Just over a year ago, Bitmart’s hot wallets on Ethereum and BNB Smart Chain (BSC) were compromised leading to $195 million in assets. The majority of the value stolen came from ERC-20 and BEP-20 tokens which were then converted into ETH and BNB before being deposited into Tornado Cash. This attack shows just how devastating hot wallet compromises can be and ranked in the top 10 of all incidents in 2021 for funds lost.
On 5 December, 2021, Bitmart announced on Twitter that a large scale security breach had occurred which forced the exchange to pause withdrawals to prevent further losses. In their official announcement, Bitmart attributed the security incident to stolen private keys on two of their hot wallets and cited that up to $150 million in assets had been transferred to the hackers wallet. This figure was later assessed to be $195m.
The attack began on 4 December at 21:31:09 UTC+ with the transfer of various ERC-20 tokens such as Shiba Inu, Dogelon, and Gala from the Bitmart Ethereum wallet. In addition, roughly 148.8 ETH was also transferred to the hacker's wallet. A similar pattern occurred on the BSC wallet which saw assets being transferred to the hacker's wallet at 22:00:35 UTC+.
There were two curious transactions that took place approximately 13 minutes before the BEP-20 tokens were transferred in bulk to to hacker's address on the BSC side. On 4 December at 21:47:14 UTC+, Bitmart's compromised wallet sent ~113.57 BNB to the hacker, which was then sent back to Bitmart roughly 11 minutes later. At 22:20:38 UTC+ and 22:27:38 UTC+, a total of 100 BNB is transferred back to the hacker. It is highly likely that Bitmart’s wallet was already compromised at the time the ~113.57 BNB was transferred to the hacker's wallet at 21:47:14 UTC+. This is mainly because the attack on the Ethereum hot wallet was well under way. But why would the hacker send back the BNB, just before the exploit took place? When we take a look at the analytics of the Bitmart wallet on BSC, we can see that come late November / early December 2021 the wallet held very low amounts of BNB.
There’s a realistic possibility that at the time of the exploit that Bitmart’s hot wallet had no more than ~113 BNB meaning that the hacker wouldn’t be able to transfer the BEP-20 tokens out of the compromised wallet due to a lack of gas funds. This would explain why the hacker sends back the BNB, then transfers 100 BNB back once the BEP-20 tokens had been stolen.
Once the ERC-20 and BEP-20 tokens had been transferred into the hackers wallet, the funds were then swapped to ETH and BNB respectively. In total, the hacker was able to deposit ETH and BNB into Tornado Cash worth $108,123,675.79.
We can see flow of funds below on the Ethereum mainnet.
Bitmart reassured their customers that the vast majority of funds were safe and that those customers who had lost assets would be reimbursed. However, media reports up until January 2022 claimed that customers were still waiting to be made whole after the exploit. Due to the incident, Bitmart replaced its depositing wallets on multiple chains to ensure tighter security, though it also implies that wallets on multiple chains could possibly have been at risk.
Hot wallet compromises can lead to devastating consequences for companies such as exchanges. In 2022, we have already seen that over $302 million have been lost due to private key compromises. If it is confirmed that the FTX wallets were compromised due to stolen private keys that will put that number up to ~$779 million.
CertiK can help projects and investors understand the risks of hot wallet compromises by understanding the centralization risks in a projects protocol. You can view all of CertiK’s audits by visiting certik.com and searching for the project that you’re interested in. In addition, make sure to follow @CertiKAlert on Twitter to ensure that you are kept up to date with all the relevant Web3 security incidents.