BitMart founder and CEO Sheldon Xia said users affected by the hack will be reimbursed.
2/4 BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed.
— Sheldon Xia (@sheldonbitmart) December 6, 2021
Xia today confirmed the hack at the crypto exchange, stating that it was a security breach caused primarily by a stolen private key that compromised two hot wallets.
With this single private key, the hackers were able to steal a total of about $196 million worth of cryptocurrencies from the two wallets.
Of this, around $100 million relates to tokens on the Ethereum blockchain, while the remaining $96 million relates to tokens on the Binance Smart Chain.
The exchange’s other wallets were not compromised.
It was discovered that the hacker who stole the funds then used the DEX aggregator 1inch to exchange the stolen tokens for ETH, which he then routed through the Tornado Cash mixer to try to make the funds untraceable.
Xia stated that the company will use its own funds to cover the losses caused by this theft and compensate users.
He also stated that they still need some time to resume full operations, as they are still working on security procedures.
However, the goal would be to reactivate deposits and withdrawals as early as tomorrow, 7 December 2021.
All exchanges have, in addition to offline cold wallets, hot wallets where they store tokens that users can withdraw to their personal wallets. These hot wallets are of course accessible to anyone who holds the corresponding private key, so the hacker only needed to obtain the private key of two of the exchange’s hot wallets to take the tokens stored there.
Moreover, in recent months, there have been a number of somewhat similar hacker attacks, often targeting DeFi protocols. BitMart is a centralized exchange, but hot wallets function in the same way whether they are storing CEX deposits or funds from DeFi protocols.
Often, as in the case of BitMart, these are actually relatively simple attacks: the attackers simply obtain the private key, perhaps stored somewhere online, and then use it to transfer funds to public addresses they own.
Unfortunately, it is not uncommon for hackers to manage to steal tens, if not hundreds of millions of dollars in tokens and cryptocurrencies in this way, which gives them a strong incentive to try again.
The post BitMart hack: users will be reimbursed appeared first on The Cryptonomist.