Jul 10, 2022
Post-mortem: BiFi-BTC illegal address registration
Overview
In developing all our services, we have always prioritized and valued the trust of our community members. Thus, we are deeply sorry to share the news about the unfortunate incident relating to the attack on BiFi.
It has come to our attention that there was an attack on the BTC address registration server of our BiFi service. The BiFi Team has successfully removed all systems that were used for the attack. In order to safeguard BiFi from potential attacks, we have temporarily suspended the native Bitcoin lending service on BiFi. The service will gradually resume once we verify that all components are secure. The BIFROST Foundation will compensate for all losses caused by the recent incident and ensure that there are no further issues. All BiFi services, except for BTC lending, are operating without any issues.
Based on our analysis, the attack was limited to the BTC address registration server, and no vulnerabilities have been detected in both the smart contracts and the BiFi protocol. The BiFi Team has currently removed all sensitive data that might be breached. Thus, the security audit by Theori on the BiFi components is still valid. No user records have been illegally modified and all assets are being securely monitored. Please rest assured that we are currently working with leading security firms to analyze problems, seek better solutions and ultimately prevent potential threats to our protocol.
Event Analysis
BiFi issues and uses an address for each user who deposits BTC. The deposit addresses are signed and delivered to the address issuing server and the addresses are reflected on BiFi only in the case when the signature is verified. In the attack, the server key of the address issuing server was exposed and the attacker was able to self-sign their own deposit address. Since the attacker could generate a valid signature on the deposit address, BiFi mistakenly recognized the attacker’s BTC transfer as a BTC deposit into BiFi. As a result, the attacker was able to borrow 1,852 ETH with fake deposit.
Attacker Information
eth-address: 0x282971deD7D0B8C5b0358EbEbe3B2bC6A24a6b10
btc-address:
- address:
bc1qmgh7w47myz7kt7x34zqlr5azck7u8j8ewg3u2j - pubkey hash:
0xDa2fe757Db20Bd65F8D1a881F1D3a2C5BdC3c8F9
Timeline
- 2022. 07. 08 11:13 AM UTC: Attacker registered the deposit address into the BiFi BTC contract. (using the stolen key in the manipulated message)
Transaction
2. 2022. 07. 08 11:03 AM UTC: Attacker deposited 312 BTC to the manipulated BTC address. (this process occurred almost simultaneously with the previous process as there can be errors with the block timestamp of Bitcoin)
Transaction
3. 2022. 07. 0.8 11:34 AM UTC: Relayer detected the deposit and delivered the verified deposit history to BiFi.
Transaction
4. 2022. 07. 08 12:17 PM UTC: Relayer confirmation (BiBTC, a token representing BTC collateral, was minted and delivered to the attacker)
Transaction
5. 2022. 07. 08 1:35 PM UTC: Attacker borrowed 1,852 ETH
Transaction
- https://etherscan.io/tx/0x4b5d66871af64da0fd5ac448474235079ae0cb93db70366eed2808ca56dfcf76
- ETH borrowing occurred after 340 Ethereum blocks on BTC deposit
Measures Taken
We have deleted all information related to the exposed key and newly set the key. We have set restrictions to prevent any identical or similar attacks from the same attacker. Additionally, our team is currently analyzing the details of the incident and migrating to a new environment to prevent the attack from reoccurring. The BIFROST Foundation will cover all losses caused by this recent attack and will ensure that there are no further inconveniences in using our services.
We are working with other authorities and services to track down the attacker and gather the attacker’s information. We will not take legal action if the attacker returns 90% of the stolen funds. We will work closely with the authorities until the attacker returns the funds.
