Syscoin has been hit by an unusual attack caused by a bug in its wallet. The attackers then sent illicitly obtained coins to Binance and sold them, pushing the price of 1 SYS to as high as 96 BTC. The BTC they received was then withdrawn, prompting Binance to temporarily cease trading and to reset all APIs, which are believed to have facilitated the attack.
Syscoin Gets Pumped, Binance Gets Rekt
96 BTC ($600,000) is a lot of money to pay for anything, not least a single altcoin that normally retails for a few cents. The first signs that something was astir emerged on Tuesday evening (EST) when Syscoin noted that it had detected unusual activity on its blockchain. It was initially suggested that a block was mined that somehow created 1 billion new SYS. Given that the total supply is set at 888 million, this ought to have been impossible. It is now understood, however, that the attackers were simply moving the same 40 million SYS around, as reported by a member of the Syscoin team. As such, the attack was not a hack in the conventional sense of the word, even if the end result was the same.
In recent weeks, a number of blockchains have been compromised before the funds were sent to Binance to launder, but 51% attacks were usually used, as was the case with Zencash. Intriguingly, the Syscoin hack came just one day after blockchain security protocol Blue claimed that half of the top 50 cryptocurrencies were vulnerable to “destructive flaws”. It promised to make the information public, before claiming that it had delayed the release to allow exchanges to make security preparations.
Binance Cancels All APIs
When cryptocurrency is stolen or otherwise appropriated through mischievous means, Binance has become the preferred destination for culprits seeking to cash out. That’s because it’s one of the few high liquidity exchanges with no KYC, making it easy to withdraw coins anonymously. It is widely assumed that Binance will soon enforce KYC, not least to protect itself from attacks such as these. It has been claimed that as much as $50 million of BTC was withdrawn from Binance, but these reports are as yet unverified.
— CryptoTutor⚡️ (@CryptoTutor) July 3, 2018
Binance, for its part, has responded promptly to the hack, and communicated regularly with its users, as has been its trademark during times of crisis. Customers of the exchange woke up to the following email:
Binance CEO CZ promised a full post-mortem after the exchange re-enabled trading on Wednesday morning. In an incident recap, Binance has promised to rollback irregular trades and offer zero-fee trading to irregular trading. The exchange tweeted the news accompanied by the #SAFU hashtag, in reference to a rising crypto meme spawned by a previous CZ typo in which he assured users that “funds are safu”. In March, Binance was hit by a similar API-based attack, on that occasion using Viacoin. Using compromised APIs, the attackers set ridiculously high sell orders on the victims’ accounts, dump their illicitly obtained crypto on them and then cash out. Decentraland’s MANA cryptocurrency also soared dramatically on Binance in a move that’s believed to be linked to the Syscoin API attack.
Anatomy of a Hack
Telegram channel Whatblock has published what appears to be a fair summation of the Syscoin hack, writing:
1. [Hacker] spent a very long time collecting API keys through malware.
2. Look for a REALLY low liquidity shitcoin with an extremely thin order book on the ask side and find SYScoin.
3. Mine a lot of SYS coins and Take over SYS mining power to prevent rollback of the chain.
4. Get full access to an account on Binance that has a very high trade volume and regularly deposited and withdrew extremely large amounts of BTC (To avoid suspicion).
5. Send SYS (mined earlier) to this Binance account.
6. Place ask orders of SYScoin at VERY high rates at the very top of this thin order book.
7. Use BTC of Binance users that use API to buy all SYS in the orderbook.
8. Withdrew 1000 BTC in 7 different withdrawals all to the same BTC address.
While Binance has earned plaudits for its prompt response to suspicious trades, it is evident that it will remain a prime target to attackers so long as they are able to deposit and withdraw crypto with anonymity and impunity.
Update: Syscoin has since released a statement asserting that its blockchain “has not been hacked or compromised in any way”. It appears to have been a bug in an upgraded wallet that the team had just released. In a lengthy technical explainer it writes: “Syscoin released their 3.0.6 Qt wallet 10 days ago; it was a mandatory update fixing a governance superblock fee calculation bug which meant that once a superblock that contained transaction fees was hit, it would not validate clients moved onto the 3.0.6 wallet (the hotfix) from 3.0.5 or whatever they were on.”
It continues: “At approximately 1:00pm PST a superblock was created and Syscoin’s decentralized governance payouts were issued, causing some miner nodes to halt….We later realized the fee rate for [merge] miners has been set to 0.001 Sys per kb — an order of magnitude higher than default. As a result, transactions seemed to not be processed and some equated it to an attack during the same time as a large price fluctuation.”
“Large block output values of 544 million SYS and 1.2 billion SYS begin to appear on the Syscoin block explorer. This was due to the fact that majority miners had higher fee policies and the smaller miner picked up transactions when it won a block. We saw hundred of transactions bunched up in these blocks with higher output values. The atypical thing about these blocks at this time were that someone was using the top address of 46 million Syscoin (we speculate that this was Binance’s Syscoin exchange wallet) to send withdrawals of Syscoin. The transactions were chained as Syscoin allows up to 25 chained unconfirmed transactions…this was a non-issue and also unrelated to activities of the price on exchanges, but obviously a chained transaction set of a 46 million Syscoin output could quickly add up to a large amount, possibly much larger than the existing supply which is [what] precisely happened in these blocks.”
“We recognized the large 46 million Syscoin used to send out funds and chained as unconfirmed transactions as suspicious activity and immediately requested a halt to trading on all exchanges to protect users…Binance reset API keys and resumed trading as did all other exchanges once we had identified that exchanges were not under attack. Users reported that 7000 Bitcoin were moved out of Binance around the same time. We are unaware currently of a public statement about this linking it to the activities of Syscoin.”
“Syscoin Team identified that transactions were not being mined simply because of miner policy and miners not having upgraded to 3.0.6. The transactions were going through just were taking a little longer (1 hour, instead of 1 minute). These events coincided with each other and were the cause of a dramatic 12 hours for the crypto-community….To conclude: the Syscoin chain was not attacked and is fully operational as per design.”
Do you think API-based attacks such as these are likely to happen again? What can exchanges like Binance do to mitigate the threat? Let us know in the comments section below.
Images courtesy of Shutterstock, Twitter, and Binance.
Need to calculate your bitcoin holdings? Check our tools section.