Stake - REKT

They say the house always wins.

Not in crypto.

On-chain casino Stake lost over $41M from its hot wallets yesterday.

Suspicious transactions were initially flagged by Cyvers, with losses on mainnet of around $16M. Then came another round of transactions, with a further $25.6M lost on BSC and Polygon.

The platform took four and a half hours (or just three, according to Stake themselves) to publish an acknowledgment, despite managing to put out a tone-deaf promo tweet in the meantime.

However, the announcement fails to mention the transactions on Polygon, or address reports that user withdrawals are currently suspended.

After another four hours, the team tweeted again, informing users that deposits and withdrawals had resumed.

Surely $41M must be a drop in the ocean for Stake, with co-founder Bijan Tehrani earlier stating that there would be no impact on customer funds.

So why the delay, and the omissions, in official comms?

Credit: tayvano, PeckShield

Given that the transactions, which began at 12:48 UTC, were simple transfers, it appears that the private keys of Stake's hot wallets had been compromised.

The funds were drained as native tokens (6k ETH, 3M MATIC and 12k BNB, totalling $14M), a total of $22.3M in stablecoins, plus $650k of SHIB and $3.25M of Binance-pegged ETH.

Stake’s hot wallet addresses (on Ethereum, Polygon and BSC) are showing no transfers since approximately 3 hours after the draining, suggesting that users are indeed currently unable to withdraw.

Funds were drained into the following hacker addresses:

ETH: 0x3130662aece32f05753d00a7b95c0444150bcd3c

MATIC: 0xfe3f568d58919b14aff72bd3f14e6f55bec6c4e0

BSC: 0x4464e91002c63a623a8a218bd5dd1f041b61ec04

Any non-native assets were then swapped to native tokens and distributed to other addresses, see the full list here, and mainnet fund-flow diagram here.

Backed by Drake, and relentlessly shilled by Bitboy, Stake has grown by appealing to a largely normie audience.

And for washing scammers’ loot, of course… just like a real casino.

Rollbit may have been making more noise recently thanks to its pumping token, but Stake is clearly doing just fine, making enough to buy a $28M mansion last year.

Aussie crypto founders certainly know how to cash out.

But with Stake’s main fanboy Bitboy out of the picture so recently, the timing certainly seems coincidental.

Then again, anyone trading shitcoins via Metamask is probably not the type to pull off a multimillion dollar hack...

Stake may be a casino but, ultimately, this story is the same as a large number of CEX hacks we've covered over the last few years.

DeFi might have a reputation for incidents of this size, and looking at the leaderboard it'd be hard to argue that it was undeserved.

But centralised platforms should be held to a higher standard.

DeFi protocols are open books, where permissions, privileges, and source code are published so users can DYOR.

Where are CeFi's disclosures of who has access to private keys within their systems? Some may argue that this would pose a risk of individuals being targeted for phishing campaigns (or worse).

So should they overhaul their entire infrastructure?

Tens of millions held in hot wallets behind a single set of private keys...

How many more ‘coincidences’ can we take?

share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C


REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.