Review
- On May 14, 2021 10:00:45 AM +UTC, the QIAN community and dev team noticed that the data on the QIAN V2 page was abnormal. After technical investigation, we found that the assets in the main contract Vault had decreased significantly. Further investigation revealed several abnormally large USDT, BUSD and BNB buybacks.
- After the attack, the QIAN dev team immediately stopped the global functions of the QSD platform: QSD minting, redemption, buyback, recollateralization, DBQ, and KBT to KUN exchange have all been stopped. The staking farming function is operating normally.
- After technical analysis, the onlyOwner permission check was found to be omitted from the Vault.updateCollateralToken function of the QIAN V2 contract. The attacker directly called this function to change the oracle source of the BUSD, USDT, BNB and CAKE collaterals to the attacker's own oracle address, and then used the Vault.buyback function to drain a large amount of collateral with a small amount of KUN tokens.
- The attacker's account is 0x858ecda64afaaa0241f9ae1aa932b3a6e41c0406.
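The root cause described above is a privileged setter that shipped without its access-control modifier. The contract below is an added illustration written for this write-up; it is not QIAN's code, and the contract, interface, function and event names (VaultExample, IPriceOracle, updateCollateralTokenVulnerable, CollateralOracleUpdated) are assumptions. It places the vulnerable shape of the setter next to a hardened one so the missing check is visible in one place.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the QIAN V2 source. Names are hypothetical; only the
// pattern (an oracle setter missing onlyOwner) mirrors the incident above.

interface IPriceOracle {
    function latestPrice() external view returns (uint256);
}

contract VaultExample {
    address public owner;

    // collateral token => oracle that prices it for buyback/redemption
    mapping(address => IPriceOracle) public collateralOracle;

    event CollateralOracleUpdated(address indexed token, address indexed oracle);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // VULNERABLE SHAPE: no modifier, so any account can repoint the oracle
    // for a collateral to an address it controls. Every path that prices
    // collateral through this mapping (such as a buyback) then trusts the
    // caller's numbers instead of a real market price.
    function updateCollateralTokenVulnerable(address token, address oracle) external {
        collateralOracle[token] = IPriceOracle(oracle);
        emit CollateralOracleUpdated(token, oracle);
    }

    // HARDENED: the onlyOwner check restored, plus sanity checks that the
    // new oracle is a deployed contract that actually answers a price query.
    function updateCollateralToken(address token, address oracle) external onlyOwner {
        require(token != address(0) && oracle != address(0), "zero address");
        require(oracle.code.length > 0, "oracle is not a contract");
        require(IPriceOracle(oracle).latestPrice() > 0, "oracle returns no price");
        collateralOracle[token] = IPriceOracle(oracle);
        emit CollateralOracleUpdated(token, oracle);
    }
}
```

A useful review habit that would have caught this class of bug: list every external or public function that is not view or pure and confirm each one either is meant to be callable by anyone or carries an access-control modifier; an oracle or collateral configuration setter with no modifier should never pass review. Emitting an event on every configuration change, as both setters above do, also gives monitoring a concrete signal: an unexpected CollateralOracleUpdated from a non-owner address is exactly the anomaly the team describes noticing only after the collateral had already left the Vault.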
Losses
The QIAN V2 project suffered the following losses in this attack:
- 740,280.92 BUSD + 35,625.91 BUSD = 775,906.83 BUSD
- 65,537.2 USDT + 3,109 USDT = 68,646.2 USDT
- 101.779 BNB + 5.07 BNB = 106.84 BNB
Total crypto assets worth approximately 908,657 USD, all of which have now been transferred and laundered by the attacker via the renVM cross-chain service and the Tornado.cash mixer.
Reaction
The system currently lacks collateral assets, and the QIAN development team is taking the following steps to recover the system, restore it to health and keep it running:
- Set the recollateralization bonus to 1.5%;
- Cancel the current limit condition on KBT to KUN exchange;
- Activate all system functions after the security team CertiK completes the emergency code audit of QIAN V2.
In the short term, these measures may have some impact on the platform's operations; however, as long as the project recovers and keeps running, we believe the value of QIAN V2 will return within a short period.
Follow-ups
We strongly condemn this attack. The hacker's attack is a typical Internet crime, which has caused heavy losses to the system. We will unite our community forces to track the flow of the stolen funds and try to identify the attacker. The QIAN team will try all methods to recover the stolen funds. There has already been some progress in identifying the attacker. If the attacker sees this announcement, please contact us promptly and return the stolen funds.
The system is currently in a global lockdown; our code repo is under a second-round audit by CertiK and will be back online once the audit is completed. The community developers will invite more professional security audit teams to conduct cross-audits and will release the audit reports in a timely manner to ensure the stability and security of the whole QIAN V2 system.