Analysis on KickICO hack: part 2
What did the new owner do?
As we described in part 1 of this article, the current owner of the smart contract for Bancor Converter transfers the ownership of the smart contract to account 0x1d68 in the transaction shown below.
Transaction Hash: 0xc478731d4876c0a669e83df7489c1e08a67e755f60fc96614be2db1177178093
Status: Success
Block: 6034847 2731585 Block Confirmations
Timestamp: 448 days 23 hrs ago (Jul-26-2018 06:31:10 PM +UTC)
From: 0x5031129a4a1c0eaa0b98f989f9f3087c9a236451
To: Contract 0x51907923c3280c24b6b69b0d217ea34cabde684d (Bancor: Converter #54)
Value: 0 Ether ($0.00)
Transaction Fee: 0.000611499 Ether ($0.11)
Gas Limit: 29,119
Gas Used by Transaction: 29,119 (100%)
Gas Price: 0.000000021 Ether (21 Gwei)
Nonce Position 5789 35
Input Data: Function: changeOwner(address _newOwner)
MethodID: 0xa6f9dae1
[0]: 0000000000000000000000001d6835b6242d4062b99e2cca41b08ad1de059ec4This transaction happened on Jul-26–2018 06:31:10 PM +UTC. At this point, the owner of the Bancor Converter is 0x1d68, and 0x5031 can no longer trigger functions that require ownership privilege in Bancor Converter as well as KickCoin.
Before this transaction, the existing owner also sent 7 Ethers to this new owner of the contract.
Transaction Hash: 0x751d5b06e5b2aba2c4725e2d427e78963511ab4ed1fd445870b781dbff3bb2c4
Status: Success
Block: 6034817 2731644 Block Confirmations
Timestamp: 449 days 7 mins ago (Jul-26-2018 06:24:09 PM +UTC)
From: 0x5031129a4a1c0eaa0b98f989f9f3087c9a236451
To: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
Value: 7 Ether ($1,225.98)
Transaction Fee: 0.000441 Ether ($0.08)
Gas Limit: 21,000
Gas Used by Transaction: 21,000 (100%)
Gas Price: 0.000000021 Ether (21 Gwei)
Nonce Position 5788 21
Input Data: 0xThe creation time of this transaction is Jul-26–2018 06:24:09 PM +UTC and it is about 7 minutes before the ownership was transferred.
By looking at the history of transactions for account 0x1d68, we can find that the transaction transferring 7 Ethers from 0x5031 to 0x1d68 is the first transaction involving 0x1d68. Thus, account 0x1d68 is a brand new one and it does not interact with the world of Ethereum blockchain until this transaction that transfers 7 Ethers from 0x5031 to it.
The problem is: who does this account 0x1d68 belong to, the attackers or the KickICO team?
To answer this question, let us investigate what has account 0x1d68 done after it take over the ownership of the smart contract for KickCoin.
Here is the history of transactions involving account 0x1d68, ordered in descending timestamps.
Txn Hash Block Date Time (UTC) From To Value [Txn Fee]0x8a7aabe53346bce2f62282f53a582cc4305296b0a53f26683f34f881da981987 6103727 2018-08-07 9:15:16 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT 0x40c38f16eb164de15a65bcb70643ad4533067e3f 1.3943734746 Ether 0.0004410x277765277ae0ceb3423f087511efe64b072a7676f7849747497383e2845167d8 6103723 2018-08-07 9:13:58 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.001826660xd50330eefeeffdcedc80ec73c595617310829e1e22c2f85c688004f811514ddc 6103697 2018-08-07 9:07:07 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT Bancor: Converter #54 0 Ether 0.000611490x573a3ec04b66a1a4523874414c4c5944270378ebe0f09f5a06f45d2b696d9376 6103602 2018-08-07 8:41:18 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT 0x9eacc3ad741df864de7ceb6f08cb733f97646109 5.5 Ether 0.0004410xab390a55ffa4ee94c7a66da027352adb45e17d4bce064315cc952163cb273a1e 60560302018-07-30 7:46:34 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000063650xd4a699f798e43217af325165421fb397c62648b5cee552bf25e000b98e4019e7 6056024 2018-07-30 7:44:18 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.00022030xb16e92cd439516aebe4b1f3a6422620eecd9f6c1156fd4fefb781732d857a9eb 60560082018-07-30 7:40:51 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990xe88377fa0514f5b959821fd0027cabf0e3a92fff5091cc16651a1742e819b0ef 60560042018-07-30 7:39:48 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x45bf79ac0c885432686105ad062ce9f0b1810f334d956c3187f704613ac54664 6056000 2018-07-30 7:39:20 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x6ca48bd2ad7622db769f44b43b7b8b8101e4726cfbc949f30212d8fb81e8dd1d 6055996 2018-07-30 7:38:50 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850xac96c2bfba3233f49af8894802a44b8d0b9798ec9307504a2eaa9181e33fc95d 6055996 2018-07-30 7:38:50 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x3b03b5aaea9181d8ba19b190da06450b72a5424693ce705b224aa89f0c23f1f2 6055996 2018-07-30 7:38:50 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053710xc720bffee53c46c787020a191f2bf307b9b73297a2829813bff3b276ab76abd6 6055989 2018-07-30 7:37:11 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x4dd981ceceee3b8dc9c74a2e915b3bbefef91b46e8cb8881766554d23adb32e7 6055986 2018-07-30 7:36:32 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850xaa92fb4209d7fd41fc74a1ff1b3e6c1c37cb660c2a137e492b93441a0dec3535 6055970 2018-07-30 7:32:32 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053710xf7829c2875a82f6c8f832e8902f9f9ef1ebaa14e5a6b87c3d5ea3bb4da79a8d1 6055967 2018-07-30 7:32:09 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x01677dae53be73278685651dccb91521f2b8ea1fd08ded4376cfb173e433b836 6055965 2018-07-30 7:31:42 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x128509608c2fde85c62cd4593df9210f039088bcf80ed0c583ebfa8dd1c1e5f1 6055963 2018-07-30 7:31:26 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x1d2d205f95dbeb3e55f0a5c6b2ca02e973c7cd21ff34bd8fdf62bb4600b444c6 6055956 2018-07-30 7:29:34 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x5587e72d873518849a1963cac908f134d0a01dbf7473ae70ac0a6a5858be2bb0 6055950 2018-07-30 7:28:30 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x2d8658701f71cb9ac08a69533f23c9194ba0a82a56777ee36d984544901afb0d 6055950 2018-07-30 7:28:30 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850x383e8d721304619cb0beab3f16179dcee634863db084d4f731f6848f7247de40 6055948 2018-07-30 7:27:20 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850xef41b08a94117053370c950c5f80b9532e89fb19b939d93e06924e88d12d8841 6055941 2018-07-30 7:26:01 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x80ac6233904d4217c5daa0db5970d0e452da4c095644b1e5903ead612831d6ea 6055939 2018-07-30 7:24:40 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053850xb649d982e01295b6cd8bc665e092640ab742b4097a2bc38dfee54eb4f17e088f 6055916 2018-07-30 7:19:42 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x84d550208da88acb9f998534f8387d0e281362aa826a6d803f62f033da189dd0 6055914 2018-07-30 7:19:02 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x148d5ff428b28570ef04a5cb1fdf9b8e362bf80c121b03aeb64beccf0f28fdc3 6055911 2018-07-30 7:18:19 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x7d6ca4143b0b79ae8fa9f5ab0a252fbebf3b09a35335c35e896f3300aad70cdc 6055907 2018-07-30 7:17:24 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x50e96a7a34555b671e04656a3aa0cdff79fb46d10927b738bf4a8525e1f1f0c1 6055903 2018-07-30 7:16:17 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990xc81f9ce6a85fcbd1152fc07b0b5930bf6a3ffd74142735011027efca8fbbe3fe 6055899 2018-07-30 7:15:13 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990xa431d0dab2b9300016f915eca47ece149e10819da5257b8b8e8ab4c8556e74fb 6055890 2018-07-30 7:13:50 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000053990x7127146ef458de7586e3d84036010a86585ea32b70b8298958743f8bd38f4e87 6055879 2018-07-30 7:10:39 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000082630x3cf526da95b072e91e2fdbfcc300629fdd84172f589f8e0ac60ea491bbf7f305 6055879 2018-07-30 7:10:39 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT KickICO: Old Token 2 0 Ether 0.000082630x1a02cd70fdd6b95cd07120729ee5070da5e639b6fbb7fe40a887024e4efa128d 6055870 2018-07-30 7:06:19 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT Bancor: Converter #54 0 Ether 0.000068720xcdab540dc21ea3869bb21d283de6028e9a197c5e57f43155e49392254fb6561d 6034837 2018-07-26 18:29:11 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 OUT 0x1577d88ea21cedb1c7521ed3f8e16d99fbecbd97 0.1 Ether 0.0004410x751d5b06e5b2aba2c4725e2d427e78963511ab4ed1fd445870b781dbff3bb2c4 6034817 2018-07-26 18:24:09 0x5031129a4a1c0eaa0b98f989f9f3087c9a236451 IN 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 7 Ether 0.000441
As pointed out before, the first transaction for 0x1d68 (at the very bottom of the list) is token transfer from 0x5031 to 0x1d68.
The next transaction in the history of 0x1d68 transferred 0.1 Ethers to another account by 0x1d68. The purpose of this transaction, I guess, is just to make sure that account 0x1d68 works properly and it can send out transactions correctly.
The operations on KickCoin and Bancor Converter begin with the following transaction.
Transaction Hash: 0x1a02cd70fdd6b95cd07120729ee5070da5e639b6fbb7fe40a887024e4efa128d
Status: Success
Block: 6055870 2710557 Block Confirmations
Timestamp: 445 days 11 hrs ago (Jul-30-2018 07:06:19 AM +UTC)
From: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
To: Contract 0x51907923c3280c24b6b69b0d217ea34cabde684d (Bancor: Converter #54)
Value: 0 Ether ($0.00)
Transaction Fee: 0.0000687236 Ether ($0.01)
Gas Limit: 37,560
Gas Used by Transaction: 31,238 (83.17%)
Gas Price: 0.0000000022 Ether (2.2 Gwei)
Nonce Position 1 108
Input Data: Function: changeTokenOwner(address _newOwner)
MethodID: 0x0f809adb
[0]: 0000000000000000000000001d6835b6242d4062b99e2cca41b08ad1de059ec4This transaction triggers the function changeTokenOwner() in the Bancor Converter to transfer ownership of the token to 0x1d68. At this point, 0x1d68 is the owner of both Bancor Converter (0x5190) and KickCoin (0x2769).
Please note that the timestamp of this transaction is Jul-30–2018 07:06:19 AM +UTC. It occurred almost 4 days after 0x1d68 took over the ownership of Bancor Converter, which happened on Jul-26–2018 06:31:10 PM +UTC.
We all remember that the same function changeTokenOwner() in the Bancor Converter is also called by the attackers at the beginning of the hack. For convenience, we repeat that transaction below.
Transaction Hash: 0xac763632e265696f32db6e76513c07aac02f613a8df7f2494c6bc42a6987227f
Status: Success
Block: 6029499 2737734 Block Confirmations
Timestamp: 450 days 38 mins ago (Jul-25-2018 08:41:11 PM +UTC)
From: 0x5031129a4a1c0eaa0b98f989f9f3087c9a236451
To: Contract 0x51907923c3280c24b6b69b0d217ea34cabde684d (Bancor: Converter #54)
Value: 0 Ether ($0.00)
Transaction Fee: 0.000406094 Ether ($0.07)
Gas Limit: 31,300
Gas Used by Transaction: 31,238 (99.8%)
Gas Price: 0.000000013 Ether (13 Gwei)
Nonce Position 5733 21
Input Data: Function: changeTokenOwner(address _newOwner)
MethodID: 0x0f809adb
[0]: 0000000000000000000000005031129a4a1c0eaa0b98f989f9f3087c9a236451By comparing these two transactions, we can notice the following differences.
- their settings on gas limit are different: 37,560 vs 31,300
- their settings on gas price are different: 2.2 Gwei vs 13 Gwei
So, it is unlikely that these two transactions are sent out by the same person. In fact, all transactions created by the attackers introduced in part 1 of this article use gas price of 13 Gwei.
After becoming the owner of the smart contract for KickCoin token, 0x1d68 sends out the following transaction.
Transaction Hash: 0x3cf526da95b072e91e2fdbfcc300629fdd84172f589f8e0ac60ea491bbf7f305
Status:Fail
Block: 6055879 2710557 Block Confirmations
Timestamp: 445 days 11 hrs ago (Jul-30-2018 07:10:39 AM +UTC)
From: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
To: Contract 0x27695e09149adc738a978e9a678f99e4c39e9eb9 (KickICO: Old Token 2)Warning! Error encountered during contract execution [Out of gas]Value: 0 Ether ($0.00)
Transaction Fee: 0.000082632 Ether ($0.01)
Gas Limit: 37,560
Gas Used by Transaction: 37,560 (100%)
Gas Price: 0.0000000022 Ether (2.2 Gwei)
Nonce Position 2 197
Input Data: Function: destroy(address _from, uint256 _amount)
MethodID: 0xa24835d1
[0]: 0000000000000000000000006e808fc8786988695332f5a95721b1a5a3209ef3
[1]: 000000000000000000000000000000000000000000000000000370670947195a
This transaction attempts to trigger function destroy() in the smart contract for KickCoin (i.e., 0x2769). However, it fails due to out of gas.
After a couple or failed attempts, 0x1d68 finally adjusts the gas limit and sends out the following transaction.
Transaction Hash: 0xa431d0dab2b9300016f915eca47ece149e10819da5257b8b8e8ab4c8556e74fb
Status: Success
Block: 6055890 2710554 Block Confirmations
Timestamp: 445 days 11 hrs ago (Jul-30-2018 07:13:50 AM +UTC)
From: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
To: Contract 0x27695e09149adc738a978e9a678f99e4c39e9eb9 (KickICO: Old Token 2)
Tokens Transferred:
From 0x6e808fc8786988695332f5a95721b1a5a3209ef3 To 0x27695e09149adc738a978e9a678f99e4c39e9eb9 For 9,680,127.69728858 KickCoin (KICK)
Value: 0 Ether ($0.00)
Transaction Fee: 0.0000539924 Ether ($0.01)
Gas Limit: 40,000
Gas Used by Transaction: 24,542 (61.36%)
Gas Price: 0.0000000022 Ether (2.2 Gwei)
Nonce Position 4 83
Input Data: Function: destroy(address _from, uint256 _amount)
MethodID: 0xa24835d1
[0]: 0000000000000000000000006e808fc8786988695332f5a95721b1a5a3209ef3
[1]: 000000000000000000000000000000000000000000000000000370670947195aAll the settings of this transaction are the same as those of the previous failed transaction except that the gas limit is increased from 37,560 to 40,000 units.
This transaction burnt tokens from a given account. In this case, total amount of 9,680,127.69728858 KickCoin tokens from account 0x6e80 are destroyed.
Who is this account 0x6e80?
It is exactly one of the accounts that accept KickCoin tokens issued by the attackers during the hack. For convenience, this transaction that mints tokens to account 0x6e80 is repeated here.
Transaction Hash:
0x37c2de3356f42ead6d65f412e60609367309dd47f7a66de6af920a8b5315a735
Status: Success
Block: 6029897 2739267 Block Confirmations
Timestamp: 450 days 6 hrs ago (Jul-25-2018 10:17:33 PM +UTC)
From: 0x5031129a4a1c0eaa0b98f989f9f3087c9a236451
To: Contract 0x27695e09149adc738a978e9a678f99e4c39e9eb9 (KickICO: Old Token 2)Tokens Transferred:
From 0x27695e09149adc738a978e9a678f99e4c39e9eb9 To 0x6e808fc8786988695332f5a95721b1a5a3209ef3 For 9,680,127.69728858 KickCoin (KICK)Value: 0 Ether ($0.00)
Transaction Fee: 0.001301781 Ether ($0.23)
Gas Limit: 100,137
Gas Used by Transaction: 100,137 (100%)
Gas Price: 0.000000013 Ether (13 Gwei)
Nonce Position 5785 27
Input Data: Function: issue(address _to, uint256 _amount)
MethodID: 0x867904b4
[0]: 0000000000000000000000006e808fc8786988695332f5a95721b1a5a3209ef3
[1]: 000000000000000000000000000000000000000000000000000370670947195aIt can be seen that the account Id and total amount of tokens are exactly the same in these two transactions. The difference is that: the tokens issued to the attackers’ account is destroyed by account 0x1d68.
In fact, this process for destroying tokens that were issued to the accounts under attackers’ control is repeated 25 times. The information on the accounts and their amounts of destroyed tokens is describe below.
step account amount1 6e808fc8786988695332f5a95721b1a5a3209ef3 9680127.697288582 cc411de472b7919eba1960cefcc2136ce208a7de 3883562.262506013 e44a1c8cff9dcfb35aa1af9817aa5e8e4c32cc8b 5002706.852603264 70c4af018b6917668e3b54a298d06b4afff68ba3 5000654.579553175 e870df4d8f44ac27970d1567cde0720f1f7ce30a 3663276.160100346 0ee38a9f3d8aab56e8dcc29594438d442592fa04 3868528.895402957 fc252695c00c60229579209096c8a402675e53f4 3804901.592035688 eebb6b66ae3c70f7bb91bd7d97acf16e3b4dd6dd 2165347.59203419 700fab0a4ae129b8e5857fe61b063568ab872326 3565329.76119510 3e6d2afab54fb63f7fde2db01d3edc598c5c1b70 3300000.011 245ca149826fd38dec0452e93d4d32d8614b4e27 2250000.3047479812 9275fbc2bc935c040d58de825f326a89d81c4997 2165347.592034113 de8454202e6db153b9bfa5d795779ac3c11a681e 3883562.2625060114 ad66ffe3eb13d60e73099e756f7c54ed557e63e6 1189273.3211451715 b2e3e3ffa9829309e7f29e3cc202911ff11b67a2 1014242.7753329316 323aab5d1c016f18f78bad52df4d394954f26280 896379.1017467917 8b5efdd016060c3abbf5153e5cf0af7d407b390a 520000.018 9c17ef3d254080909b07eaef0aaf40d10220dfee 3244386.019 3d86bd475d0d348634bbb67d4d997752b9b252f0 557424.1827248320 de9aa9ed211ec640d393d82d53ff46ff2e041083 531000.021 c7992207826e795659f1ce5f2b19e6dbc797c268 525615.6996154522 0f4c9317b6613216bb2f1e2c4ce10393bf29aa15 500101.8816668723 09897e84f4d30870e3f5e98683178be1fbd4f894 484992.177405924 173907c4c743ddb7762d2f97f335589852b0c16c 471599.1505543725 20ff0491447c6cb8e34eaa89af9747daff68aeb5 6110247.1475
It can be computed that the total amount of token destroyed is 68,278,606.9896995 KickCoin.
After destroying tokens from these 25 accounts, 0x1d68 issues the same amount of tokens to its own account.
Transaction Hash: 0xd4a699f798e43217af325165421fb397c62648b5cee552bf25e000b98e4019e7
Status: Success
Block: 6056024 2710491 Block Confirmations
Timestamp: 445 days 11 hrs ago (Jul-30-2018 07:44:18 AM +UTC)
From: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
To: Contract 0x27695e09149adc738a978e9a678f99e4c39e9eb9 (KickICO: Old Token 2)
Tokens Transferred:
From 0x27695e09149adc738a978e9a678f99e4c39e9eb9 To 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4 For 68,278,606.9896995 KickCoin (KICK)
Value: 0 Ether ($0.00)
Transaction Fee: 0.0002203014 Ether ($0.04)
Gas Limit: 150,000
Gas Used by Transaction: 100,137 (66.76%)
Gas Price: 0.0000000022 Ether (2.2 Gwei)
Nonce Position 29 123
Input Data: Function: issue(address _to, uint256 _amount)
MethodID: 0x867904b4
[0]: 0000000000000000000000001d6835b6242d4062b99e2cca41b08ad1de059ec4
[1]: 000000000000000000000000000000000000000000000000001841e73389b75eAt this points, all tokens issued by the attackers to the accounts under their control have been burnt and the same amount of tokens is now hold by account 0x1d68.
Then, 0x1d68 restore the ownership of the smart contract for KickCoin to Bancor Converter in the following transaction.
Transaction Hash: 0xab390a55ffa4ee94c7a66da027352adb45e17d4bce064315cc952163cb273a1e
Status: Success
Block: 6056030 2710479 Block Confirmations
Timestamp: 445 days 10 hrs ago (Jul-30-2018 07:46:34 AM +UTC)
From: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
To: Contract 0x27695e09149adc738a978e9a678f99e4c39e9eb9 (KickICO: Old Token 2)
Value: 0 Ether ($0.00)
Transaction Fee: 0.000063657 Ether ($0.01)
Gas Limit: 150,000
Gas Used by Transaction: 28,935 (19.29%)
Gas Price: 0.0000000022 Ether (2.2 Gwei)
Nonce Position 30 139
Input Data: Function: changeOwner(address newOwner)
MethodID: 0xa6f9dae1
[0]: 00000000000000000000000051907923c3280c24b6b69b0d217ea34cabde684dTherefore, Bancor Converter (0x5190) is now the owner of smart contract KickCoin (0x2769), and 0x1d68 is still the owner of Bancor Converter.
Up to this point, account 0x1d68 has successfully recovered all KickCoin tokens stolen by the attackers and kept those tokens under its account.
But we still can not verify that account 0x1d68 is not under attackers’ control.
So, let us further investigate in next section.
Ownership changes again
Some time later, the ownership of the smart contract for Bancor Converter is change again in the following transaction.
Transaction Hash: 0xd50330eefeeffdcedc80ec73c595617310829e1e22c2f85c688004f811514ddc
Status: Success
Block: 6103697 2662849 Block Confirmations
Timestamp: 437 days 9 hrs ago (Aug-07-2018 09:07:07 AM +UTC)
From: 0x1d6835b6242d4062b99e2cca41b08ad1de059ec4
To: Contract 0x51907923c3280c24b6b69b0d217ea34cabde684d (Bancor: Converter #54)
Value: 0 Ether ($0.00)
Transaction Fee: 0.000611499 Ether ($0.11)
Gas Limit: 29,119
Gas Used by Transaction: 29,119 (100%)
Gas Price: 0.000000021 Ether (21 Gwei)
Nonce Position 32 23
Input Data: Function: changeOwner(address _newOwner)
MethodID: 0xa6f9dae1
[0]: 00000000000000000000000097d0f750a522445308ad43fd96a78f475d0439f1The timestamp for this transaction is Aug-07–2018 09:07:07 AM +UTC, which is more than 8 days after 0x1d68 recovered the stolen tokens.
This transaction transfers the ownership of smart contract for Bancor Converter to 0x97d0 and this smart contract controls the smart contract for KickCoin.
By looking at the history of the transactions by 0x97d0, we can see that this account is active in managing the smart contracts for Bancor Converter and KickCoin until 2019–08–29 12:03:58 UTC. If accounts 0x1d68 and 0x97d0 belong to attackers, then it is counter intuitive that they are still active after the hack has been exposed to the public.
Of course, the most convincing evident to confirm that accounts 0x1d68 is not under the control of attackers is that the KickCoin tokens hold in account 0x1d68 are eventually used to refund the victims.
The refund process will be covered in the next part of the article.
