community-led "solved" DeFi heist

British police mail to community members

Up to now, the British police have also noticed that it is difficult for victims in China to even file a case, and they are also considering further optimizing the refund process for victims in China.

An all-round restoration of a community-led "solved" DeFi heist


After interviewing community members and understanding the entire case, it can be found that the smooth solution of the StableMagnet case benefited from the efforts of community members and the full cooperation with the police . This may also be a good start and provide a typical case reference for similar incidents in the future.

At the end of the interview, when asked how to avoid such incidents in the future, Ogle said that in the CeDeFi field , it may be possible to add KYC requirements to the deployment of contracts in the future and be governed by a DAO or an organization. Of course, many people think this is not decentralized enough, and many crypto enthusiasts are not interested in it, but this method may be popular with participants in traditional finance and attract them to enter the market. This has nothing to do with right or wrong, it just depends on the choice. If you are in a completely decentralized world, in order to avoid encountering such incidents, it is recommended that participants do not blindly punch the mine, and can wait 3-6 weeks before participating. Although the initial excess returns are not obtained, certain risks are also avoided.

In addition, it is also recommended that investors choose more secure projects as much as possible in the selection of projects, such as real-name teams, verifiable code, launchpad (such as SAFERmoon) , and projects that have been audited by reliable security companies.

In the end, Ogle said that evil has its consequences, and he will make the evildoer pay the price. This is also the original intention of the community investigation team to thoroughly investigate this incident, which is to use this incident as a demonstration to warn all those who attempt to use the anonymity of the blockchain to do evil: “Even if you hide behind a computer screen, Take the consequences for your actions in the real world.”

Written by: Eric


Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-08-18 12:28
Next 2021-08-18 12:29

Related articles