Recently a theft of 15 Million $NANO (Formerly $XRB) from the Bitgrail Exchange occurred which at the time of this writing amounts to $135,000,000 USD in value and appears to be the result of a malicious hack. Owner of Bitgrail Francesco, @bomberfrancy reported the hack to the NANO Dev team via a private chat application they used for development projects.
How did this hack and massive online heist happen?
Hacker may have exploited a double spend bug to steal Nano
If a malicious user sends money to two wallets and succeeds to block one wallet from knowing that he sent the same money to another wallet of his own, both wallets will accept the payments. This is bad because even a temporary network connection problem could lead a payment node to not detect double spending. While the accounting term "spending" is used what is really happening is two credits are received. For every $100 requested you get $200.
Here's where we first see evidence of duplicate transactions
The hacker's wallet address was given to us by Francesco in his conversation with the Nano developers. From there we're able to find several other wallets that are tied to the hacker. Including one that receives several large sums from the hacker's identified wallet and sends the exact same amount to BitGrail Rep 1 in return. Why are they doing this?
The first priority of a hacker after intrusion is to eliminate detection.
Effectively what the hacker was doing was taking advantage of the duplicate spend exploit.
- Request $100 from the hot wallet
- Receive $200 from the hot wallet
- Return $100 to the cold storage wallet
This kept Francesco from immediately detecting the loss of his funds since they were returned immediately after being stolen. His accounting seemed accurate until it was too late. Allowing the hacker to continue to take out funds undetected while the node was disconnected from the network and return them before it was reconnected.
Think of it like this...
Francesco puts 1,000 NANO in to cover sales for the day. The hacker takes 500, is credited 500 more, and returns 500 to the cold wallet. Now Francesco sees one transaction for $500 from his hot wallet was credited by checking his own internal database that keeps track of valid transactions. He only sees $500 missing from his cold storage wallet because the hacker has returned $500 so he replenishes another $1,000 NANO and the cycle continues.
Eventually the Hacker was moving 1 Million XRB in one transaction.
The hacker may have cut the node from the network to stop the hot wallet from noticing the additional funds were missing while taking advantage of the duplicate spend exploit. This type of attack known as a man in the middle attack may have given the hacker the access they needed to inject data into the database of the exploited node during the attack.
It also facilitates the disconnect necessary to block the node from seeing the double spend.
Initially the double spend exploit was blamed on the exchange
Early reports stated that BitGrail users were able to take advantage of a simple javascript exploit from within the exchanges dashboard to withdraw more than their balances should've allowed them. Yet there is one very strong indicator that this was not the case and that is the fact that the hacker had access to BitGrail Rep 1. Customers on the BitGrail exchange were paid from BitGrail Rep 2, not BitGrail Rep 1. This was explained by Bomber in the last chat he had with the Nano Developers. If the theft of XRB was happening from within the exchange dashboard the stolen transactions would only been linked to BitGrail Rep 2, but they weren't.
Several transactions happened between the hackers wallet and BitGrail Rep 1
How did the hacker gain access to the both the hot and cold wallets?
According to a reddit post by the Nanex exchange owner: if the Nano API is hooked up in the way that KuCoin and BitGrail were using it; sends are not idempotent. As a result, if anything in the system failed or resent a message for whatever reason, it would effectively "double withdraw". While the Nanex exchange owner implies this dissolves the Nano core team from an responsibility I would have to firmly disagree. The API is provided by the blockchain developers as a way for exchange owners to connect a node that will interact with a blockchain. While this may be a routine job for a larger exchange with a larger team of developers, it may have been more than what a smaller, one man exchange could handle.
The Nano team have helped the exchange in implementing the API for their node, they even have a team member dedicated to web services (APIs). So why didn't they help Francesco implement the proper API that would've prevented double withdrawals? And why did they tell people this exchange was safe when they knew it didn't implement the proper node to secure transactions from a duplicate spending bug. While some media outlets have tried to downplay the amount of XRB(Nano) that was sold on BitGrail, coinmarket.com shows their volume was over $45 Million daily in their $XRB markets. Nothing to sneeze at!
In his final conversation with the core team Francesco wanted one answer that the devs gave him. That was whether or not the timestamps could be faked. If they could, it's possible that many of the transactions traced to the hackers wallets that appeared to happen months ago could've instead happened during the brief timespan of the hack. And while the story left behind is one of months of insolvency the truth could be that it all happened in a flash.
Until we have more answers from the investigation into both sides the exchange and the Nano devs, it will be difficult to know exactly what happened here. Francesco has told people on twitter that he will try to recover their funds which is more than we've heard from the Nano dev team although this doesn't rule out any restitution plans of their own.
—
According to The Nano / Raiblocks Frontiers List the Bitgrail Wallet currently holds 4 Million Nano making it the 5th richest wallet on the network. Neither Bitgrail or Nano are offering any type of restitution or a formal explanation at this time. Both sides have issued statements and the theft was reported to Italian police, and published in Italian and global news sites.
double spend bug explanation: Bitcoin Talk Forum Post
NANO Wallet Images Following the XRB Paper Trail by Lee Diddy
follow me on twitter: @cryptostratton
Very good explanations!
thank you I'm glad you gained something from it! 🙏
Wow, best explanation so far. Makes sense to me. I'm disappointed in the way the Nano dev team is dealing with this situation.
Many people got suspicious when Francesco suspended withdrawals without prior notice for so called KYC regulatory reasons, and some accused him of effectively violating his own ToS. So when he then announced the hack, I can understand why people thought he was trying to do an exit scam. His way of communicating and quarrelling on Twitter with frustrated account holders did not help either.
For me it would somehow be more bearable if I lost my Nano to an external hacker than if I lost my nano to Francesco. But then, I can perfectly understand if someone who just lost most of his life savings disagrees with me on this.
appreciate it I'm sure we'll find out more as the hack is being investigated by the police!