Brinc Finance was attacked due to suspected private key compromise, resulting in the loss of 290 ETH (~ $1.1 million)

BEOSIN
Dec 14, 2021


BEOSIN Eagle-Eye detected that Brinc Finance was attacked due to private key compromise, resulting in the loss of 290 ETH (~ $1.1 million).

Brinc Finance confirmed on its official Twitter that it was attacked.

Attacker: 0x6B0b61323F6d77ef8A1a35D11FA877631d8f67Bb

Attacked Contract: 0x1eC83036A1dbbd6e001bb216e31b8A259ebd8f3D

Transaction Hash: 0x09ae252d00122864070461e78810a3b91c4fb64076f72eb6dba775a80ca00df4

The attacker obtained owner privileges on the contract through transferOwnership, then used the contract's rescueTokens function to withdraw 14,308,348.652417053293895952 staked BRC and 3,202,933.299761877660655215 gBRC, which were then converted to 290 ETH via swap.

Security summary:

1. The rescueTokens function has high authority. Generally speaking, this function should only be able to extract other tokens sent to the contract by mistake, not staked tokens and reward tokens.
2. Project parties need to keep the private key properly to prevent loss.
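The first point, sketched as an added example that is not taken from Brinc Finance's contract: an owner-only rescue function in its unrestricted form next to a form that refuses the staked and reward tokens. The contract name, the `stakedToken` and `rewardToken` fields, the error names and both function signatures are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical staking contract; only the owner check and rescue paths are shown.
contract StakingRescueSketch {
    address public owner;
    IERC20 public immutable stakedToken; // assumed: token that users deposit
    IERC20 public immutable rewardToken; // assumed: token paid out as rewards

    error NotOwner();
    error ProtectedToken(address token);
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IERC20 staked, IERC20 reward) {
        owner = msg.sender;
        stakedToken = staked;
        rewardToken = reward;
    }

    // Unrestricted form, shown for contrast only: whoever holds the owner key
    // can move any token the contract holds, including user stakes and rewards.
    function rescueTokensUnrestricted(IERC20 token, address to, uint256 amount) external onlyOwner {
        if (!token.transfer(to, amount)) revert TransferFailed();
    }

    // Restricted form: only tokens that are neither the staked token nor the
    // reward token can be withdrawn, so this path cannot touch user funds.
    // Production code would typically use OpenZeppelin's SafeERC20 for the transfer.
    function rescueTokens(IERC20 token, address to, uint256 amount) external onlyOwner {
        if (address(token) == address(stakedToken) || address(token) == address(rewardToken)) {
            revert ProtectedToken(address(token));
        }
        if (!token.transfer(to, amount)) revert TransferFailed();
    }
}
```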
