Hello, r/CryptoCurrency subreddit.
First of all a little backstory:
I invested a small amount in the Bezant ICO back when ICOs were a popular thing. It seemed to me back then like a good solid project with a strong team and all that. Then the ICO bubble burst and Bezant took a nosedive price-wise, so it's currently sitting at a 96% loss. But it was my own choice and the amount was not that huge for me, so no complaints here.
It was and still is an ERC-20 token. Not too long ago (Summer 2019) they introduced the BEP-2 version of their token to get listed on Binance DEX. They listed there and then held this very limited token swap event in which you could swap the ERC-20 tokens to the BEP-2 version. This swap event lasted minutes before the limit was reached. All went well, the price PnD'ed on the DEX and life moved on.
Then on the 31st of January 2020 they announced that they were opening the swap service again (this time for everyone and in both directions). And on the 3rd of February they opened it up.
Then the next day (on the 4th of February) we get this note on the Official Bezant Announcement Channel on Telegram:
[Important Announcement] Temporary suspension of Bezant Token Swap Service
There was a hacking attack during the swap service operation, and there was a situation in which Bezant tokens were moved to a specific address.
Bezant dev team acted immediately after the attack and prevented the tokens from moving further.
Accordingly, the service is temporarily suspended to protect the assets of token holders. We will resume the service as soon as further security measures are taken.
We will provide an announcement once the service reopens.
<Summary>
- Hacking attack occurred on the ERC-20 wallet being used by the Bezant team to operate the swap service
- 35,488,558 BZNT of the customers' assets in the Wallet were transferred to a specific address
- Hacking Attack Time: 2020-02-03 15:20:32 (UTC)
- Actions taken: Bezant dev team locked the address the tokens were transferred to in order to prevent further movement
<Further Actions>
- The Bezant team will permanently lock the wallet that has received the customer assets from the hacking and burns the tokens.
- We are planning to operate the token swap service using tokens from the Bezant Foundation reserves equal to the amount of customers' assets burned.
Sorry for any inconvenience in using the service.
Bezant Team
As you can see, there was a hack. But I've noticed some inconsistencies in the claim here. How could they manage to lock the hacker's funds on the ETH blockchain? When I pointed out the inconsistencies in the team's claim right after the hack on the main Bezant Telegram chat, I was banned there.
Out of curiosity I asked the admin what the reason for the ban was.
Here is the transcript of the first convo with Adam the Admin:
Adam the Bezant Chat Admin answering my questions regarding the ban
I was concerned and wanted to check if my claims were correct or not, so I started digging through the blockchain to see this for myself.
Here is the part where I present many links to the ETH tracker. For TL;DR read the quoted sections.
Here is their swap wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x96dcbc8481b7f7b1871d3b6bef62417aad40d48d
They set it up on Jan-29-2020 04:38:32 PM +UTC and beef it up with funds:
Here is the initial TX going to that wallet: https://etherscan.io/tx/0xb4cd7c69819e777e413f2747b372049e30b122a93f12050b92356d85e43eef64
They likely test their services on Jan-29-2020 04:41:27 PM +UTC as there are two outgoing TXs involving BZNT: https://etherscan.io/tx/0xa73fdf275dafca3d4fb0b4e8eab8d4362fbc767c96af5c617b40ee816b068932 and https://etherscan.io/tx/0xd355c5b215be812052b37cc27724a6819248be5c6ec0f0d7d832098713e24894
On Jan-30-2020 01:35:43 AM +UTC this TX happens: https://etherscan.io/tx/0x683dfea24b2cdb3b26c3822aac22d2f78d8d96ead1367c8341671a00efb39d36 (which goes to Bithumb's user wallet and then Bithumb 6)
N.B.:
This is strange. Because two other testing TXs were directed to the regular wallets and not Bithumb's.
Plus this wallet has a very strange activity to it: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x1296b263f130612b910e84a393f845e9157815b7 and https://etherscan.io/address/0x1296b263f130612b910e84a393f845e9157815b7
Previous BZNT transfer was on Oct-08-2019 02:07:23 PM +UTC (more than 120 days ago)
And that's it! NO OUTGOING TXs until the token swap occurs and service opens!
So from Jan-30 to Feb-02 the wallet was NOT tested. But the incoming TXs are still there beefing up the wallet.
N.B.:
This is not good. They were testing the wallet 3 times only (one is likely malicious). Given the circumstances and the possibility of the team not being very big, there is no security expert to check the code for malicious activity and/or injected services.
Then on Feb-02-2020 04:10:11 PM +UTC, the day before the main event this TX occurs: https://etherscan.io/tx/0x829a264ebeddb00ee92f2255be369c9d0bd494831761e6afcf6553e124681a28
It goes to the regular wallet (likely the final testing TX before the swap opens up).
Now watch the hands:
As soon as the swap service opens we see 3 TXs going to Bithumb's User wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x120f8edf3d6c360e725691e2d992ca871f62d331
All of them are here:
- Feb-03-2020 10:08:01 AM +UTC - https://etherscan.io/tx/0xe0446f142758630328d88579c751e550bee3d1909169889e4ddc8ff080e22f39
- Feb-03-2020 10:19:15 AM +UTC - https://etherscan.io/tx/0x35ed1f813ec3ba82a2e1961bb6c0414d0cd2f135d673e097d1fa2c28686a9d4b
- Feb-03-2020 10:34:59 AM +UTC - https://etherscan.io/tx/0x42a7b42137caccb03d6dda9076089cca695f5b05cd80d4153aae670603ab1744
They are all within the limit of 100,000 Bezant tokens per submission
Then this TX interrupts our 0x120f…331 wallet: https://etherscan.io/tx/0xc25b6f95aedf9530440334b49241f34d048c48051756730fa445914ed898a538
Funds go to this wallet (likely the exchange, given the pattern of TXs): https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0xadd60c0888194986c2dad79a0ca178299002b573
Then 0x120f…331 is at it again, making 3 TXs:
- Feb-03-2020 10:50:28 AM +UTC - https://etherscan.io/tx/0x0658e68e0377cbc9cf0fe3d3f7ad8b6c11907adeeb2d59bbd12eccc6ff2527a6
- Feb-03-2020 10:58:48 AM +UTC - https://etherscan.io/tx/0xc8bd238c3f390dad8fbc255ab217a186425b2dd5d32c3c926250a88ad60eaa23
- Feb-03-2020 11:08:29 AM +UTC - https://etherscan.io/tx/0x6c085ffdb081131ee378274a2cda7f3e177f9d5943773c6311f9eb1f18e8e694
Then this TX: https://etherscan.io/tx/0xa475bccead3b6daa462ee995a8ee10082ae3406e8b9ddc0438cf8e57bb560266
It goes to another Bithumb's wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x05c1c8ba251930c373729b31d9d0b29d76cb1c0b
Then this TX: https://etherscan.io/tx/0x8f1afc08a6e84730936905fbbffdf48413cee731b265197b653301162a2626a3
It goes to this wallet (once again, likely the exchange): https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0xadd60c0888194986c2dad79a0ca178299002b573
Now look at the next 2 TXs from 0x33a…e77: https://etherscan.io/tx/0x87493da1adfd504b8b1b8cd39ebe5a620ce9fff10b3a392b4cdd676e93e9a6b4 and https://etherscan.io/tx/0x54c664168937df66d4f454eb8d6907423e89ae4e93e441ef90fbf4c6c95a3dea
The wallet was another Bithumb user's: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x33a12b4945eba2bb59f61953cb4c00c9325e7e77
Then after this TX occurs, the "hack" happens.
TX of the hack: https://etherscan.io/tx/0xc362fb3c1974ccabbbf65dd7aaf31867d8d96d684a14047316ef3bbbb5b29ab0
Timestamp: Feb-03-2020 03:20:32 PM +UTC
According to very limited official info, "35,488,558 BZNT of the customers' assets in the Wallet were transferred to a specific address" and "Bezant dev team locked the address the tokens were transferred to in order to prevent further movement".
Inconsistency No.1:
You can't lock a specific address on the ETH blockchain. It's permissionless and censorship-resistant, so once the transfer is there, you can't do anything to stop it. You can't just lock the specific address because of the hack. Unless you (or the person/system holding the private key) do not sign the outgoing TXs.
After the "hack" there is still money in the wallet, which is indicated by another 4 TXs:
- Feb-03-2020 03:21:01 PM +UTC - https://etherscan.io/tx/0x98006ed53b61aa80ca9fa3397ee1fb5db14f73f4d1a53c8a2755fda52dcc3390
- Feb-03-2020 03:24:19 PM +UTC - https://etherscan.io/tx/0x689ce365f553717234bc48db1e675cc46bea0164de9487a2cd4d0b8cdc00937a
- Feb-03-2020 03:27:35 PM +UTC - https://etherscan.io/tx/0x27a92775451af08b082ef69ce69d079b8243f78473712fb8a558fd5fded9a37b
- Feb-03-2020 04:58:10 PM +UTC - https://etherscan.io/tx/0x9b62ddf314352d3c904b590aea1e4c6fd3e665715b57642e182e4c01c055f43d
Inconsistency No.2:
Every hack on the blockchain involves the private key. Once the attacker has the key, he usually sweeps the wallet containing the victim's funds (sweeping means transferring ALL of the remaining funds in the victim's wallet to a wallet under the control of the attacker, to which the latter has his own private key). The victim's wallet becomes empty until an incoming TX comes. Then the attacker can sweep the victim's wallet again.
The last TX looks weird.
It transfers the remaining funds to another wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x7a7bc01a2c0784139e3af1b329b7adcf95a74425 (likely the second "unhacked" swap wallet)
Then they test this wallet by making two TXs:
- Feb-03-2020 06:00:13 PM +UTC - https://etherscan.io/tx/0xea19554c8ff5c450524b41d74321cc760ea0989dd9a16ad7d9a77b502d42aa9b
- Feb-03-2020 05:30:09 PM +UTC - https://etherscan.io/tx/0x7dc7e38c34eddc29126a5478b486de86ca21cdfd1ff25efe00f309cbb2d7fdba
The wallet to which the funds are credited is the same testing wallet who made the first two test TXs: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x67eed7125ca2b9d1859c4d824a675bd1fa45256d
Then 0x33a…e77 makes the last 4 TXs before the halt of the swap service:
- Feb-04-2020 03:32:03 AM +UTC - https://etherscan.io/tx/0xa4d92e792a0fcebcf2e1061a0476806ccfc727cc57b8c60c2e5a4ddf542f4cdb
- Feb-04-2020 03:37:22 AM +UTC - https://etherscan.io/tx/0x5104cda7b53ebfd09851c70d0e7955f40f52861d741877974bc29a015f760239
- Feb-04-2020 03:47:19 AM +UTC - https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x7a7bc01a2c0784139e3af1b329b7adcf95a74425
- Feb-04-2020 03:56:41 AM +UTC - https://etherscan.io/tx/0x98aca1b33d8b34ad73df9e05eee4944d0c1eda1b9e96497f6ecbc2bac7fddc4a
Inconsistency No.3:
The hack occurred on Feb-03-2020 03:20:32 PM +UTC. They've "locked the funds" and set up the second swap wallet to let the 0x33a…e77 finish their transfers and then halt the service. AND ONLY 0x33a…e77
All these inconsistencies made me doubt the nature of the hack. I've made another Telegram Account and presented all this evidence openly and publicly waiting for answers.
The admin replied that he would consult the team and summarised my complaints in the wrong way.
I've made a little TL;DR:
According to the official claims we have this:
- Hacking attack occurred on the ERC-20 wallet being used by the Bezant team to operate the swap service
- 35,488,558 BZNT of the customers' assets in the Wallet were transferred to a specific address
- Hacking Attack Time: 2020-02-03 15:20:32 (UTC)
- Actions taken: Bezant dev team locked the address the tokens were transferred to in order to prevent further movement
I've presented the view from the blockchain standpoint which contradicts some of these claims:
1. There is no evidence on the blockchain that this was a hack. The private key was NOT compromised as there is no sweep transaction and the wallet is still functional even after the "hacking" transaction occurred.
2. The claim that the hacker has transferred 35,488,558 BZNT to the specific wallet is false. The team transferred this amount as indicated by the timestamp of the "hacking" TX being the same as the "locking" TX.
3. The team's claim of locking the hacker out is also false. You can't lock somebody else's ETH wallet.
As soon as this TL;DR gets published I am banned again with all my messages being deleted from the chat.
Here is the transcript of convo with Iris (another admin of the Bezant team):
Iris the Admin explains why the second account was banned.
So it's very clear that the admins are instructed to ban those who openly doubt the nature of the hack….
I'd like to point out that I've presented enough evidence on this case that contradicts the team's statement. The nature of the hack is still very inconsistent. The admins are instructed to ban people who point it out with facts instead of presenting counterarguments. The team members never showed up to clarify anything. These admins are not part of the Bezant team. They are from the Buzzperch PR team.
Don't wanna call anybody names but this is NOT OK.
So be careful out there.
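
The sweep check the post applies under "Inconsistency No.2", as an added example that is not part of the original post: it replays one wallet's token transfers in time order and reports whether a suspect transaction emptied the wallet and whether the wallet went on spending leftover funds before any new deposit arrived. Only the 35,488,558 BZNT figure comes from the post; every other amount, label and timestamp below is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int      # ordering key (constructed; real data would use block time)
    tx: str      # placeholder label, not a real transaction hash
    src: str
    dst: str
    amount: int  # whole tokens

def sweep_report(transfers, wallet, suspect_tx):
    """Replay transfers and describe what suspect_tx did to wallet's balance."""
    balance, before, after = 0, None, None
    refunded = False        # True once a deposit arrives after the suspect tx
    residual_spends = []    # later spends that could only use leftover funds
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.tx == suspect_tx:
            before = balance
        elif before is not None:
            if t.dst == wallet:
                refunded = True
            elif t.src == wallet and not refunded:
                residual_spends.append(t.tx)
        if t.dst == wallet:
            balance += t.amount
        if t.src == wallet:
            balance -= t.amount
        if t.tx == suspect_tx:
            after = balance
    if before is None:
        raise ValueError("suspect transaction not in transfer list")
    return {"balance_before": before, "balance_after": after,
            "swept": after == 0, "residual_spends": residual_spends}

W = "SWAP_WALLET"  # placeholder names, not real addresses
# Constructed case 1: a large transfer that leaves funds behind.
PARTIAL = [
    Transfer(1, "fund", "RESERVE", W, 40_000_000),
    Transfer(2, "suspect", W, "ADDR_X", 35_488_558),
    Transfer(3, "out-1", W, "USER_A", 100_000),
    Transfer(4, "out-2", W, "USER_B", 100_000),
    Transfer(5, "out-3", W, "WALLET_2", 4_311_442),
]
# Constructed case 2: a full sweep, followed by a fresh deposit and payout.
SWEEP = [
    Transfer(1, "fund", "RESERVE", W, 1_000),
    Transfer(2, "suspect", W, "ADDR_X", 1_000),
    Transfer(3, "refill", "RESERVE", W, 500),
    Transfer(4, "payout", W, "USER_A", 500),
]
```

The report describes what the ledger shows for one wallet; it does not by itself identify who signed a transaction.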