Hack Track: Axion Network
Merkle Science Hack Track provides digestible insights on the movement of stolen funds from the latest cryptocurrency heists.
[Scroll below to skip to our analysis of the stolen fund movements]
Who was hacked?
The high-interest cryptocurrency investment platform, Axion Network’s recently launched AXN tokens have been breached and exploited.
What was stolen and when?
According to a report published by Coin Telegraph (also quoted by Axion on its website), on Nov. 2, the Axion Network launched its new token, known as AXN. A few hours after the high-profile launch, however, it became clear that the token has been breached. An unauthorized actor unexpectedly minted 79 billion AXN and unloaded them on the market. The price collapsed in excess of 99%, netting the attackers 1300 ETH — worth an estimated $500,000.
Why did the hack take place?
In the report published by Coin Telegraph on the behalf of Certik Foundation, on the 2nd of November 2020 at approximately 11:00 AM +UTC a hacker managed to mint around ~80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract. The hacker proceeded to then deposit the tokens on the AXN Uniswap exchange for Ether, repeating this process until the Uniswap exchange was drained and the token price was driven to 0. Certik concluded that the attack was likely planned from inside, involving an injection of malicious code at the time the code was deployed by altering code from OpenZeppelin dependencies
What is the impact of the hack on the firm’s clients?
In a post on Twitter just after the breach, Axion assured that all its customers holding AXN/HEX2T tokens at the time of breach will be compensated.
Later on Nov. 3, Axion posted a detailed statement on Twitter highlighting how they will be compensating the users. , Axion said that “everyone will be compensated as fairly and fully as possible. We’re still here and more resilient than ever. One man can not take us down, this community is strong. We will persist and grow stronger than ever.”
Where are the stolen funds going?
After the hacker dumped all the AXN tokens to Uniswap and cashed out for a total of 1652 ETH over multiple transactions, 1300 ETH were then sent to another address “0x3018C81dCB9cAA2554d226d5a1A929dd319F085D”. There is no further movement of funds from this address. However, our data scientists noticed that hackers were using Tornado cash, a coin mixing service for Ethereum, to obfuscate the history of ether (ETH) transactions.
What is Tornado Cash?
Tornado cash is one of the coin mixers in the Ethereum blockchain. It allows hackers to create a private key (almost like a password converted to a hash) while making a deposit of funds to a particular smart contract, let’s call it Smart Contract A. At a later period when the users want to withdraw the funds, they can access their smart contract address, in this case, Smart Contract A using their private key. The said smart contract will then match the key with the deposited funds and instruct a different smart contract (let’s call that smart contract B) to transfer the funds to an address provided by the user. Smart contract B will then retrieve funds from a vault called anonymity pool, which mostly has funds collected from other past users of the platform, and initiate a transfer to the provided address.
The receiving address could either be a wallet address (priorly used at least once, i.e., one deposit minimum) or it could be a relayer. The wallet must have a small amount in it to be able to pay for and call the smart contract B for initiating the further transfer. In case a user does not have any balance in its wallet or wants to transfer funds to a completely new address, the amount required to call the smart contract B can be paid from the depositor address, thus creating no links between the sending address and the receiving address.
Role of Tornado Cash in Axion Breach
In the case of Axion Network, what may look like 1652 ETH could easily be more. The actual losses will be difficult to determine as the hacker was exchanging the stolen tokens during the rapid price drop of the said tokens.
What can be done to prevent hackers from cashing out?
All exchanges that are receiving funds from Axion breach can freeze the account of the user associated with the incoming transaction (flagged by a blockchain analysis tool), preventing them from trading one currency for other cryptocurrencies, especially anonymous ones, that could then be transferred elsewhere and are more difficult to trace.
Tornado Cash is labeled on Merkle Science’s service and users should treat it as a risky entity. Merkle Science has also updated wallet addresses associated with the Axion breach. All our partners and customers will also receive immediate information if any funds they receive are from the hackers’ wallet
Most exchanges globally share information on stolen fund addresses to deal with such risks and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services.
Our team will continue to update this article on a periodic basis following continuing movements of the stolen funds.
