Open in app

Sign in

Write

Sign in

Avacash.Finance exploit: 640 AVAX stolen post mortem.

Avacash.Finance
4 min readDec 12, 2021

--

Dear Avacash.Finance Community.

First of all, we thank the Avacash.Finance community for all the support through this process. We are proud of our strong community.

On December 10th 2021, a community member alerted the team that he/she was not able to execute a withdrawal action on the Avacash.Finance platform. As soon as the message arrived, our team checked our systems and smart contracts, finding out that the 10 AVAX and 100 AVAX anonymity pools where drained by an attacker.

Avacash.Finance has been live since September 10th, allowing to anonymize up to 3730 AVAX in 3 months. The team is really confident on the project, and we still believe that Avacash.Finance is and will continue to be a major actor in the Avalanche Ecosystem. Investments should be private and secure. However, smart contracts do not come without risk.

In this article we explain you exactly what happened and what will be the next steps to compensate our community and continue further.

NOTE: The $CASH token launching date won’t change. It is still on December 20th 2021. This incident won’t let us down.

What happened?

Starting on Dec-08–2021 03:53:22 PM +UTC, an attacker created several smart contracts and executed several transactions in order to steal 500 AVAX from the 100 AVAX Anonymity Pool, and to steal 140 AVAX from the 10 AVAX Anonymity Pool.

As a summary, for each pool, the attacker:

  1. Used the flashloan feature to borrow the same amount of the pool denomination (ex. 100 AVAX)
    (Example of the first attack: https://snowtrace.io/address/0x35497a871810cb56b65b093723c21eebeda21572)
  2. While performing the flashloan, the attacker made a deposit of the same amount (ex. 10 AVAX). This made the Flashloan provider pass the security checks (initial balance = final balance)
  3. In a second transaction the attacker made a withdrawal using its secret note of the deposit made in step 2.

For every repetition of steps 1, 2 and 3, the attacker was able to steal the Anonymity Pool denomination (ex. 100 AVAX)

The attacker repeated this 5 times on the 100 AVAX Anonymity Pool, stealing 500 AVAX from that pool; and 14 times on the 10 AVAX Anonymity Pool. The total amount of affected assets was 640 AVAX:

Finally, the attacker sold those AVAX for roughly $57,409 USDT.e on Pangolin, and moved them using the Avalanche-Ethereum bridge to his/her Ethereum account, and finally sent it into Binance.

Attacker address:
https://snowtrace.io/address/0x528277e9ec668493a80e972159b24b67a013722b

AVAX to USDT.e Swap transaction:
https://snowtrace.io/tx/0x5e402e20c7f93cf74211d0c9619eddad2182337891dd0698f3254b454000a19c
Note: The attacker swapped 740 AVAX, however only 640 where from Avacash.Finance pools.

Avalanche-Ethereum bridge UDT.e transaction:
https://snowtrace.io/tx/0x7ccbefef9ba4b955efac05f274f1b1ffafb7360edbaf4044f27729becad5b0cf

How was this possible?

This attack was possible due to a typical action called “reentrancy attack”. Avacash.Finance’s flashloan features where protected by this types of attack using a “reentrancy guard” or “reentrancy lock”. However, the team mistake was not to include this lock/guard on the deposit/withdrawal functions of the anonymity pools because the team did not want to change the original TornadoCash code.

As a the team, we are very sorry for this mistake, and because we believe in the Avacash.Finance project and roadmap, we are commited to do a recovery assets mission and to execute a compensation program.

Recovery assets mission.

The attacker was very smart to identify the attack vector. However he/she left a lot of traces, specially while cashing out.

After the attacker moved the assets into Ethereum, he/she sent the stolen USDT to the Binance Exchange, using the following Binance “temporal address”: https://etherscan.io/address/0x6cd62342f66c78b98ee7e7c22197b44f7f5050aa

It is possible to see that the same address is used in several blockchains, specially in BSC, where its very likely that the attacker also uses this address:
https://bscscan.com/address/0x820aa1acb00df383c0fa40e7e8deace46cfb5e1b

We are asking the community to help us contact the attacker in order to refund the stolen assets. If you manage to make the attacker give back the funds you can keep the 10% (USD$ 5,700)

Post-Exploit Compensation.

We believe in Avacash.Finance, and we are committed to continue our mission. Hence, we think that is fair that our affected users are compensated in the best way.
The Avacash.Finance team will create a Compensation program in the next weeks. Please be patient, the date will depend on how the recovery assets mission goes.

Who will be eligible?

Everyone who holds an unspent note of the 10 or 100 AVAX Anonymity Pool is eligible to participate in the compensation program. Be aware that the team is not able to check/verify/know the affected users addresses. The team will program an special smart contract, where you’ll need to sign with a proof made by your note (as for an anonymous withdrawal). Please keep your notes and don’t share them with anyone. The team won’t ask for the notes.

How will I be compensated?

The different options are:

  1. If the recovery assets mission works, we will refund your stolen assets.
  2. Compensate with $CASH tokens (and hence, change a bit the token distribution percentages), if this is the case, this will be announced before the token launching date (before December 20th).
  3. A combination of option 1 and 2.

The Future

Our focus is still the same: to achieve #Privacy, with good #Investments in a #Decentralized way. We are proud of our supportive and strong community and this issue won’t let us down.

The $CASH token launching is still on December 20th.

For now, the Anonymizing service is paused. Meanwhile, the protocol is going to be fixed and audited, in order to be re-launched soon. This will allow $CASH holders to earn returns without compromising anonymity and security.

We will continue the road to a Community-driven protocol, managed through governance by the $CASH token holders. Then, using the $CASH token, Avacash.Finance will be alive for ever as a Decentralized Autonomous Organization. Check our roadmap!

We have long term goals, and Avacash.Finance will continue to build and innovate. We will learn from this exploit and use it as an opportunity to further strengthen the Avacash.Finance protocol. While this is certainly a setback, we remain driven in our mission to bring private investments, fulfilling the financial needs of individuals.

Sincerely,
The Avacash.Finance Team

--

--

Avacash.Finance
Avacash.Finance

Written by Avacash.Finance

332 Followers
4 Following

Did you know that your entire Avalanche transaction history is public by default? Avacash.Finance invest your assets in DeFi protocols with 100% anonymity!

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams