CertiK - Boy X Highspeed Incident Analysis

Back to all stories

Reports

Incident Analysis

Boy X Highspeed Incident Analysis

9/23/2022

Boy X Highspeed (BXH) – a financial services platform for Web3 and metaverse related assets – has suffered a loss of at least $2.4 million across its operations on BSC, Avalanche, and HECO Chain. Complaints have arisen on social media channels claiming that the team behind the project has exit scammed.

BSC Daily News tweeted out an alert stating that BXH has rugpulled for $12.5 million. This number cannot be independently verified at this time.

However, CertiK has analyzed on-chain data and can confirm that the externally-owned account (EOA) 0xafc6e88c90334618e73eadc04b0f9dc0482f7be3 repeatedly invoked the privileged function InCaseTokensGetStuck() on the project’s staking pool contracts on BSC, Avalanche, and HECO Chain.

BXH Code Snippet

At present, it appears as though the funds have been aggregated on the Ethereum mainnet, for a total of $2,433,665.79 or ~1,865 ETH. The attacker bridged a total of 1,228.73 ETH from BSC to Ethereum, 267.34 ETH from Avalanche to Ethereum, and 105.49 ETH from HECO Chain to Ethereum. This address has since sent the funds to Tornado Cash to be laundered.

The affected contracts were deployed in May 2022. This exploit began on September 20 and the stolen funds began to be sent to Tornado Cash on September 23.

The BXH team released a statement saying that they were “deeply sorry for the recent security incident.” The statement outlined a path forward for the project, without detailing how affected users would be reimbursed for their losses.

A Telegram channel has been set up to provide affected users with a place to discuss the ongoing event. An unverified document has been posted in the channel which appears to be a press release in Chinese stating that BXH fell victim to a phishing scam, there is no fault on the part of the team, and they are cooperating with police.

BXH was not audited by CertiK. The “emergency function” InCaseTokensGetStuck() would have been flagged as a severe centralization risk in an audit. Functions such as this are a risk on multiple levels. They give privileged accounts the ability to drain affected contracts of all funds, which opens the door to malicious insiders taking advantage of this power, while also providing a prime target for phishers.

Related Stories

Blogs

Incident Analysis

Risk On Blast Incident Analysis

On 24 February, GambleFi project RiskOnBlast is thought to have become the first confirmed exit scam to occur on the Blast ecosystem, a layer-2 project on Ethereum.

3/29/2024

Blogs

Incident Analysis

Prisma Finance Incident Analysis

On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.

3/29/2024

Blogs

Incident Analysis

OrdiZK Incident Analysis

On the 5th March, CertiK confirmed OrdiZK orchestrated an exit scam that over a period of time stole approximately $1.4 million. In this incident the scammers used a verity of tactics to steal from investors including hoarding taxes from sales, dumping a large amount of tokens and abusing privileged roles to empty project contracts. This incident is the 6th exit scam of 2024 where losses have exceeded $1 million, contributing to the over $64 million lost to exit scams in 2024 so far.

3/8/2024