On November 2, the Axion Community launched its new token, generally known as AXN. The mission touted the asset as a brand new funding automobile, claiming that it will be probably the most worthwhile blockchain of its variety up to now. Through the interim lead as much as AXN’s airdrop, 5 separate groups allegedly examined the token’s code; trade darlings akin to CertiK and Hacken have been amongst those that performed the audits.
A couple of quick hours after the protocol’s freeclaim occasion, nonetheless, it turned clear that one thing had gone awry. An unauthorized actor unexpectedly minted 79 billion AXN and unloaded them in the marketplace. The value collapsed in extra of 99%, netting the attackers a cool 1300 ETH — value an estimated $500Ok at time of publication.
Within the hours that adopted, the workforce behind the Axion mission inspired members avoid trading or interacting with the asset, stating through the platform’s official telegram channel:
“Don’t purchase AXN proper now, don’t work together with the dashboard,”
The Axion Community’s Twitter account continued to publish updates, together with that:
We’re nonetheless right here.
All of the AXN/HEX2T individuals have been holding on the time of the exploit will likely be credited.
We’ll launch a liquidity reward portal to construct the liquidity again up as nicely.
We’re working arduous to relaunch AXN as quickly as potential.
— Axion (@axion_network) November 2, 2020
Regardless of these reassurances, CertiK is stepping ahead to supply the group a clearer rationalization of what they understand to have gone improper, and insights into how related assaults may very well be prevented in future. Cointelegraph reached out through e-mail to “Jack Durden” who was described to us because the CEO of the Axion Community, however acquired no instant response. No workforce members are listed within the mission’s white paper or on the web site, and the identify “Jack Durden” is shared with the unseen narrator from the film Struggle Membership.
Word that the rest of this text is reproduced word-for-word, courtesy of CertiK, as a public service to coach readers on the audit workforce’s understanding of what occurred. Cointelegraph has not audited the code and the views acknowledged hereafter are subsequently completely these of CertiK.
CertiK workers report on the Axion worth crash
On the 2nd of November 2020 at approximately 11:00 AM +UTC a hacker managed to mint round ~80 billion AXN tokens by using the unstake perform of the Axion Staking contract.
The hacker proceeded to then dump the tokens on the AXN Uniswap trade for Ether, repeating this course of till the Uniswap trade was drained and the token worth was pushed to 0.
We have been knowledgeable of the incident inside a couple of minutes of the assault occuring and our safety analysts started assessing the scenario instantly.
We now have concluded that the assault was seemingly deliberate from the within, involving an injection of malicious code on the time the code was deployed by altering code from OpenZeppelin dependencies.
The exploited perform was not a part of the audit we performed because it was added after becoming a member of collectively Axion’s code with OpenZeppelin’s code through “flattening” and injecting it inside OpenZeppelin’s code previous to deployment.
The hacker used nameless funds procured from tornado.cash the day before the hack occured, hinting at a pre-meditated assault. Presumably to avoid wasting funds in case the assault fails, 2.1 Ether have been re-circulated in twister.money proper after the account acquired the funds.
To finalize the assault setup, the hacker bought round ~700k HEX2T tokens from the Uniswap trade. Nevertheless, these funds have been in the end not a part of the assault and served as a smokescreen close to how the assault unfolded.
The hacker started their method in direction of actuating their assault by creating an “empty” stake on the Staking contract of the Axion Community by invoking the stake perform with a Zero quantity and 1 day stake length at approximately 09:00 AM +UTC. This created a Session entry for the attacker with a Zero quantity and Zero shares worth at session ID 6.
Afterwards, the attacker pre-approved an infinite quantity of AXN to the Uniswap trade in anticipation of their assault succeeding. Consequently, they authorized the NativeSwap contract of Axion for the quantity of funds they meant to transform to AXN tokens.
They invoked the deposit perform of the NativeSwap contract at approximately 10:00 AM +UTC, nonetheless the hacker by no means referred to as the withdraw perform of the contract to assert his swapped AXN as evident on the NativeSwap contract’s swapTokenBalanceOf perform. Afterwards, they made another failed deposit perform name earlier than executing the assault.
These transactions have been merely smokescreens for a way the unstake assault was truly carried out. Because the transactions that the attacker performed resulted in no change to the sessionDataOf mapping, we concluded that this was a multi-address assault.
We investigated the supply code of the contract’s on the GitHub repository that had been shared with us to establish a flaw that will trigger the sessionDataOf mapping to be affected.
We have been unable to detect any assignments to it or members of it outdoors the stake capabilities which prompted us to query whether or not the deployment of the contracts was performed correctly.
After analyzing the supply code of the deployed Staking contract, we pinpointed a code injection within the AccessControl OpenZeppelin library between L665-L671 of the deployed source code of the Staking contract. The linked checkRole perform shouldn’t be a part of the OpenZeppelin v3.0.1 implementation, which was listed as a dependency within the mission’s GitHub repository.
Throughout the checkRole perform, the next meeting block exists:
This explicit perform permits a selected tackle to conduct an arbitrary write to the contract based mostly on the enter variables it dietary supplements through low-level calls. Annotated, the meeting block would appear to be this:
This perform was injected at deployment because it doesn’t exist within the OpenZeppelin AccessControl implementation, which means that the members of the Axion Community that have been concerned with deploying the token acted maliciously.
The assault utilized code that was intentionally injected previous to the protocol’s deployment. This incident bears no relation to the audits performed by CertiK and the celebration accountable for the assault was an individual that gave the impression to be concerned with the deployment of the Axion Community contracts.
As a further diploma of safety, audit studies ought to standardise to incorporate deployed sensible contract addresses whose supply code has been verified to be the identical because the one which was audited.
The Security Oracle serves as an on-chain relayer of safety intelligence, conducting safety checks which embody the verification of deployed sensible contracts to match the audited variations.