TurtleNetwork (TN) fund loss on Vindax.com
In the most unfortunate of events, especially on the 2nd anniversary of Turtle Network, Vindax.com suffered from a loss of $TN funds on it’s exchange. Vindax.com is a Vietnam-based cryptocurrency exchange that has one tradeable TN pair with USDt, active from Oct ’19.
As a community we believe in open and honest discussions and disclosures, and understand the pain that community members feel in having lost funds, in true form we have detailed the events below.
1: Vindax Notice alert to Turtle Network Core Team;
Wednesday April 15th 2020 @gordobtel received the following Telegram message from @VinDAXSupport;
“Hi, kindly check this file for an error report and we need the support from your side“ with an attached document”. and supplied the following Incident Report document of events at Vindax.com below;
2: In Summary:
A ‘Coin Validation Attack’ occured on Vindax.com on the 14th April ‘2020 – Coin Validation Attack being ‘Verification of AssetID missing thereby allowing any asset from a specific network to be credited‘. This exploit was from a misconfiguration on the Exchange for verifying $TN deposits.
The following details will try explain the events;
- Note: Vindax Exchange Wallet: https://explorer.turtlenetwork.eu/address/3Ju2df8mD1nrDtXYkdckdYU34fkBuapwXvA
- Note: Bad Actor Wallet on Vindax: https://explorer.turtlenetwork.eu/address/3Jr66U1RvrSn25NQpQ1Ve38bceACY2Fc544
- Note: Bad Actor Wallet on TN (Sent from to Vindax): https://explorer.turtlenetwork.eu/address/3JknAXs1oDSDQcRw6P7xxCrNVkeugLb8WUb | Alias “1009”
2.1 Fake ETH asset created on Turtle Network, sent to Vindax and credited:
(http://statistics.turtlenetwork.eu/assets/QYdPXaHaGWpoGina9hnYgetGH7cGmQVUW94QngnPVtt) Fake ETH asset (Etheereum) was sent to Vindax.com using the following https://explorer.turtlenetwork.eu/address/3Jr66U1RvrSn25NQpQ1Ve38bceACY2Fc544 address
- TX 1 (14.04.2020 01:24:17): https://explorer.turtlenetwork.eu/tx/BZkoojNJcxWkdDbrNch7E3kEbHzfuNnYv32FpDCueBR3
- TX 2: (14.04.2020 13:28:53): https://explorer.turtlenetwork.eu/tx/CJh3C43ZpRnt13Jqb9Wp5BvLLtNywE9wVAcguB4WTszY
- TX 3: (14.04.2020 16:19:00): https://explorer.turtlenetwork.eu/tx/G6P5VegVq2n9GMgEnt1YFTXUeov6bRmdvoght56S54qK
- Total: 490 000 fake ETH (Etheereum)
2.2 Vindax credited bad actor with TN
Vindax.com credit the bad actor exchanging from fake ETH (Etheereum) to TurtleNetwork (TN) seen in the screenshot below from Vindax exchange, they automatically converted ‘Etheereum’ token to ‘TN’ coin in the same account.
Vindax.com stated “At the time we did the integration for your TN, there was no Assets which is based on TN, thus, we didn’t add any filters relevant to asset:”, even though its clear on http://statistics.turtlenetwork.eu/assets/ that the first asset of ‘test’ was created on 04/18/2018 on Turtle Network.
2.3 Bad actor withdrew $TN from Vindax.com
Withdrawal details totals supplied by Vindax.com in the screenshot below;
Note: Total TN of initial 484 000 TN loss initially noted by Vindax in the IR report, subsequently checked/reviewed and confirmed to be 330 717 TN as the total loss.
- As per Vindax.com TG message 11:21:37 on 15/04/2020 “We have Locked account firstname.lastname@example.org, who try to withdraw incorrect asset, then we get back some TN , that’s why now 324,003”
- As per Vindax.com TG message 11:55:22 on 16/04/2020 with a document that included “Total Withdrawal = 23000+5000+165000+21000+100+116652+35 – (7*5 fee) = 330752. Total Loss = 15 – 330,752 = -330,737 TN”
- As per Vindax.com TG message 12:09:50 on 16/04/2020: @VinDAXSupport agreed to corrected numbers “330752 – (7*5 fee of 35) = 330 717″
Note: Bad Actor withdrawal of $TN to 2 address from Vindax.com:
- Address 1: https://explorer.turtlenetwork.eu/address/3JkXw8QTPAQddTqgd3gtJ838GbSfE9sPhnx
- Address 2: https://explorer.turtlenetwork.eu/address/3JknAXs1oDSDQcRw6P7xxCrNVkeugLb8WUb
Total funds sent to bad actor addresses: 330 752 TN
- Funds withdrawn to 3JkXw8QTPAQddTqgd3gtJ838GbSfE9sPhnx
- 164 995 TN on 04.2020 13:52:59 https://explorer.turtlenetwork.eu/tx/5m8em6NYzpunAj8AZyjPFzZB7AUSMxStmsqeJBRkZKJn
- 4995 TN on 04.2020 15:47:59 https://explorer.turtlenetwork.eu/tx/4dTteEEtdgACUkoBmVtqaCxYYvX6jrdUYX7RfWNUK31j
- 22995 TN on 04.2020 16:35:59 https://explorer.turtlenetwork.eu/tx/8c3dR6YXuDDxgCHWhtWPZVXsu4UBCXKorMk1cjxX4XVK
- Funds withdrawn to 3JknAXs1oDSDQcRw6P7xxCrNVkeugLb8Wub
- 30 TN on 13.04.2020 23:51:59 https://explorer.turtlenetwork.eu/tx/A5Nwq6cMfCKi7JmZk7uDZtzavgXv5vGUWzaAXWMpr1nM
- 116 647 TN on 14.04.2020 13:52:59: https://explorer.turtlenetwork.eu/tx/3MZXpAzK4YzUoBDSopFQeiwetNsj1pfwsUAtGS53F4C1
- 95 TN on 14.04.2020 03:50:59 https://explorer.turtlenetwork.eu/tx/2Gn4uvLBYYfzSSaTKhyC6KiY4mnrK7JsuBuyGcEAhV6B
- 20 995 TN on 04.2020 13:24:59 https://explorer.turtlenetwork.eu/tx/7qbmojSPvEoU7BFDfAWgMiJEHptR8JaB6E2Z3QErBzP3
2.4 – TN Withdrawals stopped in Vindax.com
- [Vindax.com]:TN Withdrawal’s stopped: 10: 52 pm 14th April 2020. in Vindax time GMT +7
- [Vindax.com]: Locked account email@example.com
2.5 – TN Alert to community
News Alert sent to Turtle Network News channel & main channel 09:09:46 am 15/04/2020 “Vindax.com has been hacked & TN funds have been stolen on that exchange
The result is a 484k TN loss on Vindax. We are not sure if and how vindax is going to solve this issue. Withdrawals of TN currently disabled.”
#Notes: (Currently waiting for feedback from Vindax.com on the below)
1: [Done] Amount of TN withdrew from Vindax don’t match the blockchain tx’s. Confirmed 330 717 TN as the total loss
2: [No Explanation] 214 169 TN deposited over same period – 3Ju2df8mD1nrDtXYkdckdYU34fkBuapwXvA Vindax account wallet has strange incoming transactions/deposits during this same period from multiple wallets. This is odd considering the TN community don’t use this exchange much especially over this period, the amount of TN and random addresses depositing.
3: [Done] Fixing of the verification issue needs to be completed & confirmed tested/completed.
Reply from Vindax.com on 16/04/2020 8:57:11: yes . fixed
4: [DONE] Amount of TN funds available after the incident, to be confirmed. (Vindax wallet shows 118.27639798 TN)
Reply from Vindax.com on 16/04/2020 8:57:24: 118.276 TN
5: [Unresolved] There is a request from Vindax.com, for TN payment, to make them whole of 330 717.
– Vindax.com have demanded that the Turtle Network team contribute the full stolen 330 717 TN funds, before the market is open again.
– Vindax have taken no responsibility in the theft of the TurtleNetwork (TN) coins on there system!