
Pando Rings Hack—Nov 5, 2022—Detailed Analysis

by ImmuneBytes

Overview

On November 5, 2022, the Pando Rings project suffered a significant security breach in which an attacker exploited a vulnerability in its price oracle, stealing ~$20M.

The exploit allowed the attacker to manipulate sBTC-WBTC liquidity provider tokens, leading to an attempted theft of approximately $70 million. The assets actually taken amount to $21,877,098.03, including ETH, EOS, and BTC.

Roughly $50 million of the stolen assets remain frozen in the attacker’s wallets, with a successful recovery of $2,362,761.24 in EOS.

About Pando Rings

Pando Rings is a DeFi (decentralized finance) project that provides a range of services, primarily focused on trading and liquidity provision. It uses algorithms to determine interest rates for its lending and borrowing services automatically.

Root Cause of the Exploit

The primary reason for the hack was a vulnerability in Pando Rings’ price oracle. This vulnerability was exploited by the attacker to manipulate the price of the sBTC-WBTC liquidity provider token of the trading pair BTC-WBTC on 4swap.

An oracle in blockchain refers to a third-party information source that provides data to blockchains, which can trigger smart contract executions.

A price oracle specifically gives real-world price information, allowing DeFi platforms to function based on current market prices. Vulnerabilities in oracles can lead to significant manipulations, as seen in this hack.

Imagine the price oracle as a trusted referee in a game. If you can deceive the referee (in this case, the oracle) into thinking that the price of a particular token is much higher or much lower than it actually is on the market, then you can buy or sell those tokens at a manipulated price on platforms relying on this referee’s judgment.

By manipulating the price, the attacker created an opportunity where the value of certain assets (in this case, sBTC-WBTC tokens) on 4swap was misrepresented. This misrepresentation allowed the attacker to trade these tokens at a manipulated price, thereby attempting to steal crypto assets worth approximately $70 million.

Detailed Analysis

The attacker exploited the price oracle vulnerability and manipulated the price of sBTC-WBTC tokens on 4swap. This allowed them to attempt a theft of approximately $70 million in crypto assets.

Hacker's Addresses:

BTC:
bc1qjnsx0sdxksh4w2azwu5ngr8sax46vcu52ljfcx
ETH:
0xd3f04cE2d37b182432e2f804F9913a02071CEa54
0x94eaa57d0fee071d0155551ce9df2001a7070f4f
0xae15c1f351d3a221858deb5751a7f683a80b2132
EOS:
entofkdupows

The attackers were funded by:
https://etherscan.io/address/0x204d4b8cfbc37382689fc235bba5a349accdb95e#tokentxns

Addresses related to the hacker:
ETH:
0x204d4b8cfbc37382689fc235bba5a349accdb95e
0xe290894ef1127f525f0d7d8e309b03946bd2332c

Stolen Fund Details

The attacker transferred $21,877,098.03 worth of assets, including ETH, EOS, and BTC, from the two perpetrating Mixin wallets before any countermeasures could be taken.

Of these transferred funds, 2,022,662.9979 EOS (valued at approximately $2,362,761.24) were frozen with the community’s help. The remaining ~$50 million of stolen funds left with the hacker were subsequently frozen with the intervention of Mixin Network.

The hacker’s Mixin Wallet IDs:

  1. f059c0ee-cde3-3db9-9079-1aff956172c0
  2. d3a935af-ccc4-3cca-98a0-b1b7a9cc53ca

Here are updates about the movement of funds:

  • A deposit of 5 BTC was made to a suspected Huobi address (16BaTGMdyaTZRXAwyiLeChj76EgofSLE3T), potentially linked with @HuobiGlobal.
  • With the aid of the EOS community and @EOSIO, the hacker’s EOS address has been successfully locked. For a detailed view, one can visit this link.
  • Another transaction of note was a 20 BTC deposit to an address (3866rnRzchxsNxJf8RR198NGp7pRPf2x8g) that may be associated with MEXC, as indicated by references to @MEXC_NA, @MEXC_Global, and @mexczh.
  • After the hack, some funds were identified as having been transferred from MEXC to a TRON address linked to @trondao. The transaction details can be tracked at https://tronscan.io/#/address/TY1we1quCYX2sPZkBJ92L4LJE8dti3ZQZH/transfers
  • Progress has been reported in recent weeks concerning the recovery and tracing of the stolen funds. Notably, some of the stolen BTC appears to have been converted into renBTC as of November 20th. The associated address for this conversion can be inspected at https://etherscan.io/address/0x7b9142422fc1eca74bd00d691f4f5743e359fec9
  • A transaction was also spotted in which 4.593 WBTC was exchanged for 78,403 DAI. The transaction can be found at https://etherscan.io/tx/0x08520a3b4fbce3c6f1e1cdb981de032562a9830162b47d87f32bb86733d868b1

Hack Aftermath

After the exploit, Pando Rings, along with its associated services, 4swap, Pando Lake, and Pando Leaf, were immediately and temporarily suspended.

This swift action was taken to ensure that no other vulnerabilities could be exploited. At that time, no definite schedule for resuming these services had been decided, as the priority was to address and fix any and all security concerns thoroughly.

However, it was clearly communicated that services would only be restarted once all potential threats had been completely mitigated.

Due to the exploit, the TVL (total value locked) of Pando Rings fell by ~44%, from $88.57 million on Nov 5, 2022 to $49.72 million on Nov 6, 2022.

Furthermore, the Pando team took a proactive approach in the aftermath of the hack:

  • Two significant messages were dispatched to the perpetrators from the address 0x3e99920e6c40971655e19ad0598454992210499f to warn them about the legal consequences of the exploit and cajole them to come to the negotiation table to facilitate the return of the stolen assets.
  • In an effort to trace the stolen assets and potentially identify the culprits, a collaboration was forged with the security teams. This partnership aimed at meticulously tracking the movement of the stolen funds across the blockchain.
  • In conjunction with tracing the digital footprints of the attacker, efforts were put into gathering identity clues from the blockchain. This was a key step in narrowing down potential suspects.
  • The Pando team also liaised with law enforcement agencies. The objective was to bridge the virtual world with the physical, attempting to pinpoint the real-world identity of the attacker.
  • Internally, the team was in full gear, focusing their efforts on rectifying the vulnerability in the Pando Rings price oracle to ensure such a security lapse wouldn’t occur again in the future.

Mitigation Steps to Avoid Such Hacks

A key takeaway from this hack is the critical importance of securing price oracles to prevent price manipulation. Proper auditing, regular vulnerability assessments, and employing multiple oracles or oracle solutions can act as potential measures to prevent such incidents in the future.
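
One way to apply the multiple-oracle recommendation above, as an added example that is not from the original article and not Pando's code. It goes slightly beyond "multiple oracles" by also rejecting stale quotes and oversized single-update moves; the feed names, prices and thresholds are assumptions constructed for illustration.

```python
import statistics
from dataclasses import dataclass

MAX_AGE_S = 120     # assumed: ignore quotes older than this
MAX_SPREAD = 0.02   # assumed: a source must sit within 2% of the median
MAX_STEP = 0.10     # assumed: largest accepted move vs. the last good price
QUORUM = 2          # assumed: minimum number of agreeing sources


@dataclass
class Quote:
    source: str     # hypothetical feed name
    price: float
    ts: float       # unix time the quote was observed


class OracleRejected(Exception):
    """No trustworthy price exists; callers should pause, not guess."""


def aggregate(quotes, last_price, now):
    """Return (price, outlier_sources) or raise OracleRejected."""
    fresh = [q for q in quotes if q.price > 0 and 0 <= now - q.ts <= MAX_AGE_S]
    if len(fresh) < QUORUM:
        raise OracleRejected("too few fresh sources")
    median = statistics.median(q.price for q in fresh)
    agree = [q for q in fresh if abs(q.price - median) / median <= MAX_SPREAD]
    outliers = sorted(q.source for q in fresh if q not in agree)
    if len(agree) < QUORUM:
        raise OracleRejected("sources disagree")
    price = statistics.median(q.price for q in agree)
    # Circuit breaker: even unanimous sources may not jump the price at once.
    if abs(price - last_price) / last_price > MAX_STEP:
        raise OracleRejected("price moved too far in one update")
    return price, outliers


def demo():
    now = 1_000.0  # constructed timestamps and prices
    honest = [Quote("cex_a", 21000.0, now - 5), Quote("cex_b", 21050.0, now - 9)]
    skewed = Quote("pool_spot", 63000.0, now - 1)  # one venue pushed off-market
    return aggregate(honest + [skewed], last_price=20950.0, now=now)


if __name__ == "__main__":
    print(demo())
```

The returned outlier list is worth alerting on: a single venue diverging from the others is an early signal of the kind of price manipulation described in this article.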

Conclusion

The Pando Rings hack of 2022 is a somber reminder of the vulnerabilities present in the DeFi space, even in established projects. 

By exploiting a price oracle vulnerability, an attacker could siphon off a significant amount of assets. While efforts led to the freezing of a large part of these funds, the episode underscores the need for rigorous security practices in the DeFi sector. 

Employing security experts, like ImmuneBytes, for periodic audits can be a proactive measure against such security breaches.
