{"id":103549,"date":"2020-11-03T02:59:50","date_gmt":"2020-11-02T23:59:50","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/certik-dissects-the-axion-network-incident-and-subsequent-price-crash\/"},"modified":"2020-11-03T02:59:50","modified_gmt":"2020-11-02T23:59:50","slug":"certik-dissects-the-axion-network-incident-and-subsequent-price-crash","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/certik-dissects-the-axion-network-incident-and-subsequent-price-crash\/","title":{"rendered":"# CertiK dissects the Axion Network incident and subsequent price crash"},"content":{"rendered":"<div data-v-5a136f3a=\"\">On November 2, the Axion Network launched its new token, known as AXN. The project touted the asset as a new investment vehicle, claiming that it would be the most profitable blockchain of its kind to date. 
During the interim lead-up to AXN&#8217;s airdrop, five separate teams allegedly examined the token&#8217;s code; industry darlings such as CertiK and Hacken were among those who conducted the audits.<\/p>\n<p>A few short hours after the protocol&#8217;s freeclaim event, however, it became clear that something had gone awry. An unauthorized actor unexpectedly minted 79 billion AXN and unloaded them on the market. The price collapsed in excess of 99%, netting the attackers a cool 1300 ETH \u2014 worth an estimated $500K at time of publication.<\/p>\n<p>In the hours that followed, the team behind the Axion project encouraged participants to stay away from trading or interacting with the asset, stating via the platform&#8217;s official Telegram channel:<\/p>\n<blockquote><p>\u201cDo not buy AXN right now, do not interact with the dashboard,\u201d<\/p><\/blockquote>\n<p>The Axion Network&#8217;s Twitter account continued to post updates, including that:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We&#8217;re still here. <\/p>\n<p>All the AXN\/HEX2T people were holding at the time of the exploit will be credited. <\/p>\n<p>We will launch a liquidity reward portal to build the liquidity back up as well.<\/p>\n<p>We are working hard to relaunch AXN as soon as possible.<\/p>\n<p>\u2014 Axion (@axion_network) <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/twitter.com\/axion_network\/status\/1323326951063392256?ref_src=twsrc%5Etfw\">November 2, 2020<\/a><\/p><\/blockquote>\n<p>Despite these reassurances, CertiK is stepping forward to offer the community a clearer explanation of what they perceive to have gone wrong, and insights into how similar attacks could be prevented in future. 
Cointelegraph reached out via email to &#8220;Jack Durden&#8221; who was described to us as the CEO of the Axion Network, but received no immediate response. No team members are listed in the project&#8217;s white paper or on the website, and the name &#8220;Jack Durden&#8221; is shared with the unseen narrator from the movie <em>Fight Club.<\/em><\/p>\n<p class=\"post-content__accent post-content__accent_small\">Note that the remainder of this article is reproduced word-for-word, courtesy of CertiK, as a public service to educate readers on the audit team&#8217;s understanding of what happened. Cointelegraph has not audited the code and the views stated hereafter are therefore exclusively those of CertiK.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"CertiK_staff_report_on_the_Axion_price_crash\"><\/span>CertiK staff report on the Axion price crash<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>On the 2nd of November 2020 at <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0xc2a4a11312384fb34ebd70ea4ae991848049a2688a67bbb2ea1924073ed089b4\">approximately 11:00 AM +UTC<\/a> a hacker managed to mint around 80 billion AXN tokens by utilizing the unstake function of the Axion Staking contract.<\/p>\n<p>The hacker then proceeded to dump the tokens on the AXN Uniswap exchange for Ether, repeating this process until the Uniswap exchange was drained and the token price was driven to 0.<\/p>\n<p>We were informed of the incident within a few minutes of the attack occurring and our security analysts began assessing the situation immediately.<\/p>\n<p>We have concluded that the attack was likely planned from the inside, involving an injection of malicious code at the time the code was deployed by altering 
code from OpenZeppelin dependencies.<\/p>\n<p>The exploited function was not part of the audit we conducted as it was added after joining together Axion\u2019s code with OpenZeppelin\u2019s code via \u201cflattening\u201d and injecting it within OpenZeppelin\u2019s code prior to deployment.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Planning\"><\/span>Planning<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The hacker used anonymous funds procured from <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/tornado.cash\/\">tornado.cash<\/a> <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0x86f5bd9008f376c2ae1e6909a5c05e2db1609f595af42cbde09cd39025d9f563\/advanced\">the day before the hack occurred<\/a>, hinting at a premeditated attack. Presumably to save some funds in case the attack failed, 2.1 Ether were re-circulated in tornado.cash right after the account received the funds.<\/p>\n<p>To finalize the attack setup, the hacker purchased around <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0x6b34b75aa924a2f44d6fb2a23624bf5705074cbc748106c32c90fb32c0ab4d14\">~700k HEX2T tokens<\/a> from the Uniswap exchange. However, these funds were ultimately not part of the attack and served as a smokescreen with regard to how the attack unfolded.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Setup\"><\/span>Setup<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The hacker began their way towards actuating their attack by creating an \u201cempty\u201d stake on the Staking contract of the Axion Network by invoking the stake function with a 0 amount and 1 day stake duration at <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0x5e5e09cb5ccad29f1e661f82fa85ed172c3b66c4b4922385e1e2192dc770e878\">approximately 09:00 AM +UTC<\/a>. 
This created a Session entry for the attacker with a 0 amount and 0 shares value at session ID 6.<\/p>\n<p>Afterwards, the attacker pre-approved an unlimited amount of AXN to the Uniswap exchange in anticipation of their attack succeeding. Consequently, they approved the NativeSwap contract of Axion for the amount of funds they intended to convert to AXN tokens.<\/p>\n<p>They invoked the deposit function of the NativeSwap contract at <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0xf2f74137d3215b956e194825354c693450a82854118a77b9318d9fdefcfbf875\">approximately 10:00 AM +UTC<\/a>; however, the hacker never called the withdraw function of the contract to claim their swapped AXN, as is evident from the NativeSwap contract\u2019s swapTokenBalanceOf function. Afterwards, they made one more failed deposit function call before executing the attack.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Execution\"><\/span>Execution<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>These transactions were merely smokescreens for how the unstake attack was actually carried out. 
As the transactions that the attacker conducted resulted in no change to the sessionDataOf mapping, we concluded that this was a multi-address attack.<\/p>\n<p>We investigated the source code of the contracts at the GitHub repository that had been shared with us to identify a flaw that would cause the sessionDataOf mapping to be affected.<\/p>\n<p>We were unable to detect any assignments to it or members of it outside the stake functions, which prompted us to question whether the deployment of the contracts was conducted properly.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Attack_Vector\"><\/span>Attack Vector<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After analyzing the source code of the deployed Staking contract, we pinpointed a code injection in the AccessControl OpenZeppelin library between L665-L671 of the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0xcd5f8dcae34f889e3d9f93f0d281c2d920c46a3e#code\">deployed source code<\/a> of the Staking contract. The linked checkRole function is not part of <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/github.com\/OpenZeppelin\/openzeppelin-contracts\/blob\/v3.0.1\/contracts\/access\/AccessControl.sol\">the OpenZeppelin v3.0.1 implementation<\/a>, which was listed as a dependency in the project\u2019s GitHub repository.<\/p>\n<p>Within the checkRole function, the following assembly block exists:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2020-11\/8a04a8aa-cd78-42d9-822a-0a32f8fdc637.jpg\"\/><\/figure>\n<p>This particular function allows a specific address to conduct an arbitrary write to the contract based on the input variables it supplements via low-level calls. 
Annotated, the assembly block would look like this:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2020-11\/a99f124b-3a9b-4c20-b02d-5c25d79c988f.jpg\"\/><\/figure>\n<p>This function <strong>was injected at deployment<\/strong> as it does not exist in the OpenZeppelin AccessControl implementation, meaning that the members of the Axion Network that were involved with deploying the token acted maliciously.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The attack utilized code that was deliberately injected prior to the protocol\u2019s deployment. This incident <strong>bears no relation to the audits conducted by CertiK<\/strong> and the party responsible for the attack was a person that seemed to be involved with the deployment of the Axion Network contracts.<\/p>\n<p>As an additional degree of security, audit reports should standardise to include deployed smart contract addresses whose source code has been verified to be the same as the one that was audited.<\/p>\n<p>The <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/shield.certik.foundation\/\">Security Oracle<\/a> serves as an on-chain relayer of security intelligence, conducting security checks which include the verification of deployed smart contracts to match the audited versions.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/certik-dissects-the-axion-network-incident-and-subsequent-price-crash\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# CertiK dissects the Axion Network incident and subsequent price crash &#8221; On November 2, the Axion Network launched its new token, known as AXN. The project touted the asset as a new investment vehicle, claiming that it would be the most profitable blockchain of its kind to date. During the interim lead up to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":103550,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2020-11\/8f95a64d-cfe3-4ed9-98bc-78b1564cf851.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74867,78261,10574,71006,70944,4965],"class_list":["post-103549","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-altcoin","tag-tech-analysis","tag-education","tag-fraud","tag-hackers","tag-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/103549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/
en\/wp-json\/wp\/v2\/comments?post=103549"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/103549\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/103550"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=103549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=103549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=103549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}