CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Reports
Incident Analysis
Chibi Finance Incident Analysis
6/27/2023
Chibi Finance Incident Analysis

Introduction

On 27 June 2023, Chibi Finance team orchestrated an exit scam that led to the loss of over $1 million of investor funds. The project leveraged centralization risks to remove users funds from Chibi owned contracts. The funds were then swapped for ETH and bridged to the Ethereum network before being deposited into Tornado Cash. This incident represents the 12th major incident that CertiK have uncovered on the Arbitrum network in 2023 which has seen over $14 million lost due to hacks, scams and exploits.

Event Summary

The Chibi Finance exit scam occurred on 27 June, though was likely pre-planned. On 15 June, externally owned address 0xa3F1 withdrew 10 ETH from Tornado Cash. Two ETH was bridged to the Ethereum network, then 4 days later on 19 June, another 7.8 ETH was bridged. The majority of that ETH was sent to EOA 0x1f19 but on 23 June, 0.2 ETH was sent to EOA 0x80c1 in order to cover gas fees of adding Chibi’s pools, which would later be emptied, and the creation of contract 0xb612.

image-20230627-131842 Chibi continued to push the hype for their project and on 26 June, announced in their Telegram that they had been listed on Coin Gecko. image-20230627-132018 Image: Chibi Finance Discord Announcement: Source Twitter However, on 27 June, a setGov() function was called within each of Chibi’s pools and the gov address was set to contract 0xb612. In Chibi’s contract, the gov address is the equivalent of the owner address. Chibi’s functions were protected by a onlyGov role, denoting which wallets were permitted to execute them. image-20230627-135709 Image: setGov() transactions. Source: Arbiscan With control over the pools 0x80c1 removed liquidity totalling 539 ETH. They also received a further 17.9 ETH from 0x1f19 for a combined total of 556 ETH. image-20230627-141619 (1) Image: Swapping stolen Funds for WETH. Source: Arbiscan These funds were then bridged to Ethereum in two transactions, 400 ETH via Multichain and 156 ETH via Stargate Bridge. A total 555 ETH was deposited into Tornado Cash then 2 times 0.5 ETH transactions were made to two different EOAs. One to a new wallet, 0x9297, which still holds the ETH as of writing. The other 0.5 ETH was sent to junion.eth who had previously sent an on-chain message to the Euler exploiter, thanking them for their service. image-20230627-143351 Image: On-chain message. Source: Etherscan

Attack Flow

The exit scam was possible due to the centralization privileges that the _gov() role has in the Chibi Finance contract. The attack began on the June 23rd when the EOA 0x80c1 received 0.2 ETH from EOA 0xa3F1 and created a malicious contract Screenshot 2023-06-27 at 19.38.52 Image: Malicious Contract Creation. Source: Arbiscan

The next stage was to call addPool() on multiple contracts owned by Chibi Finance

Screenshot 2023-06-27 at 19.41.58 Image: addPool() Called. Source: Arbiscan

On 27th June, the deployer of the Chibi Finance contracts calls setGov() on multiple Chibi contracts which assigned the malicious contract created by EOA 0x80c1 to the _Gov role. This role is in a privileged rights in the Chibi Finance contract and allows the exploiter to call panic() which removes users funds from the contracts.

Screenshot 2023-06-27 at 19.54.53 Image: setGov() transactions with Example txn. Source: Arbiscan

EOA 0x80c1 calls execute() within the malicious contract which begins the draining of funds. The malicious contract goes through each Chibi Finance contract to which was added in the addPool() transactions called on 23rd June and calls panic(). This function pauses the contract and withdraws funds within.

Screenshot 2023-06-27 at 20.07.23

The stolen funds were then transferred to EOA 0x80c1. Screenshot 2023-06-27 at 20.17.25 Image: Stolen funds. Source: Arbiscan

The funds were then swapped for WETH, bridged to the Ethereum network and deposited into Tornado Cash.

Conclusion

To date, CertiK has recorded 12 incidents on Arbitrum in 2023, including the Chibi Finance exit scam, which accounts for a total of $14 million. The Chibi Finance incident demonstrates the risks that are associated with centralization in the Web3 space. The deployers behind the project abused privileged positions to steal users funds and then deleted all social media accounts including the project’s website. It is an unrealistic expectation for regular investors to spot and understand the centralization risks within projects like Chibi Finance by simply doing their own research. This is where the value of experienced auditors from CertiK is shown. CertiK clearly outlines centralization risks within audits to help investors understand the risks associated with a project. Be sure to visit CertiK Skynet - Web3 Security, Due Diligence and Insights and read more about centralization risks in our blog.

Related Stories
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
Risk On Blast Incident Analysis
Blogs
Incident Analysis
On 24 February, GambleFi project RiskOnBlast is thought to have become the first confirmed exit scam to occur on the Blast ecosystem, a layer-2 project on Ethereum.
3/29/2024
OrdiZK Incident Analysis
Blogs
Incident Analysis
On the 5th March, CertiK confirmed OrdiZK orchestrated an exit scam that over a period of time stole approximately $1.4 million. In this incident the scammers used a verity of tactics to steal from investors including hoarding taxes from sales, dumping a large amount of tokens and abusing privileged roles to empty project contracts. This incident is the 6th exit scam of 2024 where losses have exceeded $1 million, contributing to the over $64 million lost to exit scams in 2024 so far.
3/8/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;