Post-mortem: BiFi-BTC illegal address registration


It has come to our attention that there was an attack on the BTC address registration server of our BiFi service. The BiFi Team has successfully removed all systems that were used for the attack. In order to safeguard BiFi from potential attacks, we have temporarily suspended the native Bitcoin lending service on BiFi. The service will gradually resume once we verify that all components are secure. The BIFROST Foundation will compensate for all losses caused by the recent incident and ensure that there are no further issues. All BiFi services, except for BTC lending, are operating without any issues.

Based on our analysis, the attack was limited to the BTC address registration server, and no vulnerabilities have been detected in both the smart contracts and the BiFi protocol. The BiFi Team has currently removed all sensitive data that might be breached. Thus, the security audit by Theori on the BiFi components is still valid. No user records have been illegally modified and all assets are being securely monitored. Please rest assured that we are currently working with leading security firms to analyze problems, seek better solutions and ultimately prevent potential threats to our protocol.

Event Analysis

Attacker Information


  • address:bc1qmgh7w47myz7kt7x34zqlr5azck7u8j8ewg3u2j
  • pubkey hash: 0xDa2fe757Db20Bd65F8D1a881F1D3a2C5BdC3c8F9


  1. 2022. 07. 08 11:13 AM UTC: Attacker registered the deposit address into the BiFi BTC contract. (using the stolen key in the manipulated message)


2. 2022. 07. 08 11:03 AM UTC: Attacker deposited 312 BTC to the manipulated BTC address. (this process occurred almost simultaneously with the previous process as there can be errors with the block timestamp of Bitcoin)


3. 2022. 07. 0.8 11:34 AM UTC: Relayer detected the deposit and delivered the verified deposit history to BiFi.


4. 2022. 07. 08 12:17 PM UTC: Relayer confirmation (BiBTC, a token representing BTC collateral, was minted and delivered to the attacker)


5. 2022. 07. 08 1:35 PM UTC: Attacker borrowed 1,852 ETH


Measures Taken

We are working with other authorities and services to track down the attacker and gather the attacker’s information. We will not take legal action if the attacker returns 90% of the stolen funds. We will work closely with the authorities until the attacker returns the funds.



Universal Multichain Middleware for DApps:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store