Avacash.Finance exploit: 640 AVAX stolen post-mortem.
Dear Avacash.Finance Community.
First of all, we thank the Avacash.Finance community for all the support through this process. We are proud of our strong community.
On December 10th 2021, a community member alerted the team that he/she was not able to execute a withdrawal on the Avacash.Finance platform. As soon as the message arrived, our team checked our systems and smart contracts and found that the 10 AVAX and 100 AVAX anonymity pools had been drained by an attacker.
Avacash.Finance has been live since September 10th, and in those 3 months it has allowed users to anonymize up to 3730 AVAX. The team is confident in the project, and we still believe that Avacash.Finance is and will continue to be a major actor in the Avalanche ecosystem. Investments should be private and secure. However, smart contracts do not come without risk.
In this article we explain exactly what happened and what the next steps will be to compensate our community and move forward.
NOTE: The $CASH token launch date won't change. It is still December 20th 2021. This incident won't hold us back.
Starting on Dec-08-2021 03:53:22 PM +UTC, an attacker created several smart contracts and executed several transactions in order to steal 500 AVAX from the 100 AVAX Anonymity Pool and 140 AVAX from the 10 AVAX Anonymity Pool.
In summary, for each pool, the attacker:
- Used the flashloan feature to borrow an amount equal to the pool denomination (e.g. 100 AVAX).
(Example of the first attack: https://snowtrace.io/address/0x35497a871810cb56b65b093723c21eebeda21572)
- While the flashloan was still in progress, made a deposit of the same amount (e.g. 10 AVAX). This made the flashloan provider pass its security check (initial balance = final balance), since the deposited funds counted as repayment of the loan while also creating a valid deposit note.
- In a second transaction, made a withdrawal using the secret note of the deposit made in step 2.
For every repetition of steps 1, 2 and 3, the attacker was able to steal the Anonymity Pool denomination (e.g. 100 AVAX).
The attacker repeated this 5 times on the 100 AVAX Anonymity Pool, stealing 500 AVAX from that pool, and 14 times on the 10 AVAX Anonymity Pool, stealing 140 AVAX. The total amount of affected assets was 640 AVAX.
Finally, the attacker sold those AVAX for roughly $57,409 USDT.e on Pangolin, moved them through the Avalanche-Ethereum bridge to his/her Ethereum account, and finally sent them to Binance.
AVAX to USDT.e Swap transaction:
Note: The attacker swapped 740 AVAX; however, only 640 were from Avacash.Finance pools.
Avalanche-Ethereum bridge USDT.e transaction:
How was this possible?
This attack was possible due to a well-known class of vulnerability called a "reentrancy attack". Avacash.Finance's flashloan feature was protected against this type of attack using a "reentrancy guard" (also called a "reentrancy lock"). However, the team's mistake was not to apply this lock/guard to the deposit/withdrawal functions of the anonymity pools as well, because the team did not want to change the original TornadoCash code.
As a team, we are very sorry for this mistake. Because we believe in the Avacash.Finance project and roadmap, we are committed to carrying out an asset recovery mission and to executing a compensation program.
Asset recovery mission.
The attacker was very smart in identifying the attack vector. However, he/she left a lot of traces, especially while cashing out.
After the attacker moved the assets to Ethereum, he/she sent the stolen USDT to the Binance exchange, using the following Binance "temporary address": https://etherscan.io/address/0x6cd62342f66c78b98ee7e7c22197b44f7f5050aa
The same address is used on several blockchains, especially BSC, where it is very likely that the attacker also uses this address.
We are asking the community to help us contact the attacker in order to refund the stolen assets. If you manage to make the attacker give back the funds, you can keep 10% (USD 5,700).
We believe in Avacash.Finance, and we are committed to continuing our mission. Hence, we think it is fair that our affected users are compensated in the best way possible.
The Avacash.Finance team will create a compensation program in the coming weeks. Please be patient; the date will depend on how the asset recovery mission goes.
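The following is an added illustration, not Avacash.Finance's or TornadoCash's code, of the fix described above for the three-step pattern summarised earlier: one reentrancy lock shared by deposit, withdraw and flashLoan, so that no deposit or withdrawal can execute while a flash loan is outstanding. The pool is deliberately simplified (the Merkle tree and zk-SNARK verifier of a real Tornado-style pool are left to a subclass via the assumed _verifyProof hook, and IFlashLoanReceiver is a hypothetical callback interface, not Avacash's).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical borrower callback (assumption for this example, not Avacash's interface).
interface IFlashLoanReceiver {
    function executeOperation(uint256 amount) external payable;
}

// Simplified fixed-denomination pool. Only the locking logic is illustrated;
// the real proof verification is deferred to _verifyProof in a subclass.
abstract contract GuardedPoolExample {
    uint256 public immutable denomination;
    mapping(bytes32 => bool) public commitments;     // deposit notes
    mapping(bytes32 => bool) public nullifierHashes; // spent notes

    // One lock for the whole contract. In the incident described in this post
    // the flashloan had a guard but deposit/withdraw did not, so a deposit
    // could run inside the flashloan callback. Here all three share the lock.
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(uint256 _denomination) {
        denomination = _denomination;
    }

    // Plain value transfers (how a flashloan is repaid) raise the balance but
    // do not create a note, unlike deposit().
    receive() external payable {}

    function deposit(bytes32 commitment) external payable nonReentrant {
        require(msg.value == denomination, "must send exact denomination");
        require(!commitments[commitment], "commitment already submitted");
        commitments[commitment] = true;
    }

    function withdraw(address payable recipient, bytes32 nullifierHash, bytes calldata proof)
        external
        nonReentrant
    {
        require(!nullifierHashes[nullifierHash], "note already spent");
        require(_verifyProof(nullifierHash, proof), "invalid proof");
        nullifierHashes[nullifierHash] = true; // mark spent before paying out
        (bool ok, ) = recipient.call{value: denomination}("");
        require(ok, "payment failed");
    }

    function flashLoan(uint256 amount) external nonReentrant {
        uint256 balanceBefore = address(this).balance;
        require(amount <= balanceBefore, "insufficient liquidity");

        // The lock is held during the callback: any deposit() or withdraw()
        // call from the borrower reverts, so the only way to satisfy the check
        // below is a plain repayment via receive(), which mints no note.
        IFlashLoanReceiver(msg.sender).executeOperation{value: amount}(amount);

        require(address(this).balance >= balanceBefore, "flashloan not repaid");
    }

    // Hook for the real zk proof verifier (assumed, to be provided by a subclass).
    function _verifyProof(bytes32 nullifierHash, bytes calldata proof)
        internal
        view
        virtual
        returns (bool);
}
```

The design point is that the guard must be a single flag covering every state-changing entry point of the pool; a lock on flashLoan alone only prevents nested flash loans, and a separate lock per function would still allow a deposit during the loan. A balance-before/balance-after check cannot by itself tell a genuine repayment apart from a deposit that also creates a withdrawable note, which is why the lock, not the balance comparison, is what closes this gap. In production the hand-written modifier above would normally be replaced by OpenZeppelin's ReentrancyGuard, which implements the same shared-lock semantics.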
Who will be eligible?
Everyone who holds an unspent note from the 10 or 100 AVAX Anonymity Pool is eligible to participate in the compensation program. Be aware that the team is not able to check, verify or know the affected users' addresses. The team will program a special smart contract, where you will need to sign with a proof generated from your note (as for an anonymous withdrawal). Please keep your notes and don't share them with anyone. The team won't ask for the notes.
How will I be compensated?
The different options are:
- If the asset recovery mission succeeds, we will refund your stolen assets.
- Compensation with $CASH tokens (which would slightly change the token distribution percentages). If this is the case, it will be announced before the token launch date (before December 20th).
- A combination of options 1 and 2.
Our focus is still the same: to achieve #Privacy, with good #Investments in a #Decentralized way. We are proud of our supportive and strong community, and this issue won't hold us back.
The $CASH token launch is still on December 20th.
For now, the anonymizing service is paused. Meanwhile, the protocol will be fixed and audited in order to be relaunched soon. This will allow $CASH holders to earn returns without compromising anonymity and security.
We will continue the road to a community-driven protocol, managed through governance by the $CASH token holders. Then, using the $CASH token, Avacash.Finance will live on forever as a Decentralized Autonomous Organization. Check our roadmap!
We have long term goals, and Avacash.Finance will continue to build and innovate. We will learn from this exploit and use it as an opportunity to further strengthen the Avacash.Finance protocol. While this is certainly a setback, we remain driven in our mission to bring private investments, fulfilling the financial needs of individuals.
The Avacash.Finance Team