SlowMist MistTrack: Decentralized protocol BXH was stolen for more than $130 million, and part of the funds have been transferred to Ethereum and BTC

On October 30, 2021, the BXH project, a decentralized trading protocol on the Binance Smart Chain (BSC), was attacked . At present, the initial hacker profit address (BSC: 0x48c94305bddfd80c6f4076963866d968cac27d79) has transferred 4,000 ETH from the BSC chain to the ETH chain, and then exchanged 300 BTCB for renBTC across the chain to the address (1Jw...9oU and 1Fr...Vow) , and about 130 million US dollars were stolen.

The BXH team stated that the assets on Huobi Ecosystem Chain (Heco), OEC and Ethereum are in a safe state, but for security reasons, the official has temporarily suspended deposit and withdrawal services. SlowMist AML will continue to monitor the transfer of stolen funds, blacklist all wallet addresses controlled by attackers, and remind exchanges and wallets to strengthen address monitoring to prevent related malicious funds from flowing into the platform.

According to the analysis of the SlowMist security team, the hacker deployed the attack contract 0x8877 ​​at 13:00 (UTC) on the 27th, and then granted the management rights of the attack contract 0x8877 ​​through grantRole at 08:00 (UTC) on the 29th to the BXH project management wallet address 0x5614. At 03:00 (UTC) on the 30th, the attacker transferred the assets under his management from the BXH strategy pool fund library through the permissions of the attack contract 0x8877. At 04:00 (UTC) on the 30th, 0x5614 suspended the fund library.

Therefore, the theft of BXH this time was due to the malicious modification of its management authority, which led to the attacker using this authority to transfer project assets.