Mixin Network - REKT

What a way to start the week.

This morning, Mixin Network announced a loss of $200M... to an attack which had occurred on Saturday.

A few hours later, the Hong Kong-based project informed users via livestream that just 50% of their assets were guaranteed, according to The Block. An English summary of the livestream (promised in the initial announcement) is yet to be published.

News of a relatively unheard-of platform losing nine figures brings back memories of Poly Network’s leaderboard-topping incident in August 2021, and goes to demonstrate the vast disconnect between crypto communities across the globe.

Mixin Network claims to be “decentralised”, but has blamed the losses on a hacked third-party database.

Something doesn’t add up...

The details of precisely how funds were drained have not yet been disclosed.

But Mixin wasted no time in shifting the blame:

the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet

The transactions appear to be simple transfers, which would suggest a leak of Mixin users’ private keys held on the cloud service.

BlockSec also believe that some of the addresses drained may have been Mixin’s hot wallets.

The stolen funds accounted for so far are comprised of ETH, USDT (swapped to unfreeable DAI) and BTC, with not an illiquid shitcoin in sight.

The announcement states that Mixin is in contact with Google (presumably the ‘service provider’ in question) and SlowMist to aid in the investigation.

Attacker addresses (identified so far, with approx $50M still to be accounted for):

0x52E86988bd07447C596e9B0C7765F8500113104c - Received 60k ETH ($94M)

0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e - Received USDT, swapped to DAI ($23.5M)

0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa - Used to disperse ETH to victim addresses for gas to transfer USDT

bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes - Received 891 BTC ($23M)

If the $200M figure stated by Mixin is accurate, it would make this incident the biggest hack of 2023 so far, knocking March’s $197M exploit of Euler Finance (funds later returned) off the top spot.

As assets currently remain in the drainer wallets, there may be some hope for Mixin’s request for funds to be returned (with a $20M bounty), though the swapping of USDT to DAI is not a good sign.

This case has many of the hallmarks of a Lazarus heist, and the group has been plenty busy lately.

If it does turn out to be Lazarus, the funds will soon be getting a good Mixin’

By blaming a third party, as Nansen also did on Friday, Mixin is attempting to hide from one of crypto’s most important tenets: accountability.

Using a web2 service provider for sensitive on-chain data goes against everything about the origins of this industry.

And given LayerZero’s latest partnership, they may have some reassuring to do…

With a constant stream of hacks, leaks and scams flooding the timeline, it begins to feel like working in an online minefield.

But that's the point.

This was a hack, not an exploit.

Yet another case of legacy infrastructure failing, yet another reason to be working towards a more secure future…

As the darkest days of bear market apathy grind on, it becomes ever-harder to stay motivated.

But for those building genuine, robust protocols for a future true to crypto’s original ideals, remember:

decentralization doesn't matter

until it really really does
