CertiK dissects the Axion Network incident and subsequent price crash

Published at: Nov. 2, 2020

On Nov. 2, the Axion Network launched its new token, known as AXN. The project touted the asset as a new investment vehicle, claiming that it would be the most profitable blockchain of its kind to date. In the lead-up to AXN’s airdrop, five separate teams allegedly examined the token’s code; industry darlings such as CertiK and Hacken were among those who conducted the audits.

A few hours after the protocol’s free-claim event, however, it became clear that something had gone awry. An unauthorized actor unexpectedly minted 79 billion AXN and unloaded them on the market. The price collapsed by more than 99%, and the attacker walked away with roughly 1,300 ETH, worth an estimated $500,000 at the time of publication.

In the hours that followed, the team behind the Axion project urged participants not to trade or interact with the asset, stating via the platform’s official Telegram channel:

“Do not buy AXN right now, do not interact with the dashboard.”

The Axion Network’s Twitter account continued to post updates, including that:

We're still here. All the AXN/HEX2T people were holding at the time of the exploit will be credited. We will launch a liquidity reward portal to build the liquidity back up as well. We are working hard to relaunch AXN as soon as possible.

— Axion (@axion_network) November 2, 2020

Despite these reassurances, CertiK is stepping forward to offer the community a clearer explanation of what it believes went wrong, and insights into how similar attacks could be prevented in future. Cointelegraph reached out via email to “Jack Durden,” who was described to us as the CEO of the Axion Network, but received no immediate response. No team members are listed in the project’s white paper or on the website, and the name “Jack Durden” is shared with the unseen narrator of the movie Fight Club.

Note that the remainder of this article is reproduced word-for-word, courtesy of CertiK, as a public service to educate readers on the audit team’s understanding of what happened. Cointelegraph has not audited the code and the views stated hereafter are therefore exclusively those of CertiK.

CertiK staff report on the Axion price crash

On the 2nd of November 2020 at approximately 11:00 UTC, a hacker managed to mint around 80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract.

The hacker then proceeded to dump the tokens on the AXN Uniswap exchange for Ether, repeating this process until the Uniswap exchange was drained and the token price was driven to 0.

We were informed of the incident within a few minutes of the attack occurring, and our security analysts began assessing the situation immediately.

We have concluded that the attack was likely planned from the inside, involving an injection of malicious code at the time the code was deployed by altering code from OpenZeppelin dependencies.

The exploited function was not part of the audit we conducted, as it was added after Axion’s code was joined with OpenZeppelin’s code via “flattening”, injected within OpenZeppelin’s code prior to deployment.

Planning

The hacker used anonymous funds procured from tornado.cash the day before the hack occurred, hinting at a premeditated attack. Presumably to save some funds in case the attack failed, 2.1 Ether were re-circulated in tornado.cash right after the account received the funds.

To finalize the attack setup, the hacker purchased around 700k HEX2T tokens from the Uniswap exchange. However, these funds were ultimately not part of the attack and served as a smokescreen with regards to how the attack unfolded.

Setup

The hacker began setting up their attack by creating an “empty” stake on the Staking contract of the Axion Network, invoking the stake function with a 0 amount and a 1-day stake duration at approximately 09:00 UTC. This created a Session entry for the attacker with a 0 amount and 0 shares value at session ID 6.

Afterwards, the attacker pre-approved an unlimited amount of AXN to the Uniswap exchange in anticipation of their attack succeeding. Subsequently, they approved the NativeSwap contract of Axion for the amount of funds they intended to convert to AXN tokens.

They invoked the deposit function of the NativeSwap contract at approximately 10:00 UTC; however, the hacker never called the withdraw function of the contract to claim their swapped AXN, as is evident from the NativeSwap contract’s swapTokenBalanceOf function. Afterwards, they made one more failed deposit function call before executing the attack.

Execution

These transactions were merely smokescreens for how the unstake attack was actually carried out. As the transactions that the attacker conducted resulted in no change to the sessionDataOf mapping, we concluded that this was a multi-address attack.

We investigated the source code of the contracts at the GitHub repository that had been shared with us to identify a flaw that would cause the sessionDataOf mapping to be affected.

We were unable to detect any assignments to it or members of it outside the stake functions which prompted us to question whether the deployment of the contracts was conducted properly.

Attack Vector

After analyzing the source code of the deployed Staking contract, we pinpointed a code injection in the AccessControl OpenZeppelin library between L665 and L671 of the deployed source code of the Staking contract. The linked checkRole function is not part of the OpenZeppelin v3.0.1 implementation, which was listed as a dependency in the project’s GitHub repository.

Within the checkRole function, the following assembly block exists:

This particular function allows a specific address to conduct an arbitrary write to the contract based on the input variables it supplements via low-level calls. Annotated, the assembly block would look like this:

This function was injected at deployment as it does not exist in the OpenZeppelin AccessControl implementation, meaning that the members of the Axion Network that were involved with deploying the token acted maliciously.

Conclusion

The attack utilized code that was deliberately injected prior to the protocol’s deployment. This incident bears no relation to the audits conducted by CertiK and the party responsible for the attack was a person that seemed to be involved with the deployment of the Axion Network contracts.

As an additional degree of security, audit reports should standardise to include deployed smart contract addresses whose source code has been verified to be the same as the one that was audited.

The Security Oracle serves as an on-chain relayer of security intelligence, conducting security checks which include the verification of deployed smart contracts to match the audited versions.
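The two findings above, that a function absent from the audited dependency was present in the deployed contract, and that audit reports should pin deployed addresses whose code matches the audited version, both come down to one check: does the bytecode on chain match the bytecode built from the audited source? The following is an added example, written for this article and not code from CertiK, Axion or OpenZeppelin. It strips the solc metadata trailer (which legitimately differs between builds of the same source, so a raw comparison is useless), then diffs the 4-byte function selectors each dispatcher matches on, so that a function added after the audit shows up by name even when the diff is otherwise noisy. The bytecode it runs on is constructed: the prologue and `DUP1 PUSH4 <selector> EQ` pattern mimic a solc dispatcher, `a9059cbb` and `70a08231` are the standard ERC-20 `transfer(address,uint256)` and `balanceOf(address)` selectors, and `deadbeef` is a made-up selector standing in for an injected function. None of it is the Axion Staking contract.

```python
# Added example (not CertiK's, Axion's or OpenZeppelin's code): compare the
# runtime bytecode of a deployed contract with the runtime bytecode built from
# the audited source, ignoring solc's metadata trailer, and report function
# selectors that exist in one dispatcher but not the other.
# All bytecode in this file is constructed for illustration.

PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate). PUSH1..PUSH32 carry 1..32 bytes of
    immediate data that must be skipped or the walk loses sync."""
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield i, op, code[i + 1:i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata solc appends to runtime bytecode. The last two
    bytes are the big-endian length of the CBOR map before them; only strip
    when that map looks like solc metadata (mentions 'ipfs' or 'bzzr')."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    if n + 2 > len(code):
        return code
    blob = code[-(n + 2):-2]
    if blob[:1] in (b"\xa1", b"\xa2") and (b"ipfs" in blob or b"bzzr" in blob):
        return code[:-(n + 2)]
    return code


def selectors(code: bytes) -> set:
    """Collect PUSH4 immediates from metadata-free runtime code. A solc
    dispatcher matches each external function with DUP1 PUSH4 <sel> EQ, so
    these are (heuristically) the selectors; other 4-byte constants will also
    appear, and the optimizer may shorten leading-zero selectors to PUSH3."""
    return {imm.hex() for _, op, imm in disassemble(code) if op == PUSH4}


def _hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def compare_runtime(audited_hex: str, deployed_hex: str) -> dict:
    """Match two runtime bytecodes with metadata removed and diff selectors."""
    audited = strip_metadata(_hex_to_bytes(audited_hex))
    deployed = strip_metadata(_hex_to_bytes(deployed_hex))
    return {
        "identical": audited == deployed,
        "extra_selectors": sorted(selectors(deployed) - selectors(audited)),
        "missing_selectors": sorted(selectors(audited) - selectors(deployed)),
    }


# ---- constructed sample bytecode (assumption: not the Axion contracts) ------

def build_dispatcher(selector_hexes) -> bytes:
    """Minimal solc-style prologue plus DUP1 PUSH4 <sel> EQ per function."""
    code = bytes.fromhex("6080604052")       # PUSH1 0x80 PUSH1 0x40 MSTORE
    code += bytes.fromhex("60003560e01c")    # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    for sel in selector_hexes:
        code += b"\x80" + bytes([PUSH4]) + bytes.fromhex(sel) + b"\x14"
    return code


def build_metadata(ipfs_digest: bytes) -> bytes:
    """solc-style trailer: CBOR {ipfs: <34-byte multihash>, solc: <3 bytes>}
    plus its 2-byte length. The digest changes per build, which is why raw
    bytecode comparison fails even for identical source."""
    assert len(ipfs_digest) == 32
    blob = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43" + b"\x00\x06\x0c")
    return blob + len(blob).to_bytes(2, "big")


# transfer(address,uint256) and balanceOf(address) are standard ERC-20
# selectors; "deadbeef" stands in for a function that was not in the audit.
AUDITED_SELECTORS = ["a9059cbb", "70a08231"]
AUDITED_RUNTIME = build_dispatcher(AUDITED_SELECTORS) + build_metadata(b"\x11" * 32)
REBUILT_RUNTIME = build_dispatcher(AUDITED_SELECTORS) + build_metadata(b"\x22" * 32)
DEPLOYED_RUNTIME = (build_dispatcher(AUDITED_SELECTORS + ["deadbeef"])
                    + build_metadata(b"\x33" * 32))

if __name__ == "__main__":
    print("rebuild  vs audit:", compare_runtime(AUDITED_RUNTIME.hex(), REBUILT_RUNTIME.hex()))
    print("deployed vs audit:", compare_runtime(AUDITED_RUNTIME.hex(), DEPLOYED_RUNTIME.hex()))
```

In practice `audited_hex` comes from compiling the audited commit with the same solc version and settings, and `deployed_hex` from `eth_getCode` on the address the report names. A rebuild of identical source reports `identical: True` once the metadata is stripped; the constructed "deployed" code reports `identical: False` with `deadbeef` as an extra selector, which is exactly the kind of signal that a flattened file carrying an injected function would have produced before launch.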
