On 7 February 2023, CertiK detected a 97% drop in the price of LianGo Protocol's token (LGT). Upon investigation, CertiK found that the LGT being sold originated from the LGT Pool contract. The liquidity pool (LP) token address stored in the LGT Pool contract had been changed by the contract's owner, which leads to the conclusion that this incident was likely caused by a private key compromise.
At 03:32:45 PM +UTC on 07 February 2023, the LP token address in the LGT Pool contract was changed from 0x611f7… to 0x621fe… by the owner of the LGT Pool contract. 0x621fe… is a malicious contract that had been deployed a month earlier, on 07 Jan 2023, by contract 0xf877C…, which was in turn deployed by the exploiter (0x36d17…).
On 7 February 2023 at 03:32:27 PM +UTC, externally owned account (EOA) 0x36d17… initiated a transaction that drained the LGT Pool contract. In total, 6,148,859.35 LGT were transferred out of the LGT Pool to 0x36d17…. From there, the LGT was swapped for $1,628,168.69 worth of other assets, which were transferred to 0xcb65d…. The attack was possible because the LGT Pool's LP token address had been set to 0x621fe…, a contract controlled by the exploiter, so the pool trusted an asset the attacker fully controlled.
Image: LGT Exploit Transaction. Source: BscScan.
Since the incident, multiple EOAs have tried to withdraw tokens from the LGT Pool contract, but their transactions reverted because the pool had already been completely drained.
Image: Failed withdraw transactions on LGT contract. Source: BscScan.
This incident was likely the fifth private key compromise we have seen in 2023, bringing the total lost to such compromises to $9.2 million so far. However, the LianGo incident appears to be the first in 2023 where a compromised wallet led to losses for a protocol exceeding $1 million; the other private key incidents appear to involve individual investors losing control of their wallets and, as a consequence, their funds. In 2022, private key compromises resulted in losses of over $1.5 billion, and the LianGo incident demonstrates how devastating these events can be for protocols. Unfortunately, we are highly likely to see further incidents in which millions of dollars are lost to private key compromises.
This incident can be broken down into a preparation stage (deploying the malicious LP token contract 0x621fe… on 07 Jan 2023) and an attack stage (repointing the LGT Pool's LP token address to that contract and draining the pool on 07 February 2023).
At the time of writing, the $1,628,168.69 taken remains in wallet 0xCb65d…, which was funded by Tornado Cash on 11 Dec 2022 at 09:00:26 PM +UTC.
Image: Tornado Cash fund. Source: BscScan.
Evidence points to this exploit having been fundamentally caused by a private key compromise of the LGT Pool owner address. The incident highlights the broader issue of centralization in smart contracts: because a single EOA could change a critical contract parameter with one transaction and no delay, the likely compromise of that EOA led to the loss of approximately $1.6 million from the LGT Pool contract. An audit from CertiK flags centralization issues, which we consider a major security risk. You can view the protocols that CertiK has audited and check whether the project you are researching has any centralization risks, and what it has done to mitigate such findings, by visiting CertiK.com.
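The attack pattern described in the preparation and attack stages above, and the centralization risk raised in this paragraph, as an added illustration. This is the editor's example, not LianGo's code: the pool's accounting, the reward formula, the FakeLpToken contract and the 48-hour timelock are assumptions chosen to make the failure mode concrete. The vulnerable pool lets a single owner key repoint the LP token it trusts; the hardened version makes that address immutable and puts any remaining privileged change behind a delayed, announced two-step process.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Editor-added illustration of the "owner-swappable LP token" pattern.
// NOT LianGo's source: pool accounting, reward rate, FakeLpToken and the
// timelock window are assumptions used to show the failure mode.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// --- Vulnerable: one EOA can repoint the trusted LP token instantly ---
contract VulnerablePool {
    address public owner;
    IERC20 public lpToken;                          // mutable, owner-controlled: the centralization risk
    IERC20 public immutable rewardToken;            // e.g. LGT, held by this contract
    uint256 public constant REWARD_PER_TOKEN_PER_SEC = 1e12; // assumed emission rate

    struct Stake { uint256 amount; uint256 since; }
    mapping(address => Stake) public stakes;

    constructor(IERC20 _lp, IERC20 _reward) { owner = msg.sender; lpToken = _lp; rewardToken = _reward; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // A single transaction from the owner key replaces the asset the pool trusts.
    function setLpToken(IERC20 _lp) external onlyOwner { lpToken = _lp; }

    function deposit(uint256 amount) external {
        // The pool believes whatever lpToken.transferFrom reports.
        require(lpToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        Stake storage s = stakes[msg.sender];
        s.amount += amount;
        s.since = block.timestamp;
    }

    function withdraw() external {
        Stake memory s = stakes[msg.sender];
        delete stakes[msg.sender];
        uint256 reward = s.amount * REWARD_PER_TOKEN_PER_SEC * (block.timestamp - s.since) / 1e18;
        uint256 bal = rewardToken.balanceOf(address(this));
        if (reward > bal) reward = bal;              // a huge fake stake empties the pool here
        require(rewardToken.transfer(msg.sender, reward), "reward transfer failed");
        require(lpToken.transfer(msg.sender, s.amount), "lp transfer failed");
    }
}

// --- Preparation stage: an "LP token" that never moves value but always reports success ---
contract FakeLpToken is IERC20 {
    function balanceOf(address) external pure override returns (uint256) { return type(uint256).max; }
    function transfer(address, uint256) external pure override returns (bool) { return true; }
    function transferFrom(address, address, uint256) external pure override returns (bool) { return true; }
}
// Attack stage, with the compromised owner key (sequence of calls, as assumed here):
//   pool.setLpToken(fake);   // from the owner address
//   pool.deposit(1e40);      // no real LP moves; the stake is credited anyway
//   (wait for a later block so block.timestamp - since >= 1)
//   pool.withdraw();         // reward is capped at the pool's whole reward balance: drained

// --- Hardened: the trusted asset is fixed; remaining privileged changes are delayed and public ---
contract HardenedPool {
    IERC20 public immutable lpToken;                // no setter exists; cannot be repointed
    IERC20 public immutable rewardToken;
    address public owner;                           // deploy with a multisig here, never a single EOA
    uint256 public constant DELAY = 48 hours;       // assumed timelock window
    uint256 public rewardPerTokenPerSec = 1e12;
    uint256 public pendingRate;
    uint256 public pendingRateEta;

    event RateProposed(uint256 newRate, uint256 eta);
    event RateApplied(uint256 newRate);

    constructor(IERC20 _lp, IERC20 _reward, address _multisig) {
        lpToken = _lp; rewardToken = _reward; owner = _multisig;
    }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Two-step change: the proposal is on-chain and emitted for DELAY before it can take
    // effect, so users and monitoring have time to react to a compromised or rogue owner.
    function proposeRate(uint256 newRate) external onlyOwner {
        pendingRate = newRate;
        pendingRateEta = block.timestamp + DELAY;
        emit RateProposed(newRate, pendingRateEta);
    }

    function applyRate() external onlyOwner {
        require(pendingRateEta != 0 && block.timestamp >= pendingRateEta, "timelock active");
        rewardPerTokenPerSec = pendingRate;
        pendingRateEta = 0;
        emit RateApplied(pendingRate);
    }
    // deposit/withdraw would follow the same shape as above, but lpToken can never be
    // swapped for a contract the attacker controls.
}
```

The point of the hardened contract is not the specific parameter it protects but the shape of the change: anything an owner can alter that the pool's accounting trusts should either be immutable or go through a visible delay, and the owner role itself should be a multisig or timelock contract rather than a single private key.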