On July 7, the originally peaceful Bifrost community suddenly fell into panic.

When the project team checked the treasury account, they found some unusual transfer records: BNC tokens in the treasury were flowing to an unfamiliar private address, 100 at a time. This address appeared to hold the multi-signature private key of the script used to automatically replenish BNC transaction fees. The project team realized that Bifrost's treasury was suffering from a long-planned attack.

Soon, the news spread like a plague in the community. The price of BNC plunged 20% in an instant, and a huge red candle on the exchange's K-line chart pierced the user's eyes. And the terrible transfer number continued to rise: 100,000, 500,000, 1 million... In the end, when the black storm subsided, the Bifrost Treasury was horrified to find that a total of 6,631,252 BNCs had disappeared.

Suddenly, the peaceful community fell into chaos. The originally harmonious atmosphere was broken in an instant, replaced by waves of anxiety and uneasiness. Users discussed and spread all kinds of disturbing news, such as "the treasury was stolen" and "the coin price collapsed", which caused widespread panic. The sharp drop in the token price made many coin holders feel depressed...

Crisis response: recovery and replenishment of treasury funds

Faced with this sudden crisis, the Bifrost project team did not hesitate and immediately launched an emergency plan. They acted decisively and immediately abandoned and replaced the leaked private key, cutting off the possibility of hackers continuing to steal treasury funds. At the same time, the project also urgently froze some suspicious accounts through the governance mechanism and successfully recovered 3,351,153 BNCs. This undoubtedly gave the community a glimmer of hope.

However, the reality is cruel. Later statistics showed that 3,280,099 BNCs still could not be recovered because they had been exchanged for DOT or transferred across chains. This is a heavy blow to any project. The Bifrost team was not crushed by the difficulties, however, and instead showed extraordinary responsibility. In order to compensate users for their losses and maintain the reputation of the project, team members have expressed their willingness to inject their BNC holdings into the treasury. This move shows the sincerity and determination of the Bifrost team.

Hard work pays off. With the joint efforts of the team, the balance of the Bifrost treasury has gradually returned to the level before the incident. As of now, Bifrost's treasuries on Kusama and Polkadot hold a total of 22,888,508 BNCs. This number is almost the same as before the incident. For those users who still have doubts, the project team has also made public the treasury address and invited everyone to check the account balance at any time to prove that what the team said is true.

With the help of the buyback plan, BNC prices stabilized and rebounded

With the successful recovery and replenishment of treasury funds, the Bifrost project team took prompt action to fully resume services that had been suspended due to emergency needs.

The technicians worked overnight to conduct a comprehensive security audit and fix vulnerabilities in the system. As a result, just a few hours later, the transfer and cross-chain functions on Bifrost were back online. Users can freely transfer assets in the Bifrost ecosystem or cross-chain tokens to other networks as usual. This undoubtedly gave the community a glimmer of hope, and many users even expressed their praise for the project's quick response on social media.

But the Bifrost team did not stop there. They knew that in addition to restoring services, they also needed to take practical actions to stabilize the price of BNC and restore market confidence. Therefore, the project made a major announcement: the Bifrost Treasury will take out 10,000 DOTs to repurchase BNC through Hydration DCA.

This decision has sparked heated discussions in the community, and many users admire the sincerity of the project. You know, DOT is the number one popular token in the Polkadot ecosystem, and 10,000 DOT is a considerable amount. Bifrost is willing to take out so many DOTs to buy back its own tokens, which is enough to prove that they have a firm belief in the long-term value of BNC.

More importantly, the choice of Hydration DCA repurchase method also reflects the professionalism and wisdom of the team. Compared with a one-time large repurchase, the gradual repurchase strategy can boost the price of BNC while avoiding excessive market fluctuations. This will undoubtedly help rebuild user confidence and promote the steady rise of BNC prices.

With the joint efforts of the Bifrost team, the crisis was finally resolved. Services returned to normal, user confidence was gradually rebuilt, and the price of BNC returned to an upward track. As you can see, Bifrost not only has strong technical strength, but also has a sense of responsibility and action. This crisis has made the project more mature and trustworthy.

The key behind community questions: MPC and treasury security

As the storm gradually subsided, some careful members of the community began to raise questions. They couldn't understand: since Bifrost's wallet is managed by multiple parties (MPC), how could the private key be leaked, leading to a large outflow of treasury funds? This question went straight to the key point of the incident.

In response to everyone's doubts, Lurpis, the project leader of Bifrost, immediately explained through his personal Twitter account. It turns out that the Bifrost treasury itself is decentralized and does not rely on a single private key. But the problem is that the treasury is also programmable. And this incident happened precisely because of a script used to automatically replenish BNC transaction fees.

Lurpis further explained that this script was given special permissions to manipulate the treasury assets. As long as someone obtains the multi-signature private key of the script, they can exploit the loophole and use a specific method to transfer 100 BNCs from the treasury at a time. From this, it can be inferred that the leaker has a fairly deep understanding of the internal operation of Bifrost, which is how he was able to steal so cleverly.

Lurpis also frankly admitted that Bifrost did have some shortcomings in the call frequency and quota limit of the script. If these details could be more rigorous, perhaps this incident could have been avoided. He said that this was a painful but valuable lesson for the team. Next, they will learn from it, comprehensively review and optimize various scripts, plug loopholes at the source, and strengthen the security of the treasury.
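The call-frequency and quota limits discussed above can be sketched as a spend policy for an automated fee top-up. This is an added example, not Bifrost's code: the class, account names and limits are hypothetical, and it assumes the policy is enforced by whatever authorizes treasury spends, not by the script holding the key, since a stolen key bypasses checks in the script itself.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class TopUpPolicy:
    """Hypothetical guard for an automated fee top-up (not Bifrost's code)."""
    allowed_dest: frozenset   # fee accounts the automation may refill
    per_call_cap: int         # max BNC per transfer
    window_cap: int           # max BNC per rolling window
    window_secs: int          # length of the rolling window
    min_interval_secs: int    # minimum spacing between approved calls
    _history: deque = field(default_factory=deque)  # (timestamp, amount)

    def authorize(self, dest, amount, now):
        """Return (allowed, reason); record the spend only when allowed."""
        # Drop approved spends that have aged out of the rolling window.
        while self._history and now - self._history[0][0] >= self.window_secs:
            self._history.popleft()
        if dest not in self.allowed_dest:
            return False, "destination not allowlisted"
        if amount <= 0 or amount > self.per_call_cap:
            return False, "per-call cap exceeded"
        if self._history and now - self._history[-1][0] < self.min_interval_secs:
            return False, "called too frequently"
        if sum(a for _, a in self._history) + amount > self.window_cap:
            return False, "window quota exhausted"
        self._history.append((now, amount))
        return True, "ok"

def replay(policy, requests):
    """Apply (time, dest, amount) requests; return reasons and total released."""
    reasons, released = [], 0
    for t, dest, amount in requests:
        ok, reason = policy.authorize(dest, amount, t)
        reasons.append(reason)
        released += amount if ok else 0
    return reasons, released

def demo():
    # Constructed scenario: repeated 100 BNC calls, then an unknown destination.
    policy = TopUpPolicy(frozenset({"fee-account"}), 100, 300, 86400, 600)
    requests = [(0, "fee-account", 100), (60, "fee-account", 100),
                (600, "fee-account", 100), (1200, "fee-account", 100),
                (1800, "fee-account", 100), (2400, "unknown-addr", 100)]
    return replay(policy, requests)
```

A per-call cap alone does not bound the loss when calls can be repeated; the rolling quota and the destination allowlist are what cap the total released in the constructed run.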

Incident Investigation: Pursuing Responsibility for Private Key Theft

Regarding the cause of the incident, the Bifrost team said they are still investigating. Although there is no conclusion yet, the project guarantees the community that once the cause and target of the private key leak are found, they will take legal action and will not tolerate it.

While giving everyone some reassurance, the project team also emphasized one point: this incident was caused by the leakage of the private key of the off-chain script, and did not involve the security of the Bifrost on-chain assets and code itself. Although there were some problems off-chain, the on-chain side is still as solid as a rock.

But then again, the hidden dangers of off-chain scripts should not be underestimated. The Bifrost team said that they will learn from this and comprehensively sort out the existing scripts and private key management mechanisms, plugging any loopholes and ensuring that every risk is nipped in the bud. Since the security of the blockchain is no small matter, both off-chain and on-chain must be strictly guarded.

This incident has undoubtedly sounded the alarm for Bifrost, but it has also strengthened their determination to improve their security system. I believe that after this "scraping the bone to cure the poison", Bifrost's security line will be more unbreakable. Behind this is the project's highly responsible attitude towards user assets and the care for the foundation of trust in the blockchain. Such a Bifrost is naturally more worthy of everyone's trust.

Lao Mao (Twitter): https://x.com/readonlm

Bifrost related links:

Website: https://bifrost.finance

Twitter: https://twitter.com/Bifrost

Dapp: https://app.bifrost.io
