
Boy X Highspeed Incident Analysis


BSC Daily News tweeted out an alert stating that BXH has rugpulled for $12.5 million. This number cannot be independently verified at this time.

However, CertiK has analyzed on-chain data and can confirm that the externally-owned account (EOA) 0xafc6e88c90334618e73eadc04b0f9dc0482f7be3 repeatedly invoked the privileged function InCaseTokensGetStuck() on the project’s staking pool contracts on BSC, Avalanche, and HECO Chain.

BXH Code Snippet

At present, it appears as though the funds have been aggregated on the Ethereum mainnet, for a total of $2,433,665.79 or ~1,865 ETH. The attacker bridged a total of 1,228.73 ETH from BSC to Ethereum, 267.34 ETH from Avalanche to Ethereum, and 105.49 ETH from HECO Chain to Ethereum. This address has since sent the funds to Tornado Cash to be laundered.

The affected contracts were deployed in May 2022. The exploit began on September 20, and the stolen funds started moving to Tornado Cash on September 23.

The BXH team released a statement saying that they were “deeply sorry for the recent security incident.” The statement outlined a path forward for the project, without detailing how affected users would be reimbursed for their losses.

A Telegram channel has been set up to give affected users a place to discuss the ongoing event. An unverified document posted in the channel appears to be a press release in Chinese stating that BXH fell victim to a phishing scam, that there is no fault on the part of the team, and that they are cooperating with police.

BXH was not audited by CertiK. The “emergency function” InCaseTokensGetStuck() would have been flagged as a severe centralization risk in an audit. Functions such as this are a risk on multiple levels. They give privileged accounts the ability to drain affected contracts of all funds, which opens the door to malicious insiders taking advantage of this power, while also providing a prime target for phishers.
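
The centralization risk described above, shown as an added sketch that is not BXH's code and not part of the original analysis: the single-key drain pattern (commented out) next to one hardened alternative. The contract name, function parameters, the `queueRescue`/`executeRescue` split and the two-day delay are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative sketch only: names, signatures and the delay are assumptions,
// not taken from the BXH contracts.
contract StakingPoolSketch {
    address public immutable stakingToken; // token users deposit
    address public owner;                  // ideally a multisig, not a single EOA
    uint256 public constant RESCUE_DELAY = 2 days;

    struct Rescue { address token; uint256 amount; uint256 readyAt; }
    Rescue public pending;
    event RescueQueued(address indexed token, uint256 amount, uint256 readyAt);
    event RescueExecuted(address indexed token, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _stakingToken, address _owner) {
        stakingToken = _stakingToken;
        owner = _owner;
    }

    // Risky pattern: one key can move any token, user deposits included, in one call.
    // function InCaseTokensGetStuck(address token, uint256 amount) external onlyOwner {
    //     IERC20(token).transfer(msg.sender, amount);
    // }

    // Hardened form, step 1: announce the rescue on-chain; user deposits are excluded.
    function queueRescue(address token, uint256 amount) external onlyOwner {
        require(token != stakingToken, "cannot rescue staked funds");
        pending = Rescue(token, amount, block.timestamp + RESCUE_DELAY);
        emit RescueQueued(token, amount, pending.readyAt);
    }

    // Step 2: executable only after the delay, so users and monitors can react.
    function executeRescue() external onlyOwner {
        Rescue memory r = pending;
        require(r.readyAt != 0 && block.timestamp >= r.readyAt, "not ready");
        delete pending;
        require(IERC20(r.token).transfer(owner, r.amount), "transfer failed");
        emit RescueExecuted(r.token, r.amount);
    }
}
```

Tokens that do not return a boolean from `transfer` would revert here; a production version would use a safe-transfer wrapper such as OpenZeppelin's SafeERC20.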
