Via @Michaeltalkhere ($BPET dev team lead ) on X regarding the
#PvP contract
#exploit As announced, I would like to disclose the details of the exploit and how did we get the money back.
Firsly, the reason of the exploit was there was a bug in ‘request swap from
#POTION to
#BPET ’ functionality that makes the exploiter be able to withdraw excessive amounts of $BPET tokens from the PvP contract after staking their own tokens.
Below are some noticeable withdrawing transactions the exploiter made.
(https://arbiscan.io/tx/0x058b8808e721f68c01c62ad70687f38f39d749bfc9d0e8f6be839c3af603dec6)
(https://arbiscan.io/tx/0x1ad1f7536e2d91cc5aeef6e29f948ee73fa760a482b0455ca78adade83c4ef53)
(https://arbiscan.io/tx/0x500713e7c025d5ab71e2446069a46a60009ef8060d2537bc4b29296c6f76f9d7)
Right after becoming fully aware of the exploit, we did 2 things
- Checked out to see if the exploiter’s addresses can be mapped with any Twitter profiles of any xPet users (and we found the user mapping with one of the exploiter addresses)
- Reached out to all partners in our network who can pour in the helps. They were explorer sites, centralized exchanges, privacy mixers, offramp tools, and security firms.
To be specific,
#Etherscan team helped us to tag all 4 addresses related to the exploiter on Ethereum on Arbiscan as ‘xPet exploiter’. Thanks for that, the exploiter addresses were visibly exposed to and closely-watched by the public. All the centralized exchange, privacy mixer, and offramp tool teams helped to take close notice In case any of the exploiting address would have interactions with centralized exchange Hot wallets, privacy mixer contracts, or offramp tool depositing addresses. The security firms has helped us follow all, even smallest, onchain traces from the exploiter
In short, we had the combined efforts from multiple parties to closely monitoring the exploiter's movements and ensure that exploiter doesn’t have any chance to get the stolen funds mixed or obscured.