On 10 September 2021 a recently established Polygon farm, AFK System, stole over 12 million USD of users' funds and deleted every footprint it had on the web and social media. The funds in the AFK farms, held in AFK's two MasterChef smart contracts, were emptied and laundered via Tornado Cash. This is a summary of the events, with relevant links.
From the OBELISK AUDIT TRANSCRIPT at https://twitter.com/ObeliskOrg/status/14364938981809315881:
1. On August 21, AFKsystem contacted Obelisk to audit their blockchain contracts. The audit began in early September.
2. During the audit we found multiple instances of errors that could be used maliciously. As part of the audit process, a first draft was sent to AFKsystem with proposals to solve the problems.
3. On September 11 (September 10 UTC), AFKsystem withdrew the deposited funds in the middle of the audit. It is important to emphasize that a project in the middle of an audit process is still risky.
4. The following transactions show how the contracts were abused and the deposited funds were sent to the following wallet:
The following is the chain of events (time in UTC):
a. On August 22, the wallet that created the contracts for the AFKsystem platform (0x0a301bdf8c02d19d8204712d9ef10fa38c6109e7) designated the wallet 0x9da2d6227af424b786bc9fd1264bbdf833361c43 as owner in order to operate the service, and provided it with MATIC funds.
This is common, since the creator wallet is usually a personal wallet, while the one left as owner with access to the contracts is locked behind a "multi-signature" scheme that requires the agreement of all developers.
b. On September 10 at 7:28 UTC, the owner wallet, through a series of malicious contracts (such as 0x693c90b087969d2714b9e26d0beac1920abb8e37), appointed the contract 0x3fe14e93cbbad3fbe11182e639b3e9075db83dbe (https://polygonscan.com/address/0x3fe14e93cbbad3fbe11182e639b3e9075db83dbe) as administrator.
Here is one of the transactions making this change, as an example (the function called is setGov(address _govAddress)):
https://polygonscan.com/tx/0x8888a3a0ba6e60e04c4662596bddee94e77827e7a9274b532c1f1ebbc3ab2b23
c. By interacting with users' funds through that contract, they were able to execute multiple operations in one step, withdrawing almost all of the users' funds without giving them time to react. For example, one of the transactions withdrawing user funds and sending them to the original wallet that created the contracts (the one that had received funds from wallets linked to the Singapore exchange MEXC):
d. The trace of the alterations introduced into the contracts holding users' funds, via the malicious contracts, can be followed in the Tenderly application:
https://dashboard.tenderly.co/tx/polygon/0xa4dafd21de907f594344876dd43977e2f03ab541085495ea5010a0c5d53fe470/debugger?trace=0.0
e. The owner of the contracts (0x0a301bDf8C02d19d8204712D9Ef10fa38c6109E7), at 7:40 UTC in the afternoon, began to sell all the stolen funds and convert them to ETH.
f. Subsequently, they sent all 2,277.20 ETH obtained from those sales (approximately $8 million) to the wallet 0x9d97b6864015427ab2b887373f9975a53a8802e7:
https://polygonscan.com/tx/0x35532a75e8183016071a1fd0ca4558b6c2e91f91ac34eda52f7bec6665a987be, which immediately forwarded them to the final wallet 0x56eb4a5f64fa21e13548b95109f42fa08a644628:
g. The funds were then migrated to the Ethereum blockchain (together with the ETH received from the wallet that owns and manages the contracts, 0x9da2d6227af424b786bc9fd1264bbdf833361c43), for a total of 2,345.86 ETH:
https://polygonscan.com/tx/0x623a02f546969e71d71a9534d1c8667f01bb69a438515914a41776a90be967f8 where they were deposited into the tornado.cash app (for private transactions); the address was flagged as a participant in the theft by etherscan.io:
h. The owner of the contracts (0x0a301bDf8C02d19d8204712D9Ef10fa38c6109E7) also sent $2.8 million of DAI to the wallet 0x56eb4a5f64fa21e13548b95109f42fa08a644628:
https://polygonscan.com/tx/0x0c3b08bdb20c622434eff98e8f61df449ecc0ddaa6e15cf0121cb691eb27bac8, which was also migrated to the Ethereum blockchain:
https://polygonscan.com/tx/0x69b8537971d63f0ad09b0c54f56a946234dcec926b258761008056d609e65ace and laundered via tornado.cash.
This could have been just one more of the many hacks exploiting smart-contract vulnerabilities in DeFi protocols that we have grown used to reading about over the last couple of years. This time, however, is different, and in a way more concerning, for the following reasons:
1. The cons planned the con job from the beginning: it was not an opportunistic money grab triggered by some unforeseen event but a premeditated job, executed over several weeks.
2. The cons managed to approach, interact with, and onboard representatives from:
a) the Polygon protocol, even convincing them to promote the platform during an AMA on social media, during which the AFK cons were quizzed with friendly questions by Polygon's representatives, building trust among users and other platforms on Polygon;
b) other farms/lending protocols (among them Mai.finance, Gravityfinance.io, Iron.finance, PolyCat.finance and others), in some cases co-opting moderators from these platforms to work as moderators on the AFK Telegram chat, thus generating a cascading trust-validation effect: from the main protocol (Polygon), to other leading platforms running on it, to the users of those platforms, and even to the platforms' moderators themselves, who in some cases invested their personal money and got wrecked together with their own users. I have personally interacted with some of these moderators, and they told me about their sense of guilt and regret for involuntarily participating in the con job.
3. The cons used psychological influencing and suggestive techniques both in the AFK Telegram chat, which I obtained and studied for signs of such techniques, and in the follow-up after the con job was executed, in order to monitor and lead Telegram chats joined by victims, gather and study data on the victims, and make sure to slow down, delete or obfuscate evidence or tracks that might lead to their apprehension by law enforcement. I was myself muted and banned in one of those chats after I started questioning the lines of argument and techniques employed by self-appointed anonymous chat moderators.
4. The cons did not develop a complex, previously unknown smart-contract exploit. Instead they openly deployed malicious contracts and used the owner's privileges to perform an "emergency withdrawal" of funds, draining every pool and vault on the platform. This weakness was spotted by the auditing firm AFK System had initially retained; AFK responded by promptly firing the auditors and, shortly thereafter, pulling the trigger on the money. The combination of the anonymity Telegram affords, suggestive techniques playing on investors' greed, and low-level hacking techniques was enough to pull off the job and even obfuscate some of the tracks the cons left behind.
5. The cons went to great lengths to market the platform to existing users of Polygon platforms, co-opting representatives of those platforms, in order to generate trust and create a blind spot in users.
6. This is at least the second con job pulled by this team: an Ethereum address links them to another job performed some time ago. Clearly they are enjoying it and will probably continue until they get caught.
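As an added illustration (example code written for this write-up, not AFK System's contracts or Obelisk's audit material), the following Solidity shows the contract-level pattern behind steps b and c of the transcript and point 4 above, next to a hardened version. The function name setGov(address _govAddress) is taken from the transaction in the transcript; everything else (the contract names, emergencyWithdrawAll, the 2-day GOV_DELAY, the event names) is assumed for the example and is not a claim about how the AFK contracts were actually written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used below (standard interface, not AFK code).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Shared depositor bookkeeping. Both variants inherit this; the only
// difference between them is who can move the tokens held for depositors.
abstract contract StakingPool {
    IERC20 public immutable stakeToken;
    address public owner;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _stakeToken) {
        stakeToken = _stakeToken;
        owner = msg.sender;
    }

    function deposit(uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
    }

    // User-initiated exit of the caller's own balance, no admin involved. The
    // original MasterChef design has a depositor-side emergencyWithdraw like
    // this; it is not the admin drain described in the write-up.
    function emergencyWithdraw() external {
        uint256 amount = deposits[msg.sender];
        deposits[msg.sender] = 0;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
    }
}

// VULNERABLE PATTERN (illustrative reconstruction): the owner repoints `gov`
// with one call, and `gov` can sweep the whole pool balance. A helper contract
// can do both inside a single transaction, so depositors get no warning.
contract RuggablePool is StakingPool {
    address public gov;

    constructor(IERC20 _stakeToken) StakingPool(_stakeToken) {
        gov = msg.sender;
    }

    // Effective immediately: no delay, no event, no second step.
    function setGov(address _govAddress) external {
        require(msg.sender == owner, "not owner");
        gov = _govAddress;
    }

    // Admin "emergency" sweep (name assumed): moves every depositor's tokens to
    // an address chosen by gov, ignoring the `deposits` ledger entirely.
    function emergencyWithdrawAll(address to) external {
        require(msg.sender == gov, "not gov");
        uint256 bal = stakeToken.balanceOf(address(this));
        require(stakeToken.transfer(to, bal), "transfer failed");
    }
}

// HARDENED PATTERN: gov changes are announced on-chain and only take effect
// after a fixed delay, the new gov must claim the role itself, and there is no
// function at all that moves depositor balances to a third party.
contract TimelockedPool is StakingPool {
    uint256 public constant GOV_DELAY = 2 days; // assumed value for the example
    address public gov;
    address public pendingGov;
    uint256 public govEffectiveAt;

    event GovProposed(address indexed proposed, uint256 effectiveAt);
    event GovAccepted(address indexed newGov);

    constructor(IERC20 _stakeToken) StakingPool(_stakeToken) {
        gov = msg.sender;
    }

    // Step 1: announce. Anyone watching GovProposed can exit before it lands.
    function proposeGov(address _govAddress) external {
        require(msg.sender == owner, "not owner");
        pendingGov = _govAddress;
        govEffectiveAt = block.timestamp + GOV_DELAY;
        emit GovProposed(_govAddress, govEffectiveAt);
    }

    // Step 2: the proposed address claims the role, but only after the delay.
    function acceptGov() external {
        require(msg.sender == pendingGov, "not pending gov");
        require(block.timestamp >= govEffectiveAt, "timelock active");
        gov = pendingGov;
        pendingGov = address(0);
        emit GovAccepted(gov);
    }
    // gov keeps parameter-tuning rights only; deliberately no sweep of stakeToken.
}
```

The two things to check before putting money into a MasterChef fork are whether any privileged function can move the staked token anywhere other than back to its depositor, and whether privileged-role changes take effect instantly. In RuggablePool the answer to both is yes, which is why one transaction from a helper contract (setGov to an attacker-controlled contract, then emergencyWithdrawAll) empties the pool with no window for users to react. In TimelockedPool the role change is emitted as an event and cannot be claimed for GOV_DELAY, and no sweep function exists; a monitor watching for GovProposed gives depositors time to call emergencyWithdraw.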
DeFi crime is evolving from high-level hacks pulled off by experienced Solidity developers exploiting smart-contract vulnerabilities to plain-vanilla con jobs that build trust with key stakeholders in order to feed on the greed and inexperience of DeFi users.
Together with victims who have already gone to the police, I have prepared a template of a police report, which can be used as a draft by law enforcement authorities and filled in with victims' own personal data. I have linked to the template here; it is for the perusal of victims of this scam and also of other scams, who can modify it to take different events into account.
The template can be found here.
I invite all victims of this and other scams to take the time to report them to the police. Law enforcement uses advanced tools today and most cases can be solved. It is our collective responsibility to keep DeFi clean, safe and scam-free.