On November 2nd, Axion Network launched its new token, AXN. The project touted the asset as a new investment vehicle, claiming it was the most profitable blockchain project of its kind to date. In the run-up to the AXN airdrop, five separate teams reportedly reviewed the token's code, among them industry favourites CertiK and Hacken.
Still, a few hours after the airdrop event, it was clear that something had gone wrong. An unauthorized actor unexpectedly minted 79 billion AXN and dumped it on the market. The price fell by more than 99%, and the attacker walked away with a whopping 1,300 ETH, roughly $500,000 at the time of writing.
In the hours that followed, the team behind the Axion project urged participants to refrain from trading or otherwise interacting with the asset, explaining via the project's official Telegram channel:
“Don’t buy AXN now, don’t interact with the board.”
The Axion Network Twitter account continued to post updates, including this one:
We are still here.
All AXN / HEX2T holders at the time of the exploit will be credited.
We will also set up a liquidity rewards portal to help rebuild liquidity.
We’re working hard to restart AXN as soon as possible.
– Axion (@axion_network) November 2, 2020
Beyond these assurances, CertiK has stepped up to give the community a clearer explanation of the bug and an idea of how similar attacks could be prevented in the future. Cointelegraph reached out by email to “Jack Durden”, who was described to us as the CEO of Axion Network, but did not receive an immediate response. No team members are listed in the project's white paper or on its website, and “Jack Durden” happens to be the name of the unseen narrator of the film Fight Club.
Note that the rest of this article is reproduced verbatim courtesy of CertiK, as a public service to help readers understand the audit team's findings. Cointelegraph has not reviewed the code, and the views expressed below are those of CertiK alone.
CertiK Staff Report: The Axion Price Crash
On November 2nd, 2020, at approximately 11:00 a.m. UTC, a hacker was able to mint around 80 billion AXN tokens using the unstake function of the Axion staking contract.
The hacker then sold the AXN tokens for ether on Uniswap and repeated the process until the Uniswap pool was drained and the token price had fallen to 0.
The incident was reported to us within minutes of the attack, and our security analysts immediately began assessing the situation.
We have concluded that the attack was most likely planned from within and involved an injection of malicious code at deployment time, modifying the code of the OpenZeppelin dependencies.
The exploited function was not part of the audit we conducted: it was added after the Axion code had been “flattened” together with the OpenZeppelin code, by pasting it into the OpenZeppelin code before release.
Planning the attack
The hacker used the Tornado.Cash anonymizing service the day before the attack, suggesting a premeditated attack. Presumably to save funds in case the attack failed, 2.1 ETH was returned to Tornado.Cash immediately after the funds were received.
To complete the preparation, the hacker bought around 700,000 HEX2T tokens on Uniswap. However, these funds were ultimately not used in the attack and served as a smokescreen while the attack was being set up.
The hacker began carrying out the attack by creating an “empty” stake in the Axion Network staking contract, calling the stake function with an amount of 0 and a duration of 1 day at approximately 09:00 a.m. UTC. This created a session entry for the attacker with an amount of 0 and 0 shares under session ID 6.
The attacker then approved an unlimited amount of AXN for the Uniswap exchange, anticipating that the plan would succeed. Likewise, they approved Axion’s NativeSwap contract for the amount they intended to convert into AXN tokens.
The NativeSwap contract's deposit function was called at around 10:00 a.m. UTC; however, the hacker never called the contract's withdraw function to claim the swapped AXN, as NativeSwap's swapTokenBalanceOf shows. After that, they did not call the deposit function again before carrying out the attack.
Executing the attack
These transactions were merely smokescreens for how the unstake attack was actually carried out. Since none of the transactions executed by the attacker altered the session mapping data, we concluded that this was a multi-stage attack.
We examined the contract source code in the GitHub repository that was shared with us to identify a bug that would affect the session data mapping.
We could not find any assignment to the mapping or its members outside the normal operational functions, which led us to question whether the contracts deployed on-chain were the ones we had reviewed.
After analyzing the source code of the staking contract that was provided, we found a code injection in the OpenZeppelin AccessControl library between lines 665 and 671 of the provided staking contract source. The injected checkRole function is not part of the OpenZeppelin v3.0.1 implementation, which was listed as a dependency in the project’s GitHub repository.
The following assembly block is located in the checkRole function:
This function allows a particular address to perform arbitrary writes to the contract's storage, based on the input variables it is supplied with, via low-level calls. With comments, the assembly block would look like this:
This function was injected at deployment time, as it is not present in the OpenZeppelin AccessControl implementation, which means that members of the Axion Network team involved in deploying the token acted maliciously.
The attack used code that was deliberately inserted before the protocol launched. This incident has nothing to do with the audits carried out by CertiK, and the party responsible for the attack appears to have been someone involved in deploying the Axion Network contracts.
As an additional layer of security, audit reports should be standardized to include the addresses of the deployed smart contracts whose verified source code matches that of the audited codebase.
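The two checks this recommendation implies, and the injection pattern described above (a function smuggled into a flattened copy of a vendored OpenZeppelin contract), can be scripted. The following is an added example, not CertiK's tooling and not Axion's code: it hashes the audited and deployed flattened sources to see whether they match, then compares each dependency contract in the deployed file against the pinned upstream version and reports any function that was added, noting whether it contains inline assembly. The Solidity snippets embedded below are constructed stand-ins (a heavily simplified AccessControl, a stub staking contract, and a hypothetical checkRole backdoor); the real OpenZeppelin source and the real injected function are not reproduced here.

```python
"""Compare a flattened, deployed Solidity source against the audited copy and
against the pinned upstream dependency it claims to vendor, flagging functions
that were added to a dependency contract.
Added example, not CertiK tooling or Axion code; all inputs below are constructed."""
import hashlib
import re

FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_$][A-Za-z0-9_$]*)\s*\(")
# Contract header; requiring `is` or `{` after the name keeps the word
# "contract" inside an ordinary comment from matching.
CONTRACT_RE = re.compile(
    r"\b(?:abstract\s+)?(?:contract|library|interface)\s+"
    r"([A-Za-z_$][A-Za-z0-9_$]*)\s*(?:is\b|\{)"
)


def _block_end(source, open_idx):
    """Index just past the '}' that matches the '{' at open_idx."""
    depth = 0
    for j in range(open_idx, len(source)):
        if source[j] == "{":
            depth += 1
        elif source[j] == "}":
            depth -= 1
            if depth == 0:
                return j + 1
    return len(source)


def contract_sections(source):
    """Map each contract name in a flattened file to its full source text."""
    sections = {}
    for m in CONTRACT_RE.finditer(source):
        open_idx = source.index("{", m.end() - 1)  # m.end()-1 is '{' itself if it ended the match
        sections[m.group(1)] = source[m.start():_block_end(source, open_idx)]
    return sections


def function_names(section):
    return set(FUNC_RE.findall(section))


def function_source(section, name):
    """Text of one function, from `function` to its matching '}' (or ';')."""
    m = re.search(r"\bfunction\s+%s\s*\(" % re.escape(name), section)
    if m is None:
        return ""
    semi = section.find(";", m.end())
    brace = section.find("{", m.end())
    if brace == -1 or (semi != -1 and semi < brace):
        return section[m.start():semi + 1]  # body-less declaration
    return section[m.start():_block_end(section, brace)]


def source_hash(source):
    """Hash with line endings normalised, so CRLF/LF noise cannot hide a real diff."""
    return hashlib.sha256(source.replace("\r\n", "\n").strip().encode()).hexdigest()


def injected_functions(flattened, upstream):
    """For each contract the upstream dependency defines, list functions the
    flattened copy adds to it and whether each one uses inline assembly.
    Returns {contract: {function: uses_assembly}}, omitting clean contracts."""
    deployed = contract_sections(flattened)
    findings = {}
    for name, up_section in contract_sections(upstream).items():
        if name not in deployed:
            continue
        extra = function_names(deployed[name]) - function_names(up_section)
        if extra:
            findings[name] = {
                fn: "assembly" in function_source(deployed[name], fn)
                for fn in sorted(extra)
            }
    return findings


def verify_deployment(audited, deployed, upstream):
    """Deployed source identical to the audited one, and nothing smuggled into
    the vendored dependency contracts."""
    return {
        "matches_audited_source": source_hash(audited) == source_hash(deployed),
        "injected": injected_functions(deployed, upstream),
    }


# Constructed, heavily simplified stand-in for the pinned AccessControl
# dependency (not the real OpenZeppelin file; only names and layout matter here).
UPSTREAM = """
abstract contract AccessControl is Context {
    function hasRole(bytes32 role, address account) public view returns (bool) {}
    function getRoleAdmin(bytes32 role) public view returns (bytes32) {}
    function grantRole(bytes32 role, address account) public virtual {}
    function revokeRole(bytes32 role, address account) public virtual {}
    function renounceRole(bytes32 role, address account) public virtual {}
    function _setupRole(bytes32 role, address account) internal virtual {}
}
"""
# Constructed stub of the project's own staking code, as an auditor would see it.
STAKING = """
contract Staking is AccessControl {
    function stake(uint256 amount, uint256 stakingDays) external {}
    function unstake(uint256 sessionId) external {}
}
"""
AUDITED = UPSTREAM + STAKING
# Hypothetical backdoor of the shape the report describes: an inline-assembly
# write to an arbitrary storage slot, pasted into the dependency. Not Axion's code.
BACKDOOR = """    function checkRole(bytes32, address, uint256 slot, uint256 value) internal {
        assembly { sstore(slot, value) }  // write any storage slot (hypothetical)
    }
"""
DEPLOYED = UPSTREAM.replace("    function _setupRole", BACKDOOR + "    function _setupRole") + STAKING

if __name__ == "__main__":
    print(verify_deployment(AUDITED, DEPLOYED, UPSTREAM))
```

The regexes are a heuristic, not a Solidity parser: they do not strip comments or strings, and a name match says nothing about a changed function body, which is why the source hash comparison is kept as the first gate. In a real pipeline the "deployed" input would be the source verified on the block explorer for the addresses named in the audit report, and the "upstream" input the exact dependency version pinned in the repository.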
CertiK's Security Oracle serves as an on-chain security intelligence relay, performing security checks that include verifying deployed smart contracts against their audited, verified versions.