CertiK Logo
CertiK Logo
Products
Company
incident-response
Back to all stories
Analysis Reports
Pragma Incident Analysis
6/21/2022
Pragma Incident Analysis

In this post we look back on the Pragma Money incident which occurred on 05 May 2022. In total, ~$1.5m was removed from the Pragma Treasury and the Risk Free Value wallet by core members of the team before sending it to a Binance hot wallet on FTM.

What is Pragma Money

Pragma is a rebase token on the FTM chain that offered extremely high APY (up to 227,140%) for investors that staked $PRAGMA on the protocol. Pragma Money said that this was achievable through Pragma’s Auto Staking Protocol (PAP), which was marketed as the highest and fastest paying yield on FTM.

Furthermore, the project looked to attract investors by offering a monthly dividend of 10% which would be based on the growth of funds in the treasury. This treasury was managed by a team of “highly skilled” quantitative traders who would “guarantee” growth. In addition, 5% of trading fees would be redirected to the RVF wallet in order to “sustain and back the staking rewards”.

How did the attack happen?

On 05 May 22, it was alleged that one of the core members of the team drained the funds of the Treasury and RFV wallets, amounting to ~$1.5m in stolen assets. The two wallets were multi-sig meaning that they needed 3 out of 5 private keys to be accessed.

The two Multi-sig wallet addresses are:

0x131b7…- Treasury Wallet

0xd9Db…- RFV Walletlet

Looking on-chain we can see how the exploit took place: Funds from the Treasury and RFV wallet were transferred into EOA: ftm 0xDA58c0… which has been labeled as “Pragma Exploiter”.

QqZMkqvvCDdlQYFzn lH0cd7769tc Hw4SDSkhGNnRKH-CPS 3NXtpScOTnr1tM4OhbzaX3it9l0zlHxd5uZYyBrUOvowalTYajlHi27tBczZzVMRovqFu01DU26iJYfOj6nfxoQkoM2Qbx-FA

fVAaIG2fQtFHC W7CJ-RAArPOgvIJfWZ7MkOkJnwg4h3H0L e8Yqu2fTlAa6yC8OjI q6CjkqAsWBqegeLL3l3w2dHS1woh4icb4 qn7i7g17rnqNMpe5Y-kftKy-JHyOXgHMlyA1pwgv-O3qQ

The stolen funds were then transferred to EOA: ftm 0x6F39f… (labeled “Pragma Exploiter 2).

Ih6u99V1a fzZ3CVFFvWeK9lOTbqO6v0Vl1dSZBM57A8A1CDQv3vTC6AYbs52bLeQVTH3oj2pkflC6O3WJgEEontBznzIndmYYOesEgLaPmLVB7k5XrT3ETXpzRo-wKmFqPEa5kyXPQkFp3O8w

Finally the funds were transferred in multiple transactions to another wallet, EOA: ftm 0xEBf4F… which is a Binance hot wallet for FTM.

So, who was behind this exploit? Since the Treasury and RFV wallets were multi-sig, only trusted members of the team would have access to the stored assets. When we look back at the beginning, Pragma Money had a core team of 6 members:

  1. Adam
  2. Delita
  3. Sam
  4. Moggy
  5. Flynn
  6. Blender

On 10 May 22, Delita, who continued to update the community after the attack, accused Flynn and another member named Hemrik of hacking into another team member's wallet. They then used this member's private key, as well as their own to sign into the multi-sig wallets.

Flynn was the individual who was responsible for the Treasury wallet and managed it. Furthermore, they deleted all their messages from the Telegram group before removing themselves.

Updates

Pragma Money has used the Obsidian Council to verify its migration from V1 to V2 before the attack took place. Since 05 May 22, Pragma has reached out to the same organization to track down the stolen funds in an attempt to reimburse victims. The Obsidian Council announced on their Telegram on 19 May 22 that they have managed to get the Binance Security team to work with them, and the IP address of the exploiter has been found. However, specific details have not been revealed.

The announcement also claimed that the attacker has moved the stolen funds into Monero (XMR), one of the largest privacy coins. This essentially makes it impossible to take the stolen funds any further. However, the Obsidian Council claims that they may have the identity of one of the accomplices, and have said they’ll work with law enforcement to help prosecute the perpetrators. 

You can keep up with the Pragma investigation on the Obsidian Councils Discord server.

Security

This is an example of how easily centralization can be exploited by malicious actors, even by members of a team that you trust. A CertiK audit is a great resource to help you DYOR where you can be informed of the risks of a project before investing. In addition, a CertiK KYC goes in-depth on the project and the individuals involved. This includes any past projects that the team have been involved in, as well as criminal background checks. If you see a project with a KYC badge that means our highly skilled KYC analysts are confident in the legitimacy of the company. Check out CertiK leaderboard for the KYC badge to aid you in doing your own research.