Briefing of the hack on May 14, 2021

Review

  1. On May 14, 2021 at 10:00:45 UTC, the QIAN community and dev team noticed that the data on the QIAN V2 page was abnormal. After technical investigation, we found that the assets in the main contract, Vault, had decreased significantly. Further investigation revealed several abnormally large USDT, BUSD and BNB buybacks.

  2. After the attack, the QIAN dev team immediately stopped the global functions of the QSD platform: QSD minting, redemption, buyback, recollateralization, DBQ, and KBT to KUN exchange have all been stopped. The staking/farming function is operating normally.

  3. Technical analysis showed that the onlyOwner permission check was omitted from the Vault.updateCollateralToken function of the QIAN V2 contract. The attacker called this function directly to change the oracle source of the BUSD, USDT, BNB and CAKE collaterals to the attacker's own oracle address, then used the Vault.buyback function to drain a large amount of collateral in exchange for a small amount of KUN tokens.

  4. The attacker's account is 0x858ecda64afaaa0241f9ae1aa932b3a6e41c0406.
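The defect described in point 3 is a missing access-control modifier on a configuration setter, and the reason it was so costly is that the setter controls the price source the buyback path trusts. The following Solidity contract is an added illustration of that bug class and its fix; it is not the QIAN V2 Vault source. The contract layout, the IPriceOracle interface, the KUN_PRICE_USD constant, the CollateralUpdated event and the payout formula are all assumptions made for this example; only the function names updateCollateralToken and buyback come from the briefing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the access-control bug class described above.
// This is NOT the QIAN V2 Vault source; everything except the names
// updateCollateralToken and buyback is assumed for the example.

interface IPriceOracle {
    // USD price of one whole collateral token, scaled by 1e18 (assumed interface).
    function getPrice(address token) external view returns (uint256);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract Vault {
    struct CollateralToken {
        address oracle;   // price source consulted by buyback()
        bool enabled;
    }

    address public owner;
    IERC20 public immutable kun;                  // token the buyer pays with
    uint256 public constant KUN_PRICE_USD = 1e18; // assumed fixed KUN price for illustration
    mapping(address => CollateralToken) public collaterals;

    // Emitted on every config change so off-chain monitoring can alert on
    // an oracle address that is not on the operator's approved list.
    event CollateralUpdated(address indexed token, address indexed oracle, bool enabled, address indexed by);

    modifier onlyOwner() {
        require(msg.sender == owner, "Vault: caller is not the owner");
        _;
    }

    constructor(IERC20 _kun) {
        owner = msg.sender;
        kun = _kun;
    }

    // VULNERABLE form (the defect the briefing describes): no access control,
    // so any account can point a collateral at an oracle it controls.
    //
    //   function updateCollateralToken(address token, address oracle, bool enabled) external {
    //       collaterals[token] = CollateralToken(oracle, enabled);
    //   }

    // HARDENED form: the same function restricted to the owner, with a
    // non-zero oracle check and an event for off-chain alerting.
    function updateCollateralToken(address token, address oracle, bool enabled)
        external
        onlyOwner
    {
        require(oracle != address(0), "Vault: zero oracle");
        collaterals[token] = CollateralToken(oracle, enabled);
        emit CollateralUpdated(token, oracle, enabled, msg.sender);
    }

    // Buyback: caller pays KUN and receives collateral valued at the oracle price.
    // payout = kunAmount * KUN_PRICE_USD / collateralPrice, so an oracle that
    // reports an artificially low collateral price lets a small KUN amount
    // withdraw a large share of the vault. That dependency is why the oracle
    // address must only be changeable by the owner.
    function buyback(address token, uint256 kunAmount) external returns (uint256 payout) {
        CollateralToken memory c = collaterals[token];
        require(c.enabled, "Vault: collateral disabled");
        uint256 price = IPriceOracle(c.oracle).getPrice(token);
        require(price > 0, "Vault: bad price");
        payout = (kunAmount * KUN_PRICE_USD) / price;
        require(kun.transferFrom(msg.sender, address(this), kunAmount), "Vault: KUN transfer failed");
        require(IERC20(token).transfer(msg.sender, payout), "Vault: collateral transfer failed");
    }
}
```

Two practitioner notes on the hardened form. First, onlyOwner is the minimum: a setter that can redirect a price feed is a good candidate for a timelock or multisig owner, so that a pending oracle change is visible on-chain before it takes effect. Second, the CollateralUpdated event gives a monitor something concrete to watch; an alert on any update whose oracle is outside an allowlist of known feeds would have fired on the first step of the sequence the briefing describes, before the buyback calls drained the collateral.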

Losses

The QIAN V2 project suffered the following losses in this attack.

  • 740,280.92 BUSD + 35,625.91 BUSD = 775,906.83 BUSD

  • 65,537.2 USDT + 3,109 USDT = 68,646.2 USDT

  • 101.779 BNB + 5.07 BNB = 106.84 BNB

The stolen crypto assets were worth approximately 908,657 USD in total, all of which have since been transferred and laundered by the attacker via the renVM cross-chain service and the Tornado.cash mixer.

Reaction

The system currently lacks collateral assets, and the QIAN development team is taking the following steps to recover the system, restore it to health and keep it running:

  1. Set the recollateralization bonus to 1.5%;

  2. Cancel current limit condition of KBT to KUN exchange;

  3. Activate all system functions after the security team CertiK completes the emergency code audit of QIAN V2.

In the short term, these measures may have some impact on the platform's operations; however, as long as the project is recovered and keeps running, we believe the value of QIAN V2 will return within a short period.

Follow-ups

We strongly condemn this attack. The hacker's attack is a typical Internet crime, which caused heavy losses to the system. We will unite our community forces to track the flow of the stolen funds and try to locate the identity of the attacker. The QIAN team will try all methods to recover the stolen funds. There has now been some progress in identifying the attacker. If the attacker sees this announcement, please contact us promptly and return the stolen funds.

The system is currently in a global lockdown; our code repo is under a second round of auditing by CertiK and will go back online once the audit is completed. The community developers will invite more professional security audit teams to conduct cross audits and release the audit reports promptly to ensure the stability and security of the whole QIAN V2 system.

I am following up on this subject.