Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
According to the SlowMist security team, according to the BXH Stupid Kids team’s announcement on September 23, a total of $2.5 million worth of assets and 38 million BXH tokens were stolen the night before yesterday (September 21). According to the analysis and evaluation of SlowMist MistTrack, the private key of the original owner of the BXH VaultPool contract is suspected to be stolen, and the inCaseTokensGetStuck function is called to transfer the funds in the contract to the hacker's address. The hacker's address is 0x158f...e345. Up to now, the hacker has exchanged the stolen funds to the ETH chain across the chain, and further transferred all the stolen funds to Tornado Cash, with a total transfer amount of 1865 ETH. Attack method (per SlowMist): Private Key Leakage. Reported loss: $ 2,500,000.
- chain
- —
- protocol
- BXH
- bug_class
- private-key
- date_occurred
- 2022-09-21
- loss_usd
- $2,500,000
- source_id
- sm:bxh::2022-09-21