Statemind saves Avalanche and others half a billion in crypto
Exploits have plagued the blockchain industry and DeFi protocols like never before. Almost every day there is another horror story about a well-known protocol being drained of funds through an exploit that could have been caught beforehand. Even worse is the impact the news can have on the community of the affected cryptocurrency, which may crash in value and lose valuable support.
This is exactly why a critical vulnerability and an anonymous white hat tipster captivated the crypto community recently and led to a very public investigation on Twitter among top blockchain developers. But who was really behind the discovery that saved the cryptocurrency industry a combined value of more than $650 million?
Here are the details of the incident and how it fed into a widespread search for the blockchain security auditing firm behind the discovery. We will also reveal exactly who the heroes are.
Why Crypto Twitter launched an anonymous tipster investigation
New technologies are put through rigorous stress tests with the public acting as beta testers. Although more often than not the development team has the purest of intentions, even the smallest vulnerability can be exploited, so no stone can be left unturned when it comes to clean and secure code.
Yet it is impossible to read crypto media headlines without stumbling upon story after story of millions of dollars lost in a matter of moments. Affected projects may struggle to recover, and their users suffer as a result. Developers usually stand firm and deliver the bad news to the community about exactly what happened and why, then begrudgingly weather the backlash and fallout.
But a recent example trending on Twitter was one of those rare happy endings that has captured the heart of the crypto community. An anonymous tipster saved several top crypto protocols, including Avalanche (AVAX), Abracadabra (MIM) and SushiSwap (SUSHI), well over half a billion dollars in value.
White Hat Discovery leads to more than $650 million in cryptocurrency savings
Estimated funds at risk included approximately $350 million on Avalanche; around $300 million worth of MIM tokens and another $3 million in user funds at Abracadabra; nearly $60 million in NXUSD tokens at Nereus Finance; and approximately $100,000 in funds from SUSHI loans. There is also an unknown impact related to the Boba Network.
Given the massive amount of funds kept safe, developers of the affected protocols took to Twitter in search of the anonymous tipster who had sent their discovery to Immunefi. It began with SushiSwap core developer Matthew Lilley, who tweeted about the topic and got the investigation underway.
Kashi Markets on Avalanche was white-hacked following the discovery of an attack vector introduced by the Native Asset Call precompilation on Avalanche. The Sushi team was able to validate the report, which was submitted by a whitehacker on @immunefi, by creating a simple PoC. 1/6
— I’m software (@MatthewLilley) 8 September 2022
In the hours that followed, a domino effect of developers began to come forward and disclose the vulnerability and work on an immediate fix.
1/🧙🏼‍♂️!
We have been notified of a possible vulnerability in our Avalanche pots.
No user assets have been lost, the vulnerability has now been patched and all security is ensured.
Read more about our post mortem here
— 🧙🏼‍♂️ (@MIM_Spell) 8 September 2022
Avalanche, Abracadabra and others emerge with the humble hero
It wasn’t until today that Ava Labs engineering manager Patrick O’Grady took to Twitter to thank Statemind, which was then publicly identified as the blockchain security firm behind the discovery.
@statemindio emerged as the anonymous white hat who tipped off the teams involved:
Thanks again for all your work in alerting the community to the issue! 🫡
— Patrick “The Faucet” O’Grady (@_patrickogrady) 8 September 2022
The official Abracadabra Twitter account also expressed its deep gratitude for bringing attention to the critical vulnerability and saving the crypto community from yet another horror story.
🧙🏼‍♂️!
We would like to extend a big thank you to the audit company @statemindio for reporting the vulnerability mentioned in our last announcement.
Thanks to your report, we have managed to secure all the funds and cooperate with @avalancheavax to patch the vulnerability!
— 🧙🏼‍♂️ (@MIM_Spell) 8 September 2022
The vulnerabilities were fixed in record time. Both Avalanche and Abracadabra have shared a post mortem about the situation. Other affected protocols are likely to follow suit and provide transparency to the community at large.
Who is the team behind the white hat heroics?
Who exactly is the team behind the discovery? We got in touch with a blogger who also works with the company to learn more.
I know the anonymous hackers who exposed the exploit to @avalancheavax @MIM_Stav & @SushiSwap
saves 3 million dollars in user funds and 300 million $MIM tokens
if you’re a crypto journalist looking for comments/exclusive details from the team that found the exploit, let me know
— notEezzy 🧸 (@notEezzy) 8 September 2022
Blockchain security auditing firm Statemind reviewed the code of ten top blockchain protocols looking for custom precompiles that could be potentially dangerous. Past experience, the auditing firm explained, has shown that custom precompiles can become dangerous in the wrong environment.
According to the research, Avalanche and others had a precompile “that allowed arbitrary calls to be routed through the precompile that forwards msg.sender.” In other words, the onward call made by the precompile carried the identity of whichever contract invoked the precompile, rather than the precompile’s own address. For some protocols, this meant that anyone who could make a protocol contract call a user-chosen address could point it at the precompile and, through it, call any other contract on behalf of the protocol’s contract.
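To make the msg.sender-forwarding problem concrete, the following is an added example written for this article; it is not code from Statemind, Avalanche or any of the affected protocols. It is a deliberately simplified Python model of EVM-style message calls: a `Vault` contract exposes an `execute(target, data)` helper protected by a denylist (its own token is denylisted), a `Token` debits whichever address is the caller, and a `ForwardingPrecompile` stands in for the flawed precompile by making its onward call with the original caller preserved. The addresses, contracts, denylist and the `0xSomeDex` allowlist entry are all constructed for the demonstration, and the real precompile’s interface and address are not modelled.

```python
# Added example: toy model of message calls showing why a precompile that
# forwards msg.sender lets an "arbitrary call" helper act as the calling
# contract. Not the real EVM, precompile or any protocol's code.

VAULT = "0xVault"          # protocol contract holding tokens (constructed)
TOKEN = "0xToken"          # token whose transfer() debits the caller (constructed)
PRECOMPILE = "0xFwd"       # stand-in address for the flawed precompile (constructed)
ATTACKER = "0xAttacker"    # constructed


class CallBlocked(Exception):
    """Raised when the vault refuses to call a target."""


class Chain:
    """Minimal dispatcher: every call carries an explicit caller (msg.sender)."""

    def __init__(self):
        self.contracts = {}

    def call(self, caller, target, data):
        return self.contracts[target].handle(self, caller, data)


class Token:
    """transfer(to, amount) moves funds from the caller, as an ERC-20 would."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def handle(self, chain, caller, data):
        op, to, amount = data
        if op != "transfer":
            raise ValueError("unknown op")
        if self.balances.get(caller, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[caller] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


class ForwardingPrecompile:
    """The flaw: the onward call keeps the original caller instead of
    using the precompile's own address as msg.sender."""

    def handle(self, chain, caller, data):
        target, inner = data
        return chain.call(caller, target, inner)   # caller is forwarded unchanged


class Vault:
    """Protocol contract with an execute(target, data) helper guarded by lists."""

    def __init__(self, address, denylist=(), allowlist=None):
        self.address = address
        self.denylist = set(denylist)
        self.allowlist = None if allowlist is None else set(allowlist)

    def handle(self, chain, caller, data):
        op, target, inner = data
        if op != "execute":
            raise ValueError("unknown op")
        if target in self.denylist:
            raise CallBlocked(f"{target} is denylisted")
        if self.allowlist is not None and target not in self.allowlist:
            raise CallBlocked(f"{target} is not allowlisted")
        # The vault itself becomes msg.sender for the onward call.
        return chain.call(self.address, target, inner)


def build_chain(deny_precompile=False, allowlist=None):
    chain = Chain()
    chain.contracts[TOKEN] = Token({VAULT: 1_000})
    chain.contracts[PRECOMPILE] = ForwardingPrecompile()
    deny = [TOKEN] + ([PRECOMPILE] if deny_precompile else [])
    chain.contracts[VAULT] = Vault(VAULT, deny, allowlist)
    return chain


def attempt(chain, target, inner):
    """Attacker asks the vault to call target; True if the call went through."""
    try:
        chain.call(ATTACKER, VAULT, ("execute", target, inner))
        return True
    except CallBlocked:
        return False


def run_scenario(deny_precompile=False, allowlist=None):
    """Try the direct and the precompile-routed call; report what happened."""
    chain = build_chain(deny_precompile, allowlist)
    steal = ("transfer", ATTACKER, 1_000)
    direct = attempt(chain, TOKEN, steal)                  # vault -> token
    routed = attempt(chain, PRECOMPILE, (TOKEN, steal))    # vault -> precompile -> token
    token = chain.contracts[TOKEN]
    return {
        "direct_call_succeeded": direct,
        "routed_call_succeeded": routed,
        "vault_balance": token.balances.get(VAULT, 0),
        "attacker_balance": token.balances.get(ATTACKER, 0),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario())
    print("deny fix  :", run_scenario(deny_precompile=True))
    print("allowlist :", run_scenario(allowlist={"0xSomeDex"}))
```

In the unpatched configuration the direct call is refused because the token is denylisted, but routing the same payload through the forwarding precompile succeeds and the token sees the vault as the caller, so the vault’s whole balance moves to the attacker. Adding the precompile to the denylist stops this particular route; replacing the denylist with an allowlist of known targets is the more robust design, since it does not depend on knowing every address that can act as a forwarder.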
Statemind.io is a leading blockchain security audit company with over 100,000 lines of Solidity and Vyper code audited. That experience has secured more than $10B in TVL, and the firm placed 14th in Paradigm CTF 2022. Thanks to Statemind, the “funds are SAFU” and the cryptocurrency industry has a new white hat hero.