Exploits regularly plague the blockchain industry and DeFi protocols like never before. Almost every day that goes by is another horror story about a well-known protocol being drained by hackers through an exploit that could have been caught in advance. Even worse is the impact the news could have on the affected cryptocurrency community, which could crash in value and lose valuable support.
This is exactly why a critical vulnerability and an anonymous white hat tipter recently captivated the crypto community and sparked a widespread public inquiry on Twitter among top blockchain developers. But who exactly was behind the discovery that saved the cryptocurrency industry over $650 million in total value?
Here are the details of the incident and how it sparked a widespread search for the blockchain security audit firm behind the discovery. We will also reveal exactly who the heroes are.
Why Crypto Twitter Launched an Investigation of an Anonymous Tipster
Emerging technologies are subject to rigorous stress testing using the public as beta testers. While more often than not the development team has the purest of intentions, even the tiniest vulnerability can be exploited, leaving no stone unturned when it comes to clean and secure code.
Yet it is impossible to read the headlines of crypto media without encountering story after story of millions of dollars lost in moments. Affected projects may struggle to recover, and the community suffers as a result. Developers are usually stuck delivering the bad news to the community about exactly what happened and why, then begrudgingly receive the backlash and fallout.
But a recent example that was trending on Twitter was one of the rare happy endings that has captured the heart of the crypto community. An anonymous tipster has saved several top crypto protocols — such as Avalanche (AVAX), Abracadabra (MIM), SushiSwap (SUSHI), and others — as much as half a billion dollars in value.
White Hat Discovery Leads to Over $650 Million in Cryptocurrency Savings
Estimated damage and potential casualties include Avalanche at approximately $350 million; Abracadabra for approximately $300 million in MIM tokens and an additional $3 million in user funds; Nereus Finance with nearly $60 million worth of NXUSD tokens; and about $100K in funds from SUSHI loans. There is also an unknown impact regarding the Boba network.
Given the massive amount of money kept safe, developers of the affected protocols took to Twitter to track down the anonymous tipster who sent their discovery to ImmuneFi. It started with SushiSwap core developer Matthew Lilley tweeting about the topic and getting the research trending.
Kashi Markets on Avalanche were hacked after the discovery of an attack vector introduced by the Native Asset Call precompile on Avalanche. Sushi team was able to validate the report, which was submitted by a whitehacker on @immune, by creating a simple PoC. 1/6
— I’m Software 🦇🔊 (@MatthewLilley) September 8, 2022
In the hours that followed, a domino effect from developers began to emerge, exposing the vulnerability and working on an immediate fix.
We have been notified of a potential vulnerability on our Avalanche boilers.
No user funds were lost, the vulnerability has now been patched and all collateral is secured.
📖 Read more about our autopsy here👇🏻https://t.co/2HSvPkugEs
— ️ (@MIM_Spell) September 8, 2022
Avalanche, Abracadabra and others come forward with the humble hero
It wasn’t until today when Patrick O’Grady, chief of engineering at Ava Labs, took to Twitter to express his gratitude to Statemind, which later emerged as the blockchain security firm to discover the vulnerability at scale.
👀👀@statemindio emerged as the anonymous whitehat who tipped off the teams involved: https://t.co/MmG4hkkad7
Thanks again for all your work to let the community know about the issue!
— Patrick “The Crane” O’Grady 🔺 (@_patrickogrady) September 8, 2022
The official Abracadabra Twitter account also expressed deep thanks for drawing attention to the critical vulnerability and for saving the crypto community from yet another horror story.
We would like to thank the accounting firm @statemindio for reporting the vulnerability mentioned in our latest announcement.
Thanks to their report, we managed to secure all funds and cooperate with @valancheavax to patch the vulnerability!🔥
— ️ (@MIM_Spell) September 8, 2022
The vulnerabilities were fixed in record time. Both Avalanche and Abracadabra have shared a post mortem on the situation. Other affected blockchains are likely to follow suit and provide transparency to the community at large.
Who is the team behind the White Hat Heroics?
Who exactly is the team behind the discovery? We hooked up with a blogger who also works with the company to find out more.
savings of $3 million in user funds and 300 million $MIM Coins
if you are a cryptojournalist looking for comments/exclusive details of the team that found the exploit let me know 🙂 https://t.co/3B8axWjYqS
— notEezzy 🧸 (@notEezzy) September 8, 2022
Blockchain security audit firm Statemind has reviewed the code of ten top blockchain protocols looking for custom precompilations that could be potentially dangerous. Past experience, the blockchain audit firm explained, has shown that custom precompilations in the right environment can become increasingly dangerous.
According to the research, Avalanche and others had a precompilation “that allowed routing random calls through the precompilation that forwarded msg.sender.” For some protocols, that meant anyone could call on behalf of the protocol’s contract.
Statemind.io is a leading blockchain security auditing company with over 100,000 LoC of Solidity and Vyper experience. This extensive experience has resulted in more than $10 billion worth of TVL being secured and the company placed 14th in the Paradigm CTF 2022. Thanks to Statemind, all “funds are SAFU” and the cryptocurrency industry has a new white hat- hero.