Cross-Channel Protocol pNetwork Gives Hacker $ 1.5 Million ‘Clean’ Bug Bounty
Dan Gunderman (dangun127) •
September 20, 2021
Stay tuned for updates on this developing story.
In the latest security incident involving a decentralized financial protocol, cross-chain project pNetwork announced on Sunday that it had been hacked for 277 pBTC, a form of wrapped bitcoin, with losses worth more than $ 12 million. dollars in present value.
In a series of tweets announcing the incident, pNetwork said, “We are sorry to inform the community that an attacker was able to exploit a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its guarantees). The other bridges were not affected. . All other funds in the pNetwork are safe. “
“The bridges will operate with additional safety measures in place for the first few days,” pNetwork said in a statement. monitoring station. “This means slower processing of transactions in exchange for higher security.”
The platform says it will provide a bounty of $ 1.5 million to the hacker, if he returns the funds.
“To the black hat hacker. Although this is a long plan, we are offering a net bonus of $ 1,500,000 if funds are returned,” pNetwork tweeted. “Finding vulnerabilities is unfortunately part of the game, but we all want to [the] The DeFi ecosystem continues to grow, the return of funds is a step in that direction. “
PBTC tokens represent an equal value of bitcoin for transactions executed on the platform’s smart contracts. PNetwork supports multiple blockchains – including Binance Smart Chain, Ethereum, EOS, Polygon, Telos, xDAI, and Ultra – and its encapsulated tokens allow assets to “cross” them.
“To pTokens users. We are very sorry for what happened,” the protocol noted in the same thread.
Although technical details were not disclosed, pNetwork claims that the threat actor has targeted the Binance Smart Chain and aims to fully restore services as soon as possible.
“We want to assure everyone that we prioritize safety over speed,” adds the protocol. his discussion thread on social networks.
“A detailed autopsy will follow”, pNetwork said. “Bridges are widely reviewed for this and similar feats.”
Monday, pNetwork said that its EOS and Telos bridges had been restored and “operated with additional security measures in place for the first few days.”
NetworkP added, “We appreciate the support we have received so far. Please bear with us during this difficult time. We will all come back stronger.”
At the time of this writing, the price of pNetwork’s PNT token was $ 0.92, down more than 17% over the past day, according to CoinMarketCap.
Commenting on the pNetwork incident, blockchain expert David Gerard, author of the book “The 50ft Blockchain Attack,” told Information Security Media Group: “DeFi applications are properly considered a piñata written in [smart contract programming language] Solidity.
“Smart contract programming is very fragile and time to market is the most important business consideration,” adds Gerard. “That means it will be sloppy and vulnerable. The audit exists, but is of varying quality.… I predict it will continue to happen – because it has happened since DeFi became popular.”
In another crypto-based incident on Friday, a platform on the decentralized exchange SushiSwap was taken for $ 3 million in Ethereum following an alleged supply chain attack. But the funds were eventually returned to the contract, its CTO later confirmed.
According to since-deleted tweets – now archived by Ars Technica – SushiSwap technical director Joseph Delong said on Friday that a SushiSwap minimum initial offering platform, or MISO, had been targeted in an attack that altered one of his auctions.
The community-based SushiSwap offers financial services to users in a decentralized channel and its launch pad allows them to introduce new tokens.
Delong said last week that the company suspected an entrepreneur with the GitHub handle “Aristok3” of gaining illicit access to the auction, allegedly injecting malicious code that allegedly redirected funds from the token auction. “Jay Pegs Auto Mart”, to a personal ethereum address. The threatening actor raised 864.8 ethereum, but no other auctions were affected, according to the Ars Technica report.
The Jay Pegs Auto Mart auction allowed users to purchase a non-fungible token, or NFT, which represents ownership of a tangible item, for a 2007 Kia Sedona.
Delong said in the now-deleted thread: “The attacker inserted his own wallet address to replace the ‘auctionWallet’ at [its] creation “, and that the affected areas have been corrected.
In a still visible Friday post, Delong confirmed: “All funds returned.”
According to CryptoSlate, the CTO would have threatened legal action if the funds were not returned, although a few hours later Etherscan data showed the funds were reverting to the original contract.
It’s still unclear who was responsible for the heist, although a social media user threatened to post some of the platform’s code if SushiSwap didn’t. to apologise.
Other recent incidents
Cryptocurrency security concerns have, of course, continued to grab the headlines in recent weeks.
A Japan-based cryptocurrency exchange, Liquid suffered a cyberattack that resulted in the loss of $ 97 million. And the decentralized financial platform Poly Network, a protocol for China’s Neo blockchain project, had $ 612 million siphoned off its chain in a now infamous heist in which the hacker, nicknamed “Mr. White Hat,” gradually returned the funds over the course of a week – after being offered a role of security advisor with the project (see: Financial Executives Say Security Is One Of The Main Barriers To Cryptocurrency).