On 27 June 2023, Chibi Finance team orchestrated an exit scam that led to the loss of over $1 million of investor funds. The project leveraged centralization risks to remove users funds from Chibi owned contracts. The funds were then swapped for ETH and bridged to the Ethereum network before being deposited into Tornado Cash. This incident represents the 12th major incident that CertiK have uncovered on the Arbitrum network in 2023 which has seen over $14 million lost due to hacks, scams and exploits.
The Chibi Finance exit scam occurred on 27 June, though was likely pre-planned. On 15 June, externally owned address 0xa3F1 withdrew 10 ETH from Tornado Cash. Two ETH was bridged to the Ethereum network, then 4 days later on 19 June, another 7.8 ETH was bridged. The majority of that ETH was sent to EOA 0x1f19 but on 23 June, 0.2 ETH was sent to EOA 0x80c1 in order to cover gas fees of adding Chibi’s pools, which would later be emptied, and the creation of contract 0xb612.
Chibi continued to push the hype for their project and on 26 June, announced in their Telegram that they had been listed on Coin Gecko.
Image: Chibi Finance Discord Announcement: Source Twitter
However, on 27 June, a setGov() function was called within each of Chibi’s pools and the gov address was set to contract 0xb612. In Chibi’s contract, the gov address is the equivalent of the owner address. Chibi’s functions were protected by a onlyGov
role, denoting which wallets were permitted to execute them.
Image: setGov() transactions. Source: Arbiscan
With control over the pools 0x80c1 removed liquidity totalling 539 ETH. They also received a further 17.9 ETH from 0x1f19 for a combined total of 556 ETH.
Image: Swapping stolen Funds for WETH. Source: Arbiscan
These funds were then bridged to Ethereum in two transactions, 400 ETH via Multichain and 156 ETH via Stargate Bridge. A total 555 ETH was deposited into Tornado Cash then 2 times 0.5 ETH transactions were made to two different EOAs. One to a new wallet, 0x9297, which still holds the ETH as of writing. The other 0.5 ETH was sent to junion.eth who had previously sent an on-chain message to the Euler exploiter, thanking them for their service.
Image: On-chain message. Source: Etherscan
The exit scam was possible due to the centralization privileges that the _gov() role has in the Chibi Finance contract. The attack began on the June 23rd when the EOA 0x80c1 received 0.2 ETH from EOA 0xa3F1 and created a malicious contract Image: Malicious Contract Creation. Source: Arbiscan
The next stage was to call addPool() on multiple contracts owned by Chibi Finance
Image: addPool() Called. Source: Arbiscan
On 27th June, the deployer of the Chibi Finance contracts calls setGov() on multiple Chibi contracts which assigned the malicious contract created by EOA 0x80c1 to the _Gov role. This role is in a privileged rights in the Chibi Finance contract and allows the exploiter to call panic() which removes users funds from the contracts.
Image: setGov() transactions with Example txn. Source: Arbiscan
EOA 0x80c1 calls execute() within the malicious contract which begins the draining of funds. The malicious contract goes through each Chibi Finance contract to which was added in the addPool() transactions called on 23rd June and calls panic(). This function pauses the contract and withdraws funds within.
The stolen funds were then transferred to EOA 0x80c1. Image: Stolen funds. Source: Arbiscan
The funds were then swapped for WETH, bridged to the Ethereum network and deposited into Tornado Cash.
To date, CertiK has recorded 12 incidents on Arbitrum in 2023, including the Chibi Finance exit scam, which accounts for a total of $14 million. The Chibi Finance incident demonstrates the risks that are associated with centralization in the Web3 space. The deployers behind the project abused privileged positions to steal users funds and then deleted all social media accounts including the project’s website. It is an unrealistic expectation for regular investors to spot and understand the centralization risks within projects like Chibi Finance by simply doing their own research. This is where the value of experienced auditors from CertiK is shown. CertiK clearly outlines centralization risks within audits to help investors understand the risks associated with a project. Be sure to visit CertiK Skynet - Web3 Security, Due Diligence and Insights and read more about centralization risks in our blog.