Rescuing Schrodinger’s Cat in DeFi Dark Forest

A Real-World Million Dollars DeFi Incident Response

Victor Fang, AnChain.AI, 2020/10

Schrodinger’s Cat in DeFi Dark Forest

1 — The million dollar cat lost in quantum state

“Victor, there?”

  • Zero wallet balance: the 4 ETH it held has already been transferred out to the hacker's wallet.
  • The bigger deal: this hacked wallet has $1.2 million of ERC-20 USDC stablecoin staked in a DeFi smart contract for yield farming. The hacker holds the wallet's private key, so the moment that USDC is unstaked it lands in a wallet the hacker controls as well.
  • Case 2: the hackers don't know about the stake yet, but they will realize it the moment we interact with the Ethereum dark forest, since every transaction from that wallet sits in the public mempool before it confirms.
Figure 1: Schrodinger’s cat in quantum mechanics

2 — Profiling the dark forest demon: hacker attribution

The world’s most prestigious Incident Response (IR) team, FireEye Mandiant, lives by a work of cybersecurity gospel: a combination of bible and playbook authored by CEO Kevin Mandia’s crew [1].

  • Blockchain forensics: the skill set of tracing the hacker's related on-chain transactions and fund flows. Our CISO investigation tool visualized the hacker's on-chain activity; we see little sign of smart contract interaction other than token transfers.
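The tracing and profiling described above, as an added example (not AnChain.AI's CISO tool): it follows the stolen funds outward from the victim wallet, unwrapping ERC-20 transfer() calldata so a token hop is followed to its real recipient rather than to the token contract, stops at known services (an exchange deposit is where legal process can attach a name), and builds the hour-of-day activity distribution of the attacker's wallets, the kind of profile Figure 3 sketches. All addresses other than USDC and all transactions are constructed placeholders.

```python
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timezone

TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"  # mainnet USDC, lowercased

# Constructed addresses for the walkthrough, not real wallets.
VICTIM = "0x" + "a1" * 20
HACKER_A = "0x" + "b2" * 20
HACKER_B = "0x" + "c3" * 20
HACKER_C = "0x" + "d4" * 20
EXCHANGE = "0x" + "e5" * 20

TOKEN_CONTRACTS = {USDC}
KNOWN_SERVICES = {EXCHANGE: "exchange hot wallet (placeholder)"}


@dataclass(frozen=True)
class Tx:
    tx_hash: str
    timestamp: int      # unix seconds, UTC
    sender: str
    to: str
    value_wei: int
    input_data: str     # "0x" for a plain ETH transfer


def erc20_transfer_recipient(input_data: str):
    """Recipient of an ERC-20 transfer(address,uint256) call, or None if it is not one."""
    data = input_data[2:] if input_data.startswith("0x") else input_data
    if len(data) != 8 + 64 + 64 or not data.startswith(TRANSFER_SELECTOR):
        return None
    return "0x" + data[8 + 24:8 + 64]   # address is right-aligned in its 32-byte word


def effective_recipient(tx: Tx) -> str:
    """A token transfer's money goes to the address in calldata, not to the token contract."""
    if tx.to in TOKEN_CONTRACTS:
        rcpt = erc20_transfer_recipient(tx.input_data)
        if rcpt:
            return rcpt
    return tx.to


def trace_outflows(txs, start: str, max_hops: int = 4) -> dict:
    """Breadth-first walk over outgoing transfers; returns {address: hops from start}.
    Expansion stops at known services, where on-chain tracing hands over to legal process."""
    by_sender = {}
    for tx in txs:
        by_sender.setdefault(tx.sender, []).append(tx)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if addr in KNOWN_SERVICES or hops[addr] >= max_hops:
            continue
        for tx in by_sender.get(addr, []):
            nxt = effective_recipient(tx)
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def activity_pdf(txs, addresses) -> dict:
    """Hour-of-day (UTC) probability distribution of transactions sent by the given wallets."""
    hours = Counter(datetime.fromtimestamp(tx.timestamp, tz=timezone.utc).hour
                    for tx in txs if tx.sender in addresses)
    total = sum(hours.values())
    return {h: n / total for h, n in sorted(hours.items())} if total else {}


def interaction_profile(txs, addresses) -> dict:
    """Split the wallets' outbound activity into ETH transfers, token transfers and other calls."""
    profile = Counter()
    for tx in txs:
        if tx.sender not in addresses:
            continue
        if tx.input_data in ("", "0x"):
            profile["eth_transfer"] += 1
        elif tx.to in TOKEN_CONTRACTS and erc20_transfer_recipient(tx.input_data):
            profile["token_transfer"] += 1
        else:
            profile["other_contract_call"] += 1
    return dict(profile)


def _ts(iso: str) -> int:
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


def _usdc_transfer_data(to: str, units: int) -> str:
    return "0x" + TRANSFER_SELECTOR + to[2:].rjust(64, "0") + format(units, "064x")


# Constructed transaction log, not real chain data.
SAMPLE_TXS = [
    Tx("0x01", _ts("2020-10-01T03:12:00"), VICTIM, HACKER_A, 4 * 10**18, "0x"),
    Tx("0x02", _ts("2020-10-01T03:40:00"), HACKER_A, HACKER_B, 25 * 10**17, "0x"),
    Tx("0x03", _ts("2020-10-01T04:05:00"), HACKER_A, HACKER_C, 14 * 10**17, "0x"),
    Tx("0x04", _ts("2020-10-02T04:20:00"), HACKER_B, EXCHANGE, 25 * 10**17, "0x"),
    Tx("0x05", _ts("2020-10-02T05:02:00"), HACKER_C, USDC, 0, _usdc_transfer_data(EXCHANGE, 500 * 10**6)),
]
HACKER_WALLETS = {HACKER_A, HACKER_B, HACKER_C}

if __name__ == "__main__":
    print(trace_outflows(SAMPLE_TXS, VICTIM))
    print(activity_pdf(SAMPLE_TXS, HACKER_WALLETS))
    print(interaction_profile(SAMPLE_TXS, HACKER_WALLETS))
```

The activity distribution is what makes the Figure 3 style profile useful for attribution: a wallet cluster whose sends bunch into a few UTC hours gives a working-hours window and hence a rough time zone, and a cluster that only ever emits plain transfers (no contract calls) looks like a human moving funds rather than a bot.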
Figure 2. The CISO tool shows the 4 ETH from our client’s wallet being transferred out by the hackers.
Figure 3. Probability density function of the activity of the hacker’s multiple wallets.
Figure 4. Remediation strike zone, from the IR bible [1], p. 537.

3 — Planning the rescue

Sun Tzu’s Art of War says “know yourself and know your opponent.” In incident response that is hacker attribution, and it lays down the assumptions for our response plan.

Figure 5. Plan A.
Figure 6. Plan Z, the “Kamehameha” from Dragon Ball Z.

4 — Plan-Z: the surgical precision remediation

My coworker at a research hospital, Dr. Anderson, a surgeon, never drinks coffee the day before a surgery because caffeine affects his fingers. He once grinned at me, waving his hands: “I need surgical precision!”

Figure 7. Plan Z.
Figure 8, Game theory analysis.
Figure 9. Ethereum gas price in 2020.
Figure 10. $12.8 gas fee for express-lane unstaking.
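The Plan-Z mechanics in code, as an added example (not AnChain.AI's rescue script). The situation the post describes is that the attacker holds the same private key, the wallet's ETH is already gone, and the USDC sits staked in a contract; once unstaked it lands in a wallet both sides control, so the unstake and the sweep to a fresh wallet have to land back to back, at a gas price high enough for the next block, with nonces fixed in advance so the sweep can never be mined ahead of the unstake. The code assumes, since the post does not say, that the staking contract exposes withdraw(uint256) (selector 0x2e1a7d4d, the same signature WETH uses); the staking contract and wallet addresses are placeholders and the gas limits are round estimates.

```python
from dataclasses import dataclass
from decimal import Decimal

GWEI = 10**9
USDC = "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48"  # mainnet USDC, 6 decimals
USDC_DECIMALS = 6
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak256("transfer(address,uint256)")[:4]
WITHDRAW_SELECTOR = bytes.fromhex("2e1a7d4d")  # keccak256("withdraw(uint256)")[:4]; ASSUMED staking ABI

# Placeholder addresses for the walkthrough, not real wallets or contracts.
STAKING_CONTRACT = "0x" + "51" * 20
COMPROMISED_WALLET = "0x" + "a1" * 20
SAFE_WALLET = "0x" + "5a" * 20


def encode_address(addr: str) -> bytes:
    raw = bytes.fromhex(addr[2:])
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def encode_uint256(n: int) -> bytes:
    if not 0 <= n < 2**256:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")


def usdc_units(amount: str) -> int:
    """'1200000' USDC -> 1_200_000_000_000 base units; refuses sub-unit fractions."""
    units = Decimal(amount).scaleb(USDC_DECIMALS)
    if units != units.to_integral_value():
        raise ValueError("amount below USDC precision")
    return int(units)


@dataclass(frozen=True)
class Tx:
    nonce: int
    to: str
    gas_limit: int
    gas_price_wei: int
    data: bytes
    value_wei: int = 0

    def max_cost_wei(self) -> int:
        return self.gas_limit * self.gas_price_wei + self.value_wei


def build_rescue_bundle(next_nonce: int, staked_units: int, gas_price_gwei: int = 200) -> list:
    """Unstake, then sweep, as two consecutive nonces signed with the compromised key."""
    if SAFE_WALLET.lower() == COMPROMISED_WALLET.lower():
        raise ValueError("sweep target must be a key the attacker never had")
    gas_price = gas_price_gwei * GWEI
    unstake = Tx(next_nonce, STAKING_CONTRACT, 150_000, gas_price,
                 WITHDRAW_SELECTOR + encode_uint256(staked_units))
    sweep = Tx(next_nonce + 1, USDC, 65_000, gas_price,
               TRANSFER_SELECTOR + encode_address(SAFE_WALLET) + encode_uint256(staked_units))
    return [unstake, sweep]


def gas_top_up_wei(bundle: list, current_balance_wei: int) -> int:
    """ETH the rescuer must send to the drained wallet before firing the bundle.
    Send exactly this much: anything left over sits in a wallet the attacker can also spend from."""
    return max(0, sum(tx.max_cost_wei() for tx in bundle) - current_balance_wei)


def rehearsal_checks(bundle: list, staked_units: int) -> bool:
    """Invariants a dry run should confirm before the live attempt."""
    nonces = [tx.nonce for tx in bundle]
    if nonces != list(range(nonces[0], nonces[0] + len(bundle))):
        raise ValueError("nonces must be consecutive so the sweep cannot be mined before the unstake")
    sweep = bundle[-1]
    if sweep.to != USDC or sweep.data[:4] != TRANSFER_SELECTOR:
        raise ValueError("last transaction must be the USDC sweep")
    if sweep.data[4:36] != encode_address(SAFE_WALLET):
        raise ValueError("sweep recipient is not the safe wallet")
    if int.from_bytes(sweep.data[36:68], "big") != staked_units:
        raise ValueError("sweep amount must equal the unstaked amount")
    return True


if __name__ == "__main__":
    units = usdc_units("1200000")
    bundle = build_rescue_bundle(next_nonce=7, staked_units=units)
    print("gas top-up (wei):", gas_top_up_wei(bundle, current_balance_wei=0))
    print("rehearsal ok:", rehearsal_checks(bundle, units))
```

With both transactions at 200 Gwei and the round gas limits above, the top-up comes to 0.043 ETH; the rescuer funds exactly that, broadcasts the unstake and the sweep together, and the consecutive nonces guarantee the sweep is only valid once the unstake has been mined. The two rehearsals the post mentions are where these invariants get exercised against a fork or testnet before the real key is used.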

5 — Rescuing Schrodinger’s cat

At 2:00 PM, the million-dollar DeFi Schrodinger’s cat rescue mission began, after two rehearsals.

Figure 11. The $1.2 million USDC was successfully withdrawn, confirmed within 30 seconds at a 200 Gwei gas price.

6 — Learning the lesson

  • “Prepare for the inevitable incident”, Part 1 of the IR bible [1], is the recommendation of FireEye Mandiant and of AnChain.AI. You won’t be as lucky as Catherine, who happened to know our investor. Budget for it, and make sure at least one Incident Response team is on your contact list.
  • Beware of social engineering. Catherine got hacked via a phishing website that lured her into entering her private key and stole it. She’s not alone, as seen in Figure 1. Don’t assume you are always smarter than the hackers. The cliché still holds: under no circumstances should you give away your private key or seed passphrase, those 12 or 24 words, remember?
  • My three questions for anonymous DeFi teams: when hundreds of millions of dollars in assets are staked in your liquidity pool, whom do we contact for authentic customer support? To whom do we suggest UX improvements? Who insures the investors’ assets at stake, the way the FDIC does for bank deposits? I don’t see how DeFi becomes the future of banking unless I get compelling answers to these three. What do you think?

Acknowledgement:

I would like to thank Daniel Robinson at Paradigm, Sue Xu at Amino Capital for great feedback.

Reference:

[1] Jason T. Luttgens, Matthew Pepe, Kevin Mandia, Incident Response & Computer Forensics, 3rd ed., McGraw-Hill Education, 2014, ISBN 9780071798686.
