What a way to start the week.
This morning, Mixin Network announced a loss of $200M... to an attack which had occurred on Saturday.
A few hours later, the Hong Kong-based project informed users via livestream that just 50% of their assets were guaranteed, according to The Block. An English summary of the livestream (promised in the initial announcement) is yet to be published.
News of a relatively unheard-of platform losing nine figures brings back memories of Poly Network’s leaderboard-topping incident in August 2021. And just goes to demonstrate the vast disconnect between crypto communities across the globe.
Mixin Network claims to be “decentralised”, but has blamed the losses on a hacked third-party database.
Something doesn’t add up...
The details of precisely how funds were drained have not yet been disclosed.
But Mixin wasted no time in shifting the blame:
“the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet”
The transactions appear to be simple transfers, which would suggest a leak of Mixin users’ private keys held on the cloud service.
BlockSec also believe that some of the addresses drained may have been Mixin’s hot wallets.
The stolen funds accounted for so far are comprised of ETH, USDT (swapped to unfreeable DAI) and BTC, with not an illiquid shitcoin in sight.
The announcement states that Mixin is in contact with Google (presumably the ‘service provider’ in question) and SlowMist to aid in the investigation.
Attacker addresses (identified so far, with approx $50M still to be accounted for):
0x52E86988bd07447C596e9B0C7765F8500113104c - Received 60k ETH ($94M)
0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e - Received USDT, swapped to DAI ($23.5M)
0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa - Used to disperse ETH to victim addresses for gas to transfer USDT
bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes - Received 891 BTC ($23M)
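The gas-dispersal pattern in the list above (one address sending ETH to many victim addresses so their USDT can be moved out) is something a custodian can alert on for its own deposit addresses. The following is an added example, not part of the original article or of Mixin's tooling; the transfer records, address labels and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transfers (not real chain data):
# (time_s, asset, sender, recipient, amount)
TRANSFERS = [
    (100, "ETH",  "funder_X", "dep_1", 0.01),
    (105, "ETH",  "funder_X", "dep_2", 0.01),
    (110, "ETH",  "funder_X", "dep_3", 0.01),
    (160, "USDT", "dep_1", "sink_Y", 50_000),
    (170, "USDT", "dep_2", "sink_Y", 75_000),
    (180, "USDT", "dep_3", "sink_Y", 20_000),
    (200, "ETH",  "ops_hot", "dep_4", 0.01),    # routine top-up by our own hot wallet
    (260, "USDT", "dep_4", "treasury", 10_000),  # routine sweep to our treasury
    (300, "USDT", "dep_5", "customer_Z", 500),   # ordinary withdrawal, no prior top-up
]
OWN = {"dep_1", "dep_2", "dep_3", "dep_4", "dep_5"}   # addresses we custody
KNOWN_FUNDERS = {"ops_hot"}                            # wallets allowed to send gas
KNOWN_SINKS = {"treasury"}                             # approved sweep destinations

def find_gas_funded_drains(transfers, own, known_funders, known_sinks,
                           window_s=600, min_victims=2):
    """Return {(funder, sink): [victims]} for clusters where an unrecognised
    funder topped up our addresses with ETH and each address then sent tokens
    to the same unrecognised sink within window_s seconds."""
    last_topup = {}                 # victim -> (time, funder)
    clusters = defaultdict(list)
    for t, asset, src, dst, _amount in sorted(transfers, key=lambda r: r[0]):
        if asset == "ETH" and dst in own and src not in known_funders:
            # We did not send this gas: remember who did and when.
            last_topup[dst] = (t, src)
        elif asset != "ETH" and src in own and dst not in known_sinks:
            topup = last_topup.get(src)
            if topup and t - topup[0] <= window_s:
                clusters[(topup[1], dst)].append(src)
    # A single hit may be noise; several addresses sharing one funder and
    # one sink is the dispersal pattern worth paging on.
    return {k: v for k, v in clusters.items() if len(set(v)) >= min_victims}

if __name__ == "__main__":
    for (funder, sink), victims in find_gas_funded_drains(
            TRANSFERS, OWN, KNOWN_FUNDERS, KNOWN_SINKS).items():
        print(f"ALERT funder={funder} sink={sink} victims={victims}")
```

An unexpected gas top-up on its own is the earliest signal, since it arrives before the token transfer it pays for.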
As assets currently remain in the drainer wallets, there may be some hope for Mixin’s request for funds to be returned (with a $20M bounty), though the swapping of USDT to DAI is not a good sign.
If it does turn out to be Lazarus, the funds will soon be getting a good Mixin’…
By blaming a third party, as Nansen also did on Friday, Mixin is attempting to hide from one of crypto’s most important tenets: accountability.
Using a web2 service provider for sensitive on-chain data goes against everything about the origins of this industry.
But that's the point.
This was a hack, not an exploit.
Yet another case of legacy infrastructure failing, yet another reason to be working towards a more secure future…
As the darkest days of bear market apathy grind on, it becomes ever-harder to stay motivated.
But for those building genuine, robust protocols for a future true to crypto’s original ideals, remember:
decentralization doesnt matter
until it really really does
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.