Aergo Swap Incident Report (Updated-Final)

Han, Aergo blog, 3 min read, May 21, 2024

This incident report summarizes a transaction conducted through the Aergo Swap service, which was detected as suspicious by the Fraud Detection System (FDS). The report includes actions taken and the causes identified.

Summary:
7.7 million Aergo tokens were withdrawn via the Aergo Swap service. All transactions were processed normally, with precise amounts transferred between the Aergo and ERC vaults. The swap service has been temporarily halted by our threat detection system due to an unusually large volume of transactions. We are conducting a comprehensive review of all systems and will resume service once everything is verified.

*Both vaults and the bridge have not been compromised by any hacks and remain secure.

1. Details of the Incident
Beginning with block 19905987 at 07:11:59 on May 19, 2024 (UTC), a notably large transaction marked the start of suspicious activity. The total Aergo tokens withdrawn in these suspicious transactions amounted to 7,706,818.22.

2. Issues and Root Cause Analysis

  • The transactions were confirmed to have been made from the wallet “Am…Kp,” owned by an early Aergo investor (or investors).
  • This old multisig wallet has held tokens since the TGE and transfers funds through a Lua contract. Aergo Scan decompiles the contract bytecode, indexes the resulting information in Elasticsearch, and provides it to the FDS. A LuaJIT-related bug caused the decompile to fail, so the transfers were not properly reflected in Aergo Scan, which led the FDS to flag the transaction as suspicious.
  • In other words, the incorrect display of transaction data in Aergo Scan was caused by the failed decompile of the contract bytecode, and as a consequence the FDS was working from inaccurate transaction information.
  • Additionally, Aergo’s LuaJIT does not support logging of internal transactions, which can make fund transfers between contracts appear untraceable in Aergo Scan.
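
The failure mode above (a large withdrawal whose source of funds cannot be resolved because explorer enrichment is missing) is easy to conflate with fraud. The following is an added illustration, not Aergo's FDS code: a minimal rule that separates "provenance unknown" from "suspicious" so operators are pointed at the explorer first. Field names, the threshold, the allow-list and the sample transactions are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration, not Aergo's FDS. Threshold and allow-list are assumed;
# wallet addresses below are placeholders, not real Aergo accounts.
LARGE_WITHDRAWAL = 1_000_000.0                   # assumed alert threshold (Aergo tokens)
KNOWN_MULTISIGS = {"AmEXAMPLE_EARLY_INVESTOR"}    # placeholder for a vetted wallet

@dataclass
class SwapTx:
    tx_id: str
    sender: str
    amount: float
    decompiled_source: Optional[str]   # None when the explorer's decompile failed
    internal_txs_logged: bool          # False when contract-to-contract hops are invisible

def classify(tx: SwapTx) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: normal, suspicious, data_gap."""
    provenance_known = tx.decompiled_source is not None and tx.internal_txs_logged
    if not provenance_known:
        # Missing explorer data is a monitoring failure, not evidence of fraud.
        # Report it as its own class so the post-mortem does not call it an attack.
        missing = "decompile" if tx.decompiled_source is None else "internal tx log"
        return "data_gap", f"{tx.tx_id}: source of funds unresolved ({missing} missing)"
    if tx.amount >= LARGE_WITHDRAWAL and tx.sender not in KNOWN_MULTISIGS:
        return "suspicious", f"{tx.tx_id}: {tx.amount:,.2f} from unvetted sender {tx.sender}"
    return "normal", f"{tx.tx_id}: ok"

def should_halt(txs: List[SwapTx]) -> Tuple[bool, List[str]]:
    """Halt the swap when a large withdrawal is suspicious or its provenance
    cannot be established; return every reason so the decision is auditable."""
    reasons = []
    for tx in txs:
        verdict, reason = classify(tx)
        if verdict == "suspicious" or (verdict == "data_gap" and tx.amount >= LARGE_WITHDRAWAL):
            reasons.append(reason)
    return bool(reasons), reasons

# Constructed sample: the report's scenario (large withdrawal, decompile failed),
# a small withdrawal with the same gap, and a large vetted one with full data.
SAMPLE = [
    SwapTx("tx-1", "AmEXAMPLE_EARLY_INVESTOR", 7_706_818.22, None, False),
    SwapTx("tx-2", "AmEXAMPLE_OTHER", 1_500.0, None, True),
    SwapTx("tx-3", "AmEXAMPLE_EARLY_INVESTOR", 2_000_000.0, "-- lua source", True),
]

if __name__ == "__main__":
    halt, why = should_halt(SAMPLE)
    print("halt:", halt)
    for r in why:
        print(" -", r)
```

Only tx-1 halts the service, and its reason names the missing decompile rather than the sender, which is the distinction the report's root-cause analysis turns on.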

3. Immediate actions
Following the detection of these unusual activities, we temporarily suspended the Aergo swap service. All functionalities have been put on hold, and emergency inspections are underway to assess and rectify the situation.

4. Action Items

  • Because LuaJIT bytecode can potentially be manipulated, which makes decompiling unreliable and poses security risks, a hotfix will be applied sooner than planned as part of an already scheduled network upgrade.
  • The upcoming upgrade will include the addition of Internal Transaction Logging capabilities.

5. Final Notes
We have temporarily halted operations on the swap service due to a false alarm caused by functionality limitations in Aergo Scan, which our Fraud Detection System (FDS) relies on for monitoring bridge vaults. We are currently focused on confirming the security of the funds held in the bridge Vault.

Upon the initial review, the issue with the bridge Vault and associated services was not due to a security vulnerability. Instead, it stemmed from a malfunction in the Fraud Detection System (FDS) triggered by an error in the explorer. This incident has been identified as a technical error, and we are confident there are no additional security concerns.

The enhancement of the Aergo Scan Explorer is actively underway. We are diligently working through the development and review processes, anticipating the completion of these improvements within two weeks following the resumption of bridge operations.

Aergo Scan does not currently show information on internal transactions, which are exchanges between contracts. Consequently, the source of funds for transactions involving multi-sig wallets may not appear on Aergo Scan. The funds originate from one of the early participants.

The swap service is expected to resume on June 5th at the latest. We are conducting extensive testing to ensure its smooth operation upon reopening.
