Postmortem: $KIDEN Team Vesting Smart Contract Vulnerability Breach

Elixir Games Intern -

Details

  • Token Address: 0xCc5c80B4ecEF7E6561Bb4721d8AC3E80B4503a96
  • Chain: Avalanche - C Mainnet
  • Date: Dec-25-2024 10:03:45 PM +UTC
  • Affected Smart Contract Address: 0x44CfaF95F5D8F917Efd3039564272da398F0A0Aa
  • Company: Layer X LLC, a Republic of Georgia registered entity with Company ID 412784900

Summary:A malicious actor exploited a vulnerability in the team vesting contract, gaining control of nearly 38 million $KIDEN tokens. After liquidating the tokens, the attacker repurchased them and held them hostage, making it impossible for the team to restore the token's stability and jeopardizing the funds of all holders.

First Part: Exploit and Liquidation

Phase 1: Smart Contract Exploitation

Dec-25-2024 10:03:45 PM +UTC: The attacker took ownership of the team vesting contract (0x44CfaF95F5D8F917Efd3039564272da398F0A0Aa) and drained the tokens to their wallet.

Two key events were triggered during this phase. Link to contract events.

  1. Ownership Transfer: Exploited the vulnerability to transfer ownership to the attacker’s wallet.
    - Event 1 Hash: 0x410d48b3ee41763429f1e44070117524b56f1aff8277af390df37375ea0b60b7
  2. EmergencyWithdraw: Leveraged this function to drain 38,699,552 $KIDEN tokens to the attacker's wallet.
    - Event 2 Hash: 0x318f2c15b0b270c56b4ec694a73559195eaec5589259eb861f651c90a98346f9

Attacker Wallet: 0x95098d799eA79b346b70CE512547490139fC1Af3

The Vulnerability

After an audit led by the Elixir Games team, the vulnerability exploited in the attack stemmed from a critical oversight in the smart contract's initialization function, developed by a third-party company contracted to handle the smart contracts for the $KIDEN token. Unlike the public vesting contract, which included proper checks, the exploited contract lacked a verification mechanism to ensure that only the owner could execute the initialization function.

This unprotected function allowed the attacker to take ownership of the contract by transferring its control to their wallet. Once ownership was established, the attacker was able to exploit the contract further, draining its funds.

It is important to clarify that three distinct parties are involved in the development and management of the RoboKiden project:

  1. TheBreach Studios: Responsible solely for in-game development.
  2. Elixir Games & Litlab: Acting as an incubator and advisor, providing strategic support and ecosystem integration.
  3. 3rd Party Contractor: Tasked with developing the smart contracts, including the one that was exploited.

While responsibility for this oversight primarily lies with the third-party company, which failed to implement basic ownership verification in what were supposed to be standard contracts, the Elixir team acknowledges its responsibility for not auditing these contracts before deployment. These contracts were presented as industry-standard, with the contractor claiming they had been implemented successfully multiple times before. This assurance contributed to the reliance on the contractor’s expertise, leading to the lack of an independent audit.

This incident underscores the critical need for auditing all external contributions, regardless of assurances, and highlights the importance of adopting a more rigorous and centralized process when engaging third-party developers.

Phase 2: Stolen Tokens Liquidation

  • Wallet A: 0x95098d799eA79b346b70CE512547490139fC1Af3
  • Wallet B: 0x000BBdCb212D7365549F3344e9bac46DA37c9a1d

The attacker utilized a smart contract (0xA9Ac49DE0435dBfE1BA76Cf221f71F8F34427541) to:

  1. Drain the vesting contract.
  2. Swap 38,699,552 $KIDEN for 664.68989194 $WAVAX on the Avalanche DEX, Trader Joe.
  3. Transfer the $WAVAX back to Wallet A.

Transaction Hash: 0x318f2c15b0b270c56b4ec694a73559195eaec5589259eb861f651c90a98346f9. Link.

Phase 3: Fund Distribution

  • Dec-25-2024 10:14:27 PM +UTC: Wallet A transferred the funds to Wallet B. Link.
    • Hash: 0x5dcebc0ee16541c37ac97931f272fb1290933951e0f798918f764dfb8159d57a
  • Dec-25-2024 10:35:34 PM +UTC: Wallet B distributed funds among four wallets, which liquidated the assets on Fixed Float:
    • Wallet B1: 0x2c31057b8b18B10A29Bfe7D2Cab14ae0b1057DEf
    • Wallet B2: 0x217b0BeAd725E683eD6c4786467C12362a6B0A8c
    • Wallet B3: 0xB575F599b2d3772cFf1078910E135dA151ca3703
    • Wallet B4: 0xeF058238f3d21F85dC794bFd7EF2c132Dae786bB

Fixed Float does not require KYC; however, they have already blacklisted the identified addresses and are willing to share their logs (including IP addresses, country, etc.) upon receiving a request from law enforcement.

Wallet A was funded through a KuCoin account, potentially allowing identification via KYC.  (Hash 0x512ed662347cbab9f817a51a0ac0f635a3fad99f12b23ec3936b055c440443e7). Link.

Second Part: Holding Tokens Hostage

Dec-25-2024 10:03:45 PM UTC: The $KIDEN token price crashed to zero. Immediately after, three repurchase transactions occurred:

Buyer 1

  • Wallet: 0xf8c37583E1b65d393BB33b8901a61a78b92648A7
  • Purchase: 36,172,439.54 $KIDEN for 1,000 $USDT. Link.
    • Hash: 0xf38f58b7f18af885b68c8be7349cf0ed5e2cc2132c441642502c73b397270ebe
  • Sent funds to MEXC:  Link.
    • Hash: 0x252f0b7068001ce33bbc8807aeb1390c8c95a610b6019975d65e5a779d9176d0
  • Executed by a wallet funded from Binance on Dec-16-2023: 0x30273fE97daa77d2345645982797C4cF9d1bA111. Link
    • Hash 0x9a6fdca6125fcb256dc06b7a96b28f58090ce7d73b133ff3cddb22c8abd99499 

Buyer 2

  • Wallet: 0xc4b0659F211D68536C07a85e5fE425c491557D42
  • Purchase: 1,214,265.77 $KIDEN for 1,000 $USDT. Link.
    • Hash: 0xfb950c697554aca5b90c76e74e0ec42ee8661959e856b1dfb561e27275fb3f0b
  • Sent funds to MEXC. Link.
    • Hash: 0x376b7a4eb6e8b432ca7e455ef16448638a9f20cc4256a9f73b89510f4a904d55
  • Executed by a wallet funded from Binance on Dec-16-2023: 0x3b60e3A06Af5aa4DA178aaDe658211a0D3F51222. Link.
    • Hash: 0xb0734523aeeb2acabd8f91bceec0ef196aa2cae3651ebf1c9084411a6725855f

Buyer 3

  • Wallet: 0xce777419413fb8982043203f7Be675D4E59f6eBD
  • Purchase: Initial purchase of 110,498.74 $KIDEN Link And subsequent purchases up to a total of 569,456.47 $KIDEN  Link.
    • Hash: 0x9a1063b678c2d3937b261869ea9ffc6b0d36585a8b8461dcff3ba9f34336d091
  • Sent funds to MEXC. Link
    • Hash: 0x61fee30406c1ec381cb0c01fa27c216b20c4049060f2b3b21b2e581f0977db2c
  • Executed by: 0xC5e42F3421Da0C432d9Bc05436cB18C5E4a0c7C2

Buyer 3 exhibited a unique pattern, repeatedly purchasing and transferring tokens to MEXC. This behavior suggests the possibility of an opportunistic trader rather than direct involvement in the attack. However, the timing of the purchases immediately after the hack and the swift reaction following the price drop still make this account highly suspicious.As a result, just among these 3 buyers 37,956,161.78 $KIDEN were taken hostage in MEXC.

  • Funds on MEXC before the Hack: 497413.44735846616 $KIDEN
  • Fund on MEXC after the hack: 38,418,150.007224158684460946 $KIDEN

Company Response After the Exploit

Once the exploit was identified, the Elixir Team took swift and decisive action to mitigate the impact and protect the community. Below is an outline of the immediate steps taken:

  1. Quick Analysis and Community Warning:
    • The team conducted a rapid assessment of the situation to understand the scope of the exploit and its implications.
    • An announcement was promptly prepared and shared on Discord and Twitter to warn the community about the hack.
    • The company advised holders and investors to cease trading the token, as the team could not guarantee recovery at that point. This measure was aimed at protecting users from further losses.
  2. Liquidity Removal to Halt Trading:
    • To prevent further trading and potential exploitation, the company removed the liquidity from decentralized exchanges (DEXs).
    • The withdrawn liquidity was secured in a designated wallet and is intended to be restored once the situation is under control and a resolution is implemented.
  3. Investigation and Collaboration:
    • The team shifted its focus to thoroughly investigating the attack, analyzing the smart contracts, and identifying the vulnerabilities.
    • Collaboration began with parties involved, including centralized exchanges (CEXs), decentralized platforms, and law enforcement, to track the attacker and recover stolen funds.
  4. Developing a Recovery Plan:
    • Parallel to the investigation, the team began formulating potential recovery plans for the $KIDEN token and the broader ecosystem.
    • All efforts were directed towards finding a solution that protects the interests of holders, investors, and the project as a whole.

Through these measures, the company demonstrated its commitment to transparency, swift action, and the long-term stability of the ecosystem, prioritizing the safety and trust of the community above all.

Summary

First part, attack and liquidation

The smart contract exploit demonstrates a calculated and sophisticated attack, leveraging vulnerabilities in the team vesting contract to drain a massive amount of $KIDEN tokens. By exploiting the contract's ownership transfer mechanism and the EmergencyWithdraw function, the attacker swiftly gained control and extracted the funds.

The attack unfolded in two phases:

  1. Smart Contract Exploitation:
    • The attacker transferred ownership of the vesting contract to their wallet (Wallet A) and triggered the EmergencyWithdraw function to drain 38,699,552 $KIDEN tokens.
    • These actions were executed via Wallet B, which was funded by Wallet A.
  2. Stolen Tokens Liquidation:
    • Using a smart contract, the attacker swapped the stolen $KIDEN tokens for 664.68989194 $WAVAX through the Avalanche DEX, Trader Joe, and transferred the $WAVAX back to Wallet A.
    • Wallet A subsequently transferred the funds to Wallet B, which distributed them across four other wallets for liquidation on Fixed Float, a decentralized exchange.

Key Insights: 

  • Wallet A, which initiated the attack, was originally funded through a CEX account, creating a potential avenue for identification if KYC protocols were followed.
  • The use of multiple wallets and decentralized exchanges underscores the attacker’s efforts to obfuscate their tracks and complicate fund recovery.

    2. Second Part, keeping the tokens hostage

The second phase of the attack demonstrates a calculated effort to destabilize the $KIDEN ecosystem by taking the stolen tokens hostage. After the token price was driven to zero, the attackers swiftly repurchased nearly 38 million $KIDEN tokens across three wallets, all funded through Binance or MEXC. These wallets then transferred the tokens back to MEXC, ensuring the malicious actors maintained control while obfuscating their tracks.

The transactions highlight a clear pattern of malicious intent:

  • Wallet 1 acquired the majority of the tokens (36.17M $KIDEN) for a minimal cost of $1,000 USDT, sending them to MEXC immediately.
  • Wallet 2 followed a similar pattern, purchasing 1.21M $KIDEN and transferring them to MEXC within minutes.
  • Wallet 3 displayed a slightly different behavior, engaging in repeated purchases and transfers to MEXC.

These actions made it nearly impossible for the team to restore token health or regain control of the ecosystem. By holding the majority of $KIDEN tokens hostage and liquidating them strategically, the attackers undermined the token's stability, damaged investor trust, and jeopardized the financial interests of all token holders.

Note:

The team itself suffered the most significant losses as the stolen funds originated from the team’s allocation. Additionally, the liquidation directly impacted the liquidity provided by the company, further jeopardizing its financial stability. This incident represents a direct attack against the project and its ecosystem, with the team being the primary victim.

Measures to Prevent Future Incidents

To avoid similar incidents in the future, the team is implementing a comprehensive set of measures focused on improving resource management, security, contractor oversight, and fostering community trust:

1. Audits for Smart Contracts

  • Thorough Audits: No smart contract will be deployed without being audited by at least two independent, reputable firms.
  • Broader Scope of Audits: Critical systems, including third-party integrations, will undergo regular audits to restore and maintain community trust.

2. Transition to Internal Management

In response to recent events, Elixir Games has initiated a thorough internal investigation to identify responsibilities and ensure the restoration of best practices across all development processes. This investigation focuses on improving oversight, reinforcing adherence to professional standards, and preventing similar issues from occurring in the future.

The Elixir Games team is built on a foundation of professionalism, expertise, and a deep commitment to delivering quality and secure products. It is important to emphasize that the Elixir team was not involved in the development of this particular project or its contracts. Additionally, the $ELIX token and its associated contracts are being developed and managed by a completely separate team, ensuring no overlap or shared responsibilities.From this moment forward, all web3 systems for RoboKiden will be fully absorbed and managed by the Elixir Games internal team. This decision reflects our commitment to ensuring the highest standards of quality, security, and professionalism in every aspect of the project.

All contractors previously involved in the development of these systems have been removed. The Elixir team, with its extensive expertise and deep understanding of the company’s values and practices, will now take full responsibility for the development and oversight of RoboKiden's web3 infrastructure. This transition ensures alignment with Elixir's standards and a stronger, more reliable foundation for the project's future.

3. Bug Bounty Program

  • Engaging Whitehat Hackers: Launch a bug bounty program to incentivize ethical hackers to identify vulnerabilities.
  • Strengthening Security: Leverage contributions from the broader security community to safeguard the ecosystem and prevent exploits.

By implementing these measures, the $KIDEN team aims to address the root causes of the vulnerabilities, reinforce the security and integrity of its systems, and rebuild trust within its community. These actions underscore the company’s commitment to delivering high-quality, secure products while learning from past challenges to grow stronger.