A comprehensive restoration of a community-led "crackdown" on a DeFi heist

Chain News
2021-08-19 16:42:00
We retrieved the money from the fleeing StableMagnet project team.

Author: Eric, Chain News

Last week was a turbulent week for the DeFi world, with projects such as Poly Network, the decentralized pension protocol Punk Protocol, the lending protocol Neko on BSC, and the decentralized exchange Ref.Finance in the NEAR ecosystem being successively attacked by hackers, with losses ranging from millions to hundreds of millions. Some attackers returned the funds, but there are still some hackers who remain at large.

Perhaps as the hacker who stole $600 million from Poly Network said, there is no perfect system in this world, only vulnerabilities that we have yet to discover. If decentralized projects are attacked by hackers due to code logic vulnerabilities, it can still be considered a growing pain on the development path. However, projects that are inherently designed to siphon off assets are outright crimes.

StableMagnet on BSC: A Stablecoin DeFi Project

The story begins with a DeFi project called StableMagnet on the Binance Smart Chain (BSC).

In the first half of this year, Ethereum's performance bottleneck pushed users and liquidity toward other chains during the DeFi boom, and BSC, backed by Binance, rapidly seized market share thanks to its large user base and smooth on-chain experience, especially while Ethereum's scaling solutions were still incomplete. However, BSC's popularity also attracted a large number of speculative project teams, who deployed DeFi projects with liquidity mining rewards to attract users, commonly referred to as "shitcoins." These "shitcoins" were never intended for long-term operation; they aimed to attract gamblers with early high yields, inflate the project token price, and then dump the tokens reserved for the project team for profit.

It can be said that these types of projects carry high risks; you never know when the project team will pull the rug, and some may even deliberately exploit reserved vulnerabilities to steal investors' assets and then vanish without a trace.

And StableMagnet is one of the latter.

According to descriptions from victims of this project, StableMagnet was mentioned in promotional channels such as BSC Daily, attracting some attention from BSC users, but it did not create a significant stir in ordinary communities. To most people, it seemed like just another ordinary "shitcoin" project. However, members of the community with code review capabilities concluded after examining the project's code: there are no obvious vulnerabilities in the project's code, or at least, even if the project team had malicious intent, they could not smoothly transfer assets from the contract.

Because its code was perceived as safe and its APY was high, this project spread among a small group of sophisticated on-chain users (in Chinese crypto slang, "scientists"). To further ensure project security, the project team even proactively set a contract time lock. Seeing that the project team had taken additional security measures, professional users who had reviewed the contract confidently made larger investments, and the project's TVL rose from a few million dollars to $24 million in just a few days. What nobody knew was that beneath this seemingly "problem-free" exterior, a conspiracy was brewing.

The Greatest Danger Lies in the Most Concealed Corners

Although the project's contract logic had no vulnerabilities, the issue did not lie in the smart contract itself but in the underlying function library it called, the SwapUtils Library. The project team planted a backdoor in the SwapUtils Library, so regardless of whether the project's smart contract code was secure or protected by a time lock, the project team could use the backdoor in the underlying functions to transfer assets directly. Since the DeFi projects Dopple and StableGaj were developed from the same code base, their SwapUtils Library was likewise unverified, and the StableMagnet incident also exposed the security risks of these two projects.


Comic by RugDoc regarding the StableMagnet incident

Past hacking incidents mostly exploited vulnerabilities in the project's own smart contract logic, which led reviewers to overlook verification of the underlying function libraries. An unverified library can be tampered with, and the project team took advantage of exactly that.
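The practical lesson of the two paragraphs above is that source verification of the main contract says nothing about the libraries it delegates to. Solidity links an external library by embedding its 20-byte address in the bytecode and reaching it through DELEGATECALL, so a reviewer can list those addresses from the deployed bytecode and check each one for verified source on the explorer. The script below is an added example written for this article, not code from StableMagnet, RugDoc or any of the projects named here; the bytecode and the library address in it are constructed placeholders, and the address-extraction rule (PUSH20 immediates plus the presence of DELEGATECALL) is a heuristic, since immutables and metadata can also put 20-byte values into bytecode:

```python
"""List candidate linked-library addresses in deployed EVM bytecode.

Added example for reviewing a contract's dependencies. Heuristic used here:
every PUSH20 immediate is a candidate address, and a DELEGATECALL opcode in
the same bytecode confirms that some address is executed as library code.
Addresses found this way still have to be checked for verified source.
"""
import re

PUSH1, PUSH20, PUSH32 = 0x60, 0x73, 0x7F
DELEGATECALL = 0xF4


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate), skipping PUSHn data correctly.

    Skipping the immediate bytes matters: a 0x73 byte inside a PUSH32
    constant is data, not a PUSH20 instruction.
    """
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield i, op, code[i + 1:i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def linked_libraries(bytecode_hex: str):
    """Return (sorted unique PUSH20 addresses, delegatecall_present)."""
    h = bytecode_hex.lower()
    h = h[2:] if h.startswith("0x") else h
    code = bytes.fromhex(h)
    addrs, has_delegatecall = set(), False
    for _, op, imm in disassemble(code):
        if op == PUSH20 and len(imm) == 20:
            addrs.add("0x" + imm.hex())
        elif op == DELEGATECALL:
            has_delegatecall = True
    return sorted(addrs), has_delegatecall


def naive_scan(bytecode_hex: str):
    """The tempting shortcut: grep the hex for '73' + 40 hex digits.

    Kept for contrast; it reports false positives from PUSH data.
    """
    h = bytecode_hex.lower()
    h = h[2:] if h.startswith("0x") else h
    return ["0x" + m for m in re.findall(r"73([0-9a-f]{40})", h)]


def review_report(bytecode_hex: str):
    """Lines a reviewer would paste into a checklist: one per address."""
    addrs, delegates = linked_libraries(bytecode_hex)
    lines = [f"delegatecall present: {delegates}"]
    lines += [f"check verified source for linked address {a}" for a in addrs]
    return lines


# Constructed sample runtime bytecode (placeholder, not any real contract):
#   PUSH1 0x80 PUSH1 0x40 MSTORE       -- standard prologue
#   PUSH20 <library address 0x11..11>  -- the linked library
#   PUSH1 0x00
#   PUSH32 <32 bytes whose first byte is 0x73>  -- trap for a naive scan
#   POP DELEGATECALL STOP
LIB_ADDR = "11" * 20
TRAP_DATA = "73" + "22" * 20 + "00" * 11          # exactly 32 bytes
SAMPLE = "0x" + "6080604052" + "73" + LIB_ADDR + "6000" + "7f" + TRAP_DATA + "50" + "f4" + "00"

if __name__ == "__main__":
    for line in review_report(SAMPLE):
        print(line)
    print("naive scan would also report:", naive_scan(SAMPLE))
```

On a real review the bytecode comes from the explorer's "contract bytecode" view or an `eth_getCode` call; each address the report lists is then looked up on the explorer to confirm it is source-verified, and any unverified one is treated as an unreviewed dependency of the whole protocol, which is precisely the gap the SwapUtils Library fell into.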

At midnight on June 23rd, Beijing time, the incident officially began.

While most investors in the UTC+8 time zone were still asleep, the project team transferred assets worth $24 million through the backdoor they had planted, and the project website, Twitter account, and Telegram group were all shut down or disbanded. The project team even sent some of the stolen BUSD and USDT directly to Binance and exchanged them for DAI before withdrawing.

More than 10 minutes after the project team's actions, community members such as Ogle had already noticed the anomaly and began tracking the attack address. They reported it as soon as the stolen assets were transferred to Binance, but Binance did not take immediate action. Ultimately, the project team successfully withdrew DAI from the exchange.

It is worth mentioning that some well-known community members and DeFi security media had received anonymous information before the attack, stating that the SMAG (StableMagnet) project might run away. However, due to the inability to confirm the identity and authenticity of the warning, and because the core smart contract of the project itself had no issues, those who received the warning did not disclose this information in the community immediately out of caution.

Community Counterattack

Typically, after a project is attacked, the project team will work with investors to find the hacker or compensate for the losses. However, the problem with StableMagnet is that the project team was stealing from itself. To save themselves, community members decided to do everything possible to search for and locate the project team. Thus, a massive operation to combat crime began.

Locating the Project Team

To recover the assets, the first step is to find the people. According to community members, the core work of tracing the project team through technical means was mainly carried out by a DeFi KOL named Ogle, himself one of the victims of this incident, and his team.

During the interview, Ogle shared a particular method they used to obtain clues: coding habits. Community members explained that every coder inevitably has personal habits, and these show very clearly in their coding style, much like a person's handwriting. Through certain characteristics of the StableMagnet code, Ogle found related projects on GitHub and ultimately determined that the project team was a group based in Hong Kong. Combining this with other clues, the investigation team discovered a company registered by project members and, through publicly available information associated with that company, located other related members.

Meanwhile, Binance's investigation also pointed to the project team possibly being in Hong Kong. Upon learning this news, victims in Hong Kong quickly reported the case to the Hong Kong police. At the same time, the community investigation organization also managed to obtain contact information for the project team members and attempted to communicate with them. However, the team members ignored all contact attempts and refused to communicate or repay.

At this point, voices in the community began to call for directly exposing the identities of the project team. Besides the core community investigation team holding their personal information, there were also independent anonymous organizations claiming to "have the authority" stating they had obtained their personal information and wanted to publish it directly, but were dissuaded by Ogle.

Subsequently, the core community investigation team publicly called for the project team to contact Ogle countless times, both to expedite the refund process and to prevent their personal information from being exposed by impatient independent anonymous individuals/organizations, leading to uncontrollable consequences. However, the project team members did not accept this "goodwill."

Missing the Best Opportunity, the Project Team Flees

Although the Hong Kong police had filed a case, perhaps due to procedural issues, they did not accept the various pieces of evidence provided by the community. Since the project team left traces on Binance, the Hong Kong side hoped Binance would provide relevant evidence. However, for various reasons, communication between the Hong Kong police and Binance stalled. Community members had no law enforcement authority; even though they had identified the project team, they could not control them, so they could only wait for the police to advance the investigation. The case was at a standstill.

However, perhaps sensing the pressure and realizing that the community had roughly identified them and located their whereabouts, the team members hastily fled to the UK during this stalled phase of the case. But what awaited these suspects was not a story of the case fading with the passage of time, but a new "encirclement."

Capture and Arrest

While everyone was anxious about the progress in Hong Kong, the community investigation team discovered the latest whereabouts of the project team members who had fled to the UK. This became a turning point in the incident. Following reports from community members, the UK police quickly filed a case and assigned a major crime unit to follow up. Based on the information submitted by the community, the UK police launched an investigation into the project team members who had fled to the UK. At this point, the new question for the community investigation team and the UK police was where the project team members were hiding in the UK.

Under the UK's epidemic prevention policy at the time, all travelers arriving in the UK were required to make a declaration and self-isolate for 10 days. If the fleeing project team members self-isolated as required, in theory enough clues could be gathered to trace their exact address. The bad news was that by the time the investigation members and the UK police picked up this clue, the team members' isolation period was likely about to end.

Ogle and the community investigation team analyzed the possible addresses where the team members might be staying and conducted a thorough search. Ultimately, the UK police, acting on this intelligence, successfully apprehended the project team members. Those arrested were found to be carrying a large number of electronic devices used for cryptocurrency storage, which held the assets stolen from investors. Through the efforts of the UK police, the arrested project team members ultimately chose to cooperate with the investigation and agreed to return the stolen funds.

Thus, this month-long DeFi fraud case, spanning multiple countries and regions and involving a total of $24 million, finally made significant progress.

Provocation and Counterattack

But the matter was not completely over. The assets returned by the arrested members totaled about $22.5 million, and they claimed that some assets were missing. In addition, some members remain unaccounted for. More intriguingly, just as the arrested members were about to make the refund, assets worth hundreds of thousands of dollars were transferred out, and the amount the police ultimately received matched the amount that had gone missing. The community suspected this was the work of the project team members still at large, and if so, it amounted to a provocation against both the community and the police.

In response to the provocation, the impatient independent anonymous organization finally could not hold back and chose to expose the suspects' identities directly, stating that if the fleeing project team members continued to refuse communication, it would publish more of their personal information. Meanwhile, the core investigation team led by Ogle has been working hard to contact the project team, recover all assets, and reassure the community.


Photos of the suspects

Returning Stolen Funds

Refunds are the issue victims care about most. The UK police successfully recovered 91% of the stolen assets, and all of it will be returned to victims worldwide. It is worth mentioning that because users in some regions find it inconvenient to receive fiat refunds, the UK police, at the urging and suggestion of community members, adopted on-chain refunds instead of fiat refunds.


News released by the UK police

Victims need to prove wallet ownership through a small transfer and submit local case filing information along with KYC/AML information; once verified, the refund can proceed. Although this process still presents some practical difficulties for victims in China, it offers affected investors the greatest convenience possible. As for the remaining 10% of funds not yet recovered, the community is still working with the UK and international police to trace them, striving to return all assets to the victims and to fully track down the project team members still at large.


Email from the UK police to community members

As of now, the UK police have also noticed that victims in China have great difficulty even filing a report, and they are considering further optimizing the refund process for victims in China.


Follow-up

After interviewing community members and reviewing the entire case, it is clear that the StableMagnet case was resolved successfully thanks to the efforts of community members and their close cooperation with the police. This may serve as a good starting point and a reference case for handling similar incidents in the future.

At the end of the interview, when asked how to avoid such incidents in the future, Ogle stated that in the CeDeFi field, contract deployments might in the future be subject to KYC requirements governed by a DAO or another organization. Of course, many people might consider this insufficiently decentralized, and many crypto enthusiasts may not be interested, but the approach might be welcomed by traditional financial participants and attract them into the space. This is not a question of right or wrong, only of choices. In a completely decentralized world, to avoid such incidents, participants are advised not to rush blindly into early mining but to wait 3-6 weeks before participating. Although they may miss the initial excessive yields, they also avoid certain risks.

Additionally, it is advised that investors choose projects with stronger security, such as teams with real identities, projects that are verifiable in code, those issued on Launchpads (such as SAFERmoon), and projects audited by reliable security companies.

Finally, Ogle stated that all wrongdoing has consequences, and he will make wrongdoers pay the price. This is also the original intention of the community investigation team to thoroughly investigate this incident, treating it as a demonstration to warn all those who attempt to exploit the anonymity of blockchain for wrongdoing: "Even if you hide behind a computer screen, you will bear the consequences of your actions in the real world."
