On Sep 24, Upbit, recognized as the largest cryptocurrency exchange in South Korea, was exploited due to a technical glitch in its system. The incident concerned deposits and withdrawals of Aptos tokens ($APT) on the platform.
When users deposited certain tokens into their Upbit accounts, the exchange’s system had a glitch. Instead of correctly identifying each token, the system mistakenly identified multiple different tokens as the native Aptos ($APT) token.
The Central Issue:
The crux of the problem was a flaw in how tokens were recognized when deposits were reflected in user accounts:
- Expected Behavior: When processing token deposits made through the function 0x1::aptos_account::transfer_coins, Upbit’s system should validate the type arguments. This would involve a condition check, specifically ensuring that type_arguments == 0x1::aptos_coin::AptosCoin.
- Flawed Behavior: Instead, all tokens transferred using the function 0x1::aptos_account::transfer_coins were mistakenly identified as genuine APT tokens. Consequently, any token from the APT ecosystem transferred to Upbit’s wallet was erroneously treated as the native APT coin.
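The type-argument check described above, written out as a deposit classifier. This is an added example, not Upbit's code: it assumes transactions shaped like the Aptos REST API JSON, and the wallet address, the counterfeit token's module path and the sample transactions are constructed.

```python
from decimal import Decimal

TRANSFER_COINS = "0x1::aptos_account::transfer_coins"
APT_TYPE = "0x1::aptos_coin::AptosCoin"
APT_DECIMALS = 8              # the article: APT uses 8 decimals, the fake token 6
HOT_WALLET = "0xabc"          # constructed placeholder deposit address

def canonical(tag):
    """Normalise `addr::module::name` so 0x1 and 0x00...01 compare equal."""
    addr, sep, rest = tag.strip().partition("::")
    if not sep or not addr.lower().startswith("0x"):
        raise ValueError(f"malformed identifier: {tag!r}")
    return f"0x{int(addr, 16):x}::{rest}"

def classify_deposit(txn, hot_wallet=HOT_WALLET):
    """Return (status, credited_apt); credit only a successful transfer_coins
    call to our wallet whose single type argument is the native AptosCoin."""
    payload = txn.get("payload") or {}
    if not txn.get("success") or payload.get("type") != "entry_function_payload":
        return ("ignored", None)
    try:
        if canonical(payload["function"]) != TRANSFER_COINS:
            return ("ignored", None)
        type_args = [canonical(t) for t in payload["type_arguments"]]
        recipient, raw_amount = payload["arguments"]
        to_us = int(recipient, 16) == int(hot_wallet, 16)
        amount = int(raw_amount)
    except (KeyError, ValueError, TypeError):
        return ("rejected_malformed", None)
    if not to_us:
        return ("ignored", None)
    if type_args != [APT_TYPE]:   # the condition the article says was not enforced
        return ("rejected_not_apt", None)
    return ("credited", Decimal(amount) / 10 ** APT_DECIMALS)

def make_txn(coin_type, amount="25000000000", success=True):
    """Build a constructed sample transaction (not real chain data)."""
    return {"success": success, "payload": {
        "type": "entry_function_payload", "function": TRANSFER_COINS,
        "type_arguments": [coin_type], "arguments": [HOT_WALLET, amount]}}

SAMPLES = {
    "genuine": make_txn(APT_TYPE),
    "long_form": make_txn("0x" + "0" * 63 + "1::aptos_coin::AptosCoin"),
    "fake": make_txn("0xbad::gift::ClaimAPTGift"),   # hypothetical module path
    "failed": make_txn(APT_TYPE, success=False),
}

if __name__ == "__main__":
    for name, txn in SAMPLES.items():
        print(name, classify_deposit(txn))
```

Comparing canonicalised type tags rather than raw strings keeps the long-form address of the genuine coin from being rejected, while any other coin type sent through the same function is refused before an amount is ever computed.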
The above misidentification led to several complications:
- Operational Halt: Upbit unexpectedly suspended all Aptos token activities, referencing a “wallet system maintenance” without further clarification.
- Uninitiated Deposits: Numerous users reported receiving $APT tokens in their accounts, despite not transferring them.
- Refund Requests: Upbit’s customer service reportedly reached out to users who had offloaded the mistakenly deposited fake APT tokens, asking them to return the proceeds.
- Real Culprit: Investigations revealed that the deposited tokens were not genuine Aptos Network coins. They were counterfeit tokens named “ClaimAPTGift.” The scam token’s blockchain address was identified (https://apscan.io/account/0xc4f4e73e689b13799d6a1a52a9db1e0099de2e16967ca9bff97e9946dbedc4e9), further corroborating this finding.
The Silver Lining:
A significant crisis was avoided due to a serendipitous difference in decimal precision:
- The scam token, “ClaimAPTGift,” used a 6 decimal system.
- The authentic APT token operated on an 8 decimal structure.
If the scam token had also utilized the 8 decimal system, the fallout would have been catastrophic. Users would have received $25,000 instead of the accurate $250. This would have led to users massively selling off APT tokens, causing substantial market turmoil.
Other Upbit Exploits in the Past
This is not the first security incident involving Upbit. It has previously suffered massive losses due to a breach.
In Nov 2019, Upbit lost ~$48.5M (at the time of the hack) from its hot wallet in a cyberattack. The lost crypto assets consisted of 342,000 in Ethereum (ETH).
The theft allegedly occurred while moving assets between hot and cold storage facilities. This led to the speculation of this incident being an inside job rather than an external breach.
Conclusion & Recommendations:
The Upbit incident underscores the need for rigorous verification and security protocols for cryptocurrency exchanges, particularly major ones like Upbit. Platforms must ensure:
- Stringent Verification: Deposit and withdrawal systems should be robust and capable of differentiating between genuine and scam tokens.
- Prompt Communication: In case of discrepancies, clear communication with users can mitigate panic and misinformation.
- Regular Audits: Periodic system checks can preempt potential flaws and vulnerabilities.