Exploits have been regularly plaguing the blockchain industry and DeFi protocols like never before. Nearly each passing day there is another horror story of a well-known protocol being drained of funds by hackers through an exploit that could have been caught in advance. Even worse is the impact the news can have on the community of the impacted cryptocurrency, which can crash in value and lose valuable support.
This is exactly why a critical vulnerability and an anonymous white hat tipster captivated the crypto community recently and led to a widespread public investigation on Twitter between top blockchain developers. But who exactly was behind the discovery that saved the cryptocurrency industry a combined more than $350 million in value?
Here are the details of the incident and how it spiraled into a widespread search for the blockchain security auditing firm behind the discovery. We’ll also reveal exactly who the heroes are.
Why Crypto Twitter Launched An Investigation Into An Anonymous Tipster
Emerging technologies are put through rigorous stress tests using the public as the beta testers. Although more often than not the development team has the purest intentions, even the tiniest vulnerability can be exploited so no stones can be left unturned when it comes to clean and secure code.
Yet it is impossible to read crypto media headlines without stumbling upon story after story of millions of dollars lost in a matter of moments. Affected projects can struggle to recover, and the community suffers as a result. Developers are usually stuck delivering the bad news to the community about what exactly happened and why, and then reluctantly receiving the backlash and fallout.
But a recent example that was trending on Twitter was one of the rare happy endings that has captured the heart of the crypto community. An anonymous tipster saved several top crypto protocols — such as Avalanche (AVAX), Abracadabra (MIM), SushiSwap (SUSHI), and others — as much as $350M+ in value.
White Hat Discovery Leads To More Than $350M In Cryptocurrency Saved
Estimated damages and would-be victims include Avalanche at roughly $350M; Abracadabra at around $300M worth of MIM tokens and an additional $3M in user funds; Nereus Finance with nearly $60M in NXUSD tokens; and roughly $100K in funds from SUSHI lending. There is also an unknown impact related to the Boba Network.
Given the enormous amount of funds kept safe, developers of the affected protocols took to Twitter in search of the anonymous tipster who sent their discovery to ImmuneFi. It began with SushiSwap core dev Matthew Lilley, who tweeted on the topic and got the investigation trending.
Kashi Markets on Avalanche were whitehacked following the discovery of an attack vector introduced by the Native Asset Call precompile on Avalanche. Sushi team was able to validate the report, which was submitted by a whitehacker on @immunefi, by crafting a simple PoC. 1/6
— I'm Software 🦇🔊 (@MatthewLilley) September 8, 2022
In the hours following, a domino-effect of developers began to come forward and reveal the vulnerability and work on an immediate fix.
1/🧙🏼♂️!
We have been notified of a possible vulnerability on our Avalanche cauldrons.
No user funds have been lost, the vulnerability is now patched and all collateral has been secured.
📖 Read more about our post mortem here👇🏻https://t.co/2HSvPkugEs
— 🧙🏼♂️ (@MIM_Spell) September 8, 2022
Avalanche, Abracadabra, And Others Come Forward With The Humble Hero
It wasn’t until just today when Ava Labs Head of Engineering Patrick O’Grady took to Twitter to express thanks to Statemind, which later stepped forward as the blockchain security firm to discover the vulnerability widely.
👀👀@statemindio came forward as the anonymous whitehat who tipped off the teams involved: https://t.co/MmG4hkkad7
Thanks again for all your work to alert the community of the issue! 🫡
— Patrick O'Grady 🔺 (@_patrickogrady) September 8, 2022
The official Abracadabra Twitter account also expressed their deep thanks for calling attention to the critical vulnerability and saving the crypto community for yet another horror story.
🧙🏼♂️!
We would like to deeply thank the auditing firm @statemindio for reporting the vulnerability mentioned in our latest announcement. 🔮
Thanks to their report we have managed to secure all the funds and work together with @avalancheavax to patch the vulnerability!🔥
— 🧙🏼♂️ (@MIM_Spell) September 8, 2022
The vulnerabilities were fixed in record time. Both Avalanche and Abracadabra have shared a post mortem on the situation. Other affected blockchains are likely to follow and provide transparency to the community at large.
Who Is The Team Behind The White Hat Heroics?
Who exactly is the team behind the discovery? We were in touch with a blogger who also works with the company to learn more.
I know the anonymous hackers that disclosed the exploit to @avalancheavax @MIM_Spell & @SushiSwap
saving $3m in user funds and 300m $MIM tokens
if you’re a crypto journalist looking for comments/exclusive details from the team that found the exploit let me know :) https://t.co/3B8axWjYqS
— notEezzy 🧸 (@notEezzy) September 8, 2022
Blockchain security auditing firm Statemind reviewed the code of ten top blockchain protocols in search of custom precompiles that could be potentially dangerous. Past experiences, the blockchain auditing firm explained, has shown that custom precompiles can be increasingly dangerous in the right environment.
According to the research, Avalanche and others had a precompile “that allowed for arbitrary calls to be routed through the precompile that relay msg.sender.” For some protocols, that meant that anyone could make calls on behalf of the protocol’s contract.
Statemind.io is a leading blockchain security auditing company with over 100,000 LoC of Solidity and Vyper experience. This vast experience has led to more than $10B in TVL secured and the firm placed in 14th in the Paradigm CTF 2022. Thanks to Statemind, all “funds are SAFU,” and the cryptocurrency industry has a new white hat hero.