Phantasma has been attacked – and is still standing tall!

The Incident – A Targeted Attack

On April 28th, a second attack perpetrated by the same entity responsible for the April 2nd BSC exploit took place on the Phantasma mainnet. The attack appears to have been timed to coincide with the “All clear” announcement after the previous attack. There is a transactional link connecting the BSC attacker to the current attack:

Within 20 minutes of having announced that migration of tokens to new token contracts on BSC and Ethereum was live, the attacker minted 10M SOUL through a code exploit. Of this, 4M SOUL was swapped to the Neo blockchain (see appendix for details). 1,293,586 SOUL was distributed to a total of 17 different Kucoin deposit addresses and immediately sold, while the remaining 2,706,414 SOUL is stored in a private wallet on Neo. It’s important to note that, during this attack, no token holder’s wallets were compromised and no token holder’s funds were stolen.

Initial Mitigation

Disabling Cross-chain swaps and entering read-only

Being on high alert after recent events and monitoring on-chain and cross-chain activity, the incident was swiftly detected, and within approximately 10 minutes of the malicious exploit all Phantasma nodes had entered read-only mode while cross-chain swaps had been disabled, ensuring that the attacker could not move additional funds. 

Centralized Exchanges

At the same time, our Security Response Team reached out to all centralized exchanges (Kucoin, Gate, Hotbit, Bitbns, BKEX, Coinspot) to halt deposits of SOUL providing the exchanges with proof of the exploit and a complete list of associated wallet addresses for the exchanges to enable them to immediately suspend the associated user accounts. 

Amount Sold

By the time all exchanges had cooperated and closed deposits, the mentioned 1,293,586 SOUL had been sold through a multitude of separate Kucoin accounts. All 17 addresses used by the attacker to offload exploit tokens have had their associated user accounts frozen by Kucoin.

Law Enforcement

A police report with evidence of the exploit has been filed, and our long standing relationship with Kucoin has ensured that Kucoin fully cooperates to ensure that the attacker cannot withdraw any ill-gotten gains that had not already been removed from the exchange prior to the user accounts being frozen. Considering the dual attacks executed by a single entity, and the timing of the second attack to take place near immediately after the resolution of the first, there is every reason to believe that the attacker’s motive is to attempt to cause maximum damage to Phantasma’s reputation. Whether this is due to feeling threatened by Phantasma’s capabilities and potential in the blockchain technology sector – or if the attacker simply thrives on causing disruption – remains under investigation. We are cautiously optimistic that, based on the bread crumbs that have been left behind, we will be able to identify the persons behind the attacks. We are closely working with forensic experts, exchanges, and law enforcement agencies to close the net. If anyone provides material information to the team which results in bringing the perpetrators to justice, they will receive 50,000 SOUL (one Soul Master) as a reward. Please contact [email protected] if you have any information that might be of importance. If you wish, you can remain anonymous.

We ask all our valued community members and token holders to stay alert in our social channels and to notify our community admins if you experience newcomers or members with a suspicious posting history attempting to fuel tension and sow discord.  Also, please be vigilant and be aware that there are many scammers trying to prey on community members by DM’ing (admins will never DM first), creating false Telegram channels and other fake social media accounts.

Battle plan

The Vulnerability

The vulnerability was identified within 30 minutes by analyzing the malicious transactions and has been fully remedied. 

Auditing

Additional external auditors and blockchain experts have been engaged and have joined the forensic analysis of the Phantasma codebase to conduct a full audit.

Phantasma aims to ensure that there are no other vulnerabilities present in the codebase, and if there are, to ensure that they are identified, evaluated, and remedied. 

We aim to render the attacker powerless and prove that Phantasma and its community stand together in the face of adversity. Challenges make us stronger, and this attack is part of the battle testing that enables Phantasma to evolve and provide a hardened, secure network for the dApps and games being developed on our platform.

Neo based SOUL

There will be a new token contract deployed on Neo, with distribution of new SOUL to token holders. This will render the attacker’s remaining funds on Neo worthless.

Tracking

The team will continue to analyze transaction data on multiple chains. In the event provable connections to exchange wallets can be found, these will be supplied to law enforcement and exchanges to aid in identifying the attacker.

Law Enforcement

Phantasma has already supplied law enforcement with all current information about the attack, and will continue to do so as new evidence emerges.

Kucoin’s Suspended Accounts

We remain in close communication with Kucoin, and will proceed to retrieve any funds present in the attacker’s 17 accounts through due process.

Centralized Exchanges

As all centralized exchanges have complied with Phantasma’s request to suspend deposits, no more exploit tokens can reach these exchanges. Thus, there is no need to suspend trading and it will remain open.

The Attacker’s Remaining Funds

As the remaining 2,706,414 SOUL in the attacker’s wallet is landlocked on Neo with no exchange available to deposit to, there is no risk attached to these funds and they are for all intents and purposes already neutralized. Through the audit and following code changes the attacker’s remaining funds on the Phantasma mainnet will likewise be neutralized.

Binance Smart Chain and Ethereum

The migration process to new token contracts on Ethereum and Binance Smart Chain remains open, as well as trading on decentralized exchanges.

Cross-chain Swaps

With the Phantasma nodes in read-only during code auditing and mitigation of the incident, cross-chain swaps will remain disabled.

Closing Remarks

While the recent incidents are disturbing and upsetting, every entity, whether it be a person, business or government, is vulnerable to hacks no matter how well protected. Blockchains are no exception to this. A number of blockchains with much larger market caps than Phantasma have been and will be victims of hacks. While protection is the first line of defense, the responsiveness of the team after an attack is what sets Phantasma apart. Where it took others hours and in some instances days to become aware of the attack and take action to mitigate the damage, it took the Security Response Team at Phantasma only 10 minutes to set all Phantasma network nodes to read-only mode and disable cross-chain swaps ensuring that the attacker could not move additional funds. Although attacks are unpredictable, we take security very seriously and pride ourselves on a solid track record which should give our partners and token holders confidence that their affairs are in good hands. We will remain transparent and communicative as the mitigation process unfolds. Rest assured that we are treating this matter with the utmost seriousness and that all necessary steps will be taken to ensure a full resolution enabling Phantasma to reach its full potential.

Your Phantasma Team

Appendix: The token trail from exploit to Kucoin.

  1. Tokens were minted by unauthorised address:
    10M SOUL: https://explorer.phantasma.info/tx/6678EEEEA5E47FADD9CD1DCACAED9D27C0A728771C1D12B97FB463E95EF25AE7
    10M GAS: https://explorer.phantasma.info/tx/AFFA14BB8D6781E7471D1C2F6202F75AE792793C7E3D044921408B37DB61C1F0
  2. Transfer of funds: Transfer 1M SOUL out through a cross chain swap to Neo https://explorer.phantasma.info/tx/37EF62D4C7FFB1237535C08518552ECB727B36D8A36844348EF278B44DD36F9F Settlement transaction: https://explorer.phantasma.info/tx/297906BBC3C50832956B5C672E3C5BDE0467FC192D1955BBCED16C3E7D2EF28F
  3. Transfer 3M SOUL out through a cross chain swap to Neo: https://explorer.phantasma.info/tx/C91276B4062D3DC22678E2ACC922EF495E098051FF4AEAF6A763EF667FD498E8 Settlement Transaction: https://explorer.phantasma.info/tx/F9D0F75F88E987D6921C8DD2D7F2D8C2A8130F48618D5FB9C415E02CD4FD705D
    Arrival of 1M SOUL on Neo: https://neotube.io/transaction/0x6f6be5f3831ceb3be2ea21c030bf122c4db825a9e7e629654a89d413aa8beef6
    Arrival of 3M SOUL on Neo:
    https://neotube.io/transaction/0xe5b4e247eff5a59171edb0e8ce168c27c4af995d2272cde3946d6515f7f232a3
  4. Transfer to Kucoin Exchange :

60k SOUL: https://neotube.io/transaction/0x1a3f1a4860f0f833f961d914c09cd8d12b16709881594791f3dca99d95430a32

70k SOUL: https://neotube.io/transaction/0x4799738e5cca5ecb6d9b0e8357110d06725bdbdd6ba790c2e133c4b9dbd9e138

60k SOUL: https://neotube.io/transaction/0x2d9a23e16460107c9a845174b8344e3b4c13aa5cfa484fd0505a3d5b45b56f4d

80k SOUL: https://neotube.io/transaction/0xbff130ff8a85e72d4d5e290675dcbebc5175ec2a7958d91f5dfc5dd49d866c8d

80k SOUL: https://neotube.io/transaction/0xb3f1f2b74de45f34d26e628f6b6907710005712cee290a6e057fda964a3b4f1b

80k SOUL: https://neotube.io/transaction/0x58a2f13f7a21396efedacdc3d68000aea9cce3f88a8ef586826089b76f33e31b

66.666k SOUL: https://neotube.io/transaction/0x8b4e4fdc6cdc72eaea90eef4e61a5eeec7f5b6571090000d2c96ad8da2157105

71.231k SOUL: https://neotube.io/transaction/0x3ea7652be3cb5c351034b751d6b345a7b080326017c1bb54e0dd49067301fba9

80k SOUL: https://neotube.io/transaction/0xe0042705b3c3d4b4f5866c23dd2f0734992545e7ef121c1cd4c55b9bb30d9aee

68.686k SOUL: https://neotube.io/transaction/0x5661ccbc39d2e7d334118a1d331bf9499fb395465f5488fd514e22e2462e5571

Transfer of remainder (3.283414M SOUL) to a different wallet -> AWExE5E3rbMoN1kdxoqGoxeDjor5m5gGc2: https://neotube.io/transaction/0x228c4297aed4384e0c111512650a90bfd8a4fd0136644c8e4dea1a3a7305d8f1

Transfer from second wallet to Exchange:

80k SOUL: https://neotube.io/transaction/0xb5d58f223bc793a1d762ab016af76551357fdb982af1d8017b3830374cf130db

81k SOUL: https://neotube.io/transaction/0x04876774336173ed4879f7319fb23da33e2bd02a337be41e42c60adb9f5d9157

100k SOUL: https://neotube.io/transaction/0xd9063b9230cfc5dac3a88a7df8334501538e28552881133093a8d8fe48cad155

68k SOUL: https://neotube.io/transaction/0x1e167f897534968a7dee4b7b2ca948ad2786ab9ef7b9b6b10b4a045f9986b994

81k SOUL: https://neotube.io/transaction/0x271aa15d8b01824a97d5cae24eb4cbfa6101459172ca49b0f5a1ff57b2f46f58

82k SOUL: https://neotube.io/transaction/0xb4fc1fefbc5eb3702792b5f1e7265fcdf43a7a7712faabbe39f8a9d024c3091b

85k SOUL: https://neotube.io/transaction/0x32f6a224892197a96a09bc5ccfbf1862ee437f660e64f1db8cdff5ed6f19e959

As of now AWExE5E3rbMoN1kdxoqGoxeDjor5m5gGc2 still holds 2,596,314 SOUL.