Explained: The BigONE Hack (July 2025)

POSTED BY: Rob Behnke

07.22.2025

In July 2025, BigONE was the victim of a supply chain attack. The attacker drained an estimated $27 million from the project, exploiting its hot wallets across five blockchains: Bitcoin, BSC, Ethereum, Solana, and TRON.

Inside the Attack

BigONE reported an incident affecting the project’s hot wallets. However, unlike most thefts from hot wallets, this didn’t involve compromised private keys. Instead, an attacker with access to the project’s backend infrastructure exploited that access to change critical logic and drain funds from the protocol.

Rather than stealing keys, the attackers exploited their access to change how the project’s account and risk controls operated. Instead of validating withdrawal requests, the modified code automatically approved them. As a result, the attacker was able to submit a malicious and invalid withdrawal request to the project’s smart contracts and have it approved, draining value from the project’s vaults.

BigONE’s multi-chain deployment meant that compromised backend infrastructure could lead to substantial losses. Once it was possible to sneak malicious withdrawals through the project’s approval process, the attacker exploited this vulnerability across Bitcoin, BSC, Ethereum, Solana, and TRON. In total, an estimated $27 million was stolen from the project.

Initially, the project claimed that it was undergoing maintenance as it investigated an attack. Later, this was updated to admit that a third-party attacker had gained access to the project’s hot wallets. The project also specified that private keys were not compromised, that the attack vector exploited by the hacker had since been closed, and that all affected users would be fully compensated.

Lessons Learned from the Attack

Unlike many off-chain attacks on hot wallets, the BigONE hack didn’t involve compromised private keys. Instead, the attacker exploited access to the project’s centralized transaction validation and approval systems to undermine the security of the system as a whole. Changes to approval logic enabled them to exploit all of the project’s smart contracts across five blockchains.

This incident underscores the importance of securing every component of a DeFi project’s environment and workflows. The attacker was able to access key systems and modify critical code to remove transaction validation, all without being detected by the organization until $27 million was drained from the project’s hot wallets.
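
One way to detect the failure mode described above, as an added example that is not from the original post or from BigONE's systems: a check placed next to the signer that recomputes withdrawal rules from its own ledger view instead of trusting the backend's approval flag. All names, limits and sample records below are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Withdrawal:
    request_id: str
    account: str
    chain: str
    amount: Decimal
    upstream_approved: bool  # verdict claimed by the backend risk-control service

# Constructed policy values for illustration, not any exchange's real limits.
PER_REQUEST_LIMIT = {"ETH": Decimal("50"), "BTC": Decimal("5")}

def violations(w, balances):
    """Re-derive the checks the approval service should already have made."""
    found = []
    if w.amount <= 0:
        found.append("non-positive amount")
    if w.chain not in PER_REQUEST_LIMIT:
        found.append("unknown chain")
    elif w.amount > PER_REQUEST_LIMIT[w.chain]:
        found.append("over per-request limit")
    if w.amount > balances.get((w.account, w.chain), Decimal("0")):
        found.append("exceeds ledger balance")
    return found

def audit(batch, ledger):
    """Return (to_sign, alerts). An upstream approval that fails the local
    checks is held and alerted on: the approval path itself is then suspect."""
    balances = dict(ledger)  # running copy so repeated requests cannot double-spend
    to_sign, alerts = [], []
    for w in batch:
        if not w.upstream_approved:
            continue
        problems = violations(w, balances)
        if problems:
            alerts.append((w.request_id, problems))
        else:
            balances[(w.account, w.chain)] -= w.amount
            to_sign.append(w.request_id)
    return to_sign, alerts

# Constructed sample data: the upstream service has approved every request.
LEDGER = {("alice", "ETH"): Decimal("10"), ("mallory", "ETH"): Decimal("0.1")}
BATCH = [
    Withdrawal("w1", "alice", "ETH", Decimal("2"), True),
    Withdrawal("w2", "mallory", "ETH", Decimal("40"), True),
    Withdrawal("w3", "mallory", "BTC", Decimal("900"), True),
]

if __name__ == "__main__":
    print(audit(BATCH, LEDGER))
```

The ledger view and limits used by such a check need to come from a system the approval backend cannot write to; otherwise one compromise defeats both layers.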

Halborn offers consulting services to help organizations model potential attack vectors and develop defenses against top threats, both on-chain and off-chain. To learn more about securing your project and assets with Halborn, get in touch.
