Report on the KUN Mining Contract Attack

Dear QIAN Community members,

In response to last weekend's KUN mining contract attack, QIAN protocol initiator David Lei reported the following:

Late on the night of Nov. 8, 2020, David received feedback from the community about "an abnormal decrease in revenue from QUSD minting mining". On the morning of November 9, David commissioned QIAN community developers to investigate the cause. After troubleshooting, it was found that there is a problem with the permission setting of an internal calling interface of the KUN token mining contract, which was manually constructed and called by an attacker. The attacker falsely constructed a large number of mining weights on the vast majority of the KUN token mined, and thus improperly obtained the mining reward for most of the corresponding KUN tokens on November 8. This permissions vulnerability was exploited by the attackers, resulting in KUN token mining being influenced in both the ETH and BSC networks.

The current result is that the code vulnerability has been fixed in both the ETH and BSC environments, and the attacker's address has been placed on the blacklist for the KUN contract.

Incident impact: the attacker improperly obtained inflated revenue (approximately 8,000 KUN) from the minting mining by QIAN in the ETH environment on November 7, 2020. The attacker then exchanged 25,000 QUSD via Balancer, then USDC via S.Finance, and finally 55 ETH via Uniswap.

The illegitimate gains made by the attackers on BSC have not yet been withdrawn, and the KUN transfer privileges of the attacker's address has been frozen on the BSC chain.

As for the minting mining, the mining data has now been restored to normal values and the rewards have been displayed normally and can be withdrawn.

In addition, the attacker has deposited the improperly gained ETH to the Binance Exchange, and one enthusiastic member of the QIAN community has contacted Binance, which will assist the QIAN community to freeze and blacklist the attacker's address, we would like to thank Binance for their great support!

The QIAN community's important work on the follow-up to this hacking attack is as follows.

  1. David attempted to contact the attacker by means of a message attached to an Ethereum transfer to request the return of the attack gains. The attacker's address in the BSC chain had a transaction to withdraw BNB via Binance, and after Binance's investigation, the corresponding Binance account did not perform KYC, the attacker's address is as follows: 0x35d16cdedd9fb9eeeb074e510bad322322f26e64918.
    Community members who know the identity of the address holder could contact us through [email protected], and the QIAN governance committees will reward community members according to Bug Bounty reward levels based on the availability of the information they provide. We also inform the attacker here, the intelligence and skills should be respected, and if the attacker returns the gains, he or she will be rewarded with the highest level of the Bug Bounty Program, and the attackers will be recognized by the QIAN community members on his or her skills. However, if the attacker refuses to return the illegitimate gains, the QIAN community members will begin to investigate the identity of the attacker and reserves the right to take follow-up action.

  2. QIAN will soon launch the governance voting function, QIAN community members will be given the right to govern the project, you can use KUN tokens in Ethereum and BSC networks for token locking and participate in the QIP initiation, voting, and other governance processes.

  3. For users whose earnings were affected during the hack, David will delegate the community developers to airdrop the KUN tokens that should be allocated to the normal mining users.

  4. the KUN mining contract passed the YFII community audit before launch, unfortunately, the attack still happened after the community audit. Next, the developers of the QIAN protocol will invite professional security auditors to conduct a second round audit on the KUN mining smart contracts code, and timely release the audit report to ensure the stability and security of the main contract and mining contract.

David Lei

QIAN stablecoin protocol community initiator