TBPro issue (03052019) report v0.1
The TRX Pro (TBPro) contract was hacked at 4/29/2019 8:00 PM (Singapore time).
The entire balance of the contract (26,723,478.428024 TRX) was stolen by a hacker named wojak (TX: https://tronscan.org/#/transaction/e26666a806e24697fd049e60cf83cf412f58d85cdb0493c014cef0d29d8bdc2e).
We contacted the hacker (wojak) through Discord immediately. Wojak said in the Discord community that he would issue a refund.
Over the next 24 hours he said nothing further about a refund. Meanwhile we found that the funds in his Tron address (THeRTTCvN4SHEVYNqcLVLNGGVsWLR4smyH) had been transferred to Binance Exchange.
We contacted several security teams, and users who had clues, through the TronBank Telegram and Discord channels, and finally figured out what happened. Thanks for your efforts!
We found that:
- Khanh (author of https://tronsmartcontract.space/#/author, Tron address: TTX5N2wxLeyWBSNE6UeaBjCFZbpa2FH6jr) wrote a backdoor and injected the backdoor code into our TRX Pro (TBPro) contract while compiling and deploying the code.
- Wojak used that backdoor to steal the entire balance of the contract, then transferred it to Binance Exchange.
Timeline of this issue
Most of this research is based on the discussion in the group created by TronBank users. You helped a lot. Thanks for your efforts!
1. We deployed the test contract of TBPro on Tron mainnet at 4/28/2019 4:07 PM (SGT): https://tronscan.org/#/contract/TAWLPqFn33U7iaAfP6cXRdJXcBUc1ewCRJ
2. Khanh (TSC: TronSmartContract.space) saw our contract and, at 4/28/2019 5:35 PM (SGT), deployed a fake test contract with the same name "TBPro" based on our code: https://tronscan.org/#/contract/TYZ4oPdPmwZS9xTUXhnFtQkPFFTi2iAydz (he created the contract from his own address, TTX5N2wxLeyWBSNE6UeaBjCFZbpa2FH6jr, which is shown on the donate page of the TSC website).
He added two backdoor functions to this fake contract for testing:
   - (a) If someone calls withdraw() with 0.11011 TRX and the "OK" string is returned, the backdoor code is working.
   - (b) If someone calls withdraw() with 0.011911 TRX, that person withdraws the entire balance of the contract.
After deploying the contract, Khanh also tested the backdoor function on 4/30 using his address (TTX5N2wxLeyWBSNE6UeaBjCFZbpa2FH6jr, shown on the donate page of the TSC website).
3. We deployed the first release version of the TBPro contract, compiled with tronbox, at 4/28/2019 10:01 PM: https://tronscan.org/#/contract/TE3p4cQ8VBfM1KFatADXJjsJBY2THEUrT7 We then tried many times to verify the code on TSC (TronSmartContract.space) with the contract source, but it did not work; TSC always returned "Can not be verified". (We think TSC had changed its verify function so that the code could not be verified at this time.)
4. Our only remaining option was to use TSC to deploy again and verify (after searching on Google we found answers on Discord saying that you can use TSC to compile and deploy). This time compiling and deploying took a long time, but the code verification finally passed on TSC: https://tronscan.org/#/contract/TW9AE7u5QADp2uej9xdaNVTYtqsRuJZNxJ That is how Khanh (TSC) was able to inject the backdoor code into our contract: he can do anything during compiling and deploying.
Another clue: before we verified the contract on TSC, Khanh deleted the git commits of all the contracts that had been verified.
5. Twelve minutes after we deployed the final contract, at 4/28/2019 11:00 PM (SGT), Khanh (TSC) tested the backdoor function he had injected. He called the "OK" function to make sure the backdoor code works: https://tronscan.org/#/transaction/d6d89713ebdb98402ddfd1d454be394a5521c83b7d385ce2c394924a2b923c89
6. A hacker named Wojak (Discord name; address: THeRTTCvN4SHEVYNqcLVLNGGVsWLR4smyH) called the withdraw function with 0.000123 TRX; the contract reverted and nothing happened: https://tronscan.org/#/transaction/aabfc7b6cedb2e8ce055c7fdc7a62df558213c63a33092293886b0e4b58277e5
7. Wojak called the withdraw function with 0.011911 TRX (the amount Khanh set in the backdoor code) at 5/3/2019 4:12 AM, and the backdoor code worked. The entire balance (26,723,478.428024 TRX) was transferred to his address (THeRTTCvN4SHEVYNqcLVLNGGVsWLR4smyH).
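The trigger amounts above (0.11011 TRX for the "OK" probe, 0.011911 TRX for the drain) and the failed 0.000123 TRX guess are exactly the kind of pattern a monitoring script could have flagged before the final transaction. The following is an added example, not code from the report or from TronBank: a Python check over per-call records of the kind a defender exports from an explorer. The record format, the sample calls and the 90% drain threshold are constructed assumptions; amounts are handled in sun (1 TRX = 1,000,000 sun) so the comparisons are exact.

```python
from dataclasses import dataclass

SUN_PER_TRX = 1_000_000  # 1 TRX = 1,000,000 sun, TRON's smallest unit
# Trigger amounts from the report, in sun: 0.11011 TRX ("OK" probe) and 0.011911 TRX (drain).
KNOWN_TRIGGERS_SUN = {110_110, 11_911}
# Assumed heuristic: one successful call moving >= 90% of the balance counts as a drain.
DRAIN_PERCENT = 90


@dataclass
class ContractCall:
    tx_id: str
    caller: str
    function: str            # name of the invoked function
    call_value_sun: int      # TRX attached to the call (msg.value), in sun
    balance_before_sun: int  # contract balance before the call, in sun
    sent_out_sun: int        # TRX the call transferred out of the contract, in sun
    reverted: bool


def trx_to_sun(trx: float) -> int:
    return round(trx * SUN_PER_TRX)  # exact integer sun, avoiding float drift later


def flag_call(call: ContractCall, triggers=KNOWN_TRIGGERS_SUN) -> list:
    """Return the reasons a call looks like backdoor probing or a drain; empty if clean."""
    reasons = []
    # A withdraw() that accepts TRX is odd: withdrawing should not need msg.value at all.
    if call.function == "withdraw" and call.call_value_sun > 0:
        reasons.append("withdraw() called with non-zero msg.value")
    # Exact match against the trigger amounts documented in the report.
    if call.call_value_sun in triggers:
        reasons.append("msg.value equals a known backdoor trigger amount")
    # Integer arithmetic: sent_out / balance >= DRAIN_PERCENT / 100 without float rounding.
    if (not call.reverted and call.balance_before_sun > 0
            and call.sent_out_sun * 100 >= call.balance_before_sun * DRAIN_PERCENT):
        reasons.append("single call moved out >= 90% of the contract balance")
    return reasons


def scan_calls(calls) -> dict:
    """Map tx_id -> reasons for every call that raised at least one flag."""
    return {c.tx_id: flag_call(c) for c in calls if flag_call(c)}


# Constructed sample records mirroring the report's timeline (not real explorer output).
FULL_SUN = trx_to_sun(26_723_478.428024)
SAMPLE_CALLS = [
    ContractCall("tx-user-withdraw", "T_USER_EXAMPLE", "withdraw", 0, FULL_SUN, trx_to_sun(1000), False),
    ContractCall("tx-ok-probe", "T_DEPLOYER_EXAMPLE", "withdraw", trx_to_sun(0.11011), FULL_SUN, 0, False),
    ContractCall("tx-guess-revert", "T_ATTACKER_EXAMPLE", "withdraw", trx_to_sun(0.000123), FULL_SUN, 0, True),
    ContractCall("tx-drain", "T_ATTACKER_EXAMPLE", "withdraw", trx_to_sun(0.011911), FULL_SUN, FULL_SUN, False),
]
```

Running `scan_calls(SAMPLE_CALLS)` flags the "OK" probe, the reverted guess and the drain, and leaves the ordinary user withdrawal alone; the first rule alone (non-zero value on a withdraw call) fires on the probe twelve minutes after deployment, well before the balance moved.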