Tryvium Incident Report

PancakeSwap Listing – 2022-11-23

DISCLAIMER: The recent exploit did not affect trading on Kanga exchange, which continues to operate normally.

Hello everyone,

As you know, unfortunately today 23th November at 16:00 CET around, during the $TRYV PancakeSwap listing, Tryvium has suffered a hack.

This is an Official Statement where the team is going to explain what happened in detail, during the failed PancakeSwap listing process.

The beginning

The Tryvium Pancakeswap listing was scheduled to be on the 23rd of November 2022, at 16:00 CET. It was planned by the team a month before the listing date and it involved the creation of a Liquidity Pool (from now on LP).

The community would have benefit from the listing with the creation of a new market on which perform trades, along with the existing one on Kanga Exchange (from now on Kanga)

To prepare for the launch, a smart contract was deployed to act as a proxy between the Tryvium deployer wallet at the address 0x8b48Af3a5B965F94dE7d1870bf2194c2798e4183 (from now on Tryvium Deployer or simply Deployer)
The proxy contract (from now on Proxy) was programmed with the features of the addLiquidity feature, plus an additional anti-bot system which should have prevented the sniper to snipe the bots buys and sells, favoring a clean and stable market which would have grown organically through the time.

What happened?

Approximately at Nov-23-2022 01:38:06 PM +UTC, the Proxy has been deployed at the address 0x1796E11973972E6782D3500eeb76B76338ee1016 with the transaction with hash 0x4679f0ea5fc40b0243b2335f6a0bfb262475800068ae0655a0552d51c6207df7 from the Deployer address

Approximately at Nov-23-2022 02:22:51 PM +UTC, the deployer address sent 3.000.000 TRYV tokens to the Proxy contract as first part of the LP with the transaction with hash 0x63f2a5ad434e0f5294d135ba0b212ce316fa2613aa11605460085831ece9bb42

Few seconds after, approximately at Nov-23-2022 02:23:06 PM +UTC, the deployer address sent 20.000 BUSD to the Proxy contract as second part of the LP, with the transaction hash 0xfbb958f916fa3601824296c0f40b30e5d1f23bf4d0f79a3ffa904f0e8292c05c

At this point the LP was ready to be deployed at the specified time, which should have been approximately at Nov-23-2022 03:00:00 PM +UTC

Unfortunately the hacker got us here and exploited the contract.

The exploit and the hack of the Proxy contract

The hacker, owning the address 0x31dae3b4015e244d3acbf8f3ef05efec0fd51f0b, sent a transaction with the exploit at the proxy contract.

The exploit transaction occurred approximately at Nov-23-2022 03:00:50 PM +UTC, and the transaction hash is 0xdbde12a4cece01dad69e585e8dacac557ff5de8b4808c4ccf234706766aaf841.

The result of this has been the stealing of the Tryvium proxy contract LP tokens to the hacker address and the immediate creation of the LP on pancakeswap (this is why at the beginning trade was actually possible without problems)

At this point the hacker owned Tryvium deployer LP Tokens and sent a new transaction to remove the liquidity.

The transaction occurred approximately at Nov-23-2022 03:03:14 PM +UTC and has a transaction hash of 0x5bafe8372cf9a788f697299387cf28eb6b6c3d476a70a9aa076624d60d059e95

At this point the hacker had the accumulated funds of the LP of that time, a total of 25,594 BUSD and 2.360.226 TRYV.

The hacker then, approximately at Nov-23-2022 03:08:35 PM +UTC with the transaction hash of 0xace62706eeca9fd6e8792187560c276ec920c1fc446562106c81aaaa9f353256, transferred all the BUSD to a new address 0x0bd1ffbc5aee98194b093cbe631c270a3002d523 (from now on Hacker Address 2)

With this new address, approximately at Nov-23-2022 03:28:05 PM +UTC with a transaction hash of 0x39906a590afa192c6d9fae569bc76bd6fe0208f7e40a3eddb119e430ed8cdf98, Hacker Address 2 swapped all BUSD with BNB.

At this point the Hacker Address 2 has approximately 86.83 BNB

After this point the hacker Address 2 started sending the BNB to Tornado Cash contract, de facto washing away the BUSD liquidity.
Everything can bee seen at https://bscscan.com/address/0x0bd1ffbc5aee98194b093cbe631c270a3002d523

At this point the BUSD of the LP are considered lost, so we reached binance support to ask them to blacklist the hacker addresses.

What did the Tryvium team do to solve / mitigate the exploit?

The transaction was executed by the hacker address and reverted approximately at Nov-23-2022 03:00:59 PM +UTC with the transaction hash of 0x88417d5bf6eeefe1b18c50165b1c7100c2f4193e1347b11b75016f170ba1b075.

Due to this, the Tryvium team acted immediately, realizing that LP ownership was lost.

The first things that have been done were the immediate start of the investigations and the add of more liquidity to the market pair

The Tryvium developers sent 4 addLiquidity transactions manually with Pancakeswap UI 

The transactions have the following hashes and started from Nov-23-2022 03:32:17 PM +UTC to Nov-23-2022 03:43:38 PM +UTC

  1. 0xfb30349a6838260a00177bebb60283308581c2078c5455f94bca9df86f9cd847 (failed)
  2. 0x1e41a13a4a071c6718aad80c6af2c079707f8a082b3a372f7d5ba776d3b5ecda
  3. 0x42d31b750b5c19ac5d554cb55f87c1fa9b4aa252331662971b681576b66f5301
  4. 0xc9c23c3c8513ada7e13ff1e3c0ee0e676483db4943591d93727e01cee475ac33

The new LP provided was 5000 BUSD and the equivalent in TRYV tokens, at an average price of 0.006 BUSD/TRYV approximate on pancakeswap.

This gave the team more time to investigate while keeping stable the token condition.

After the investigations came to a reasonable conclusion, the additional LP has been removed approximately at Nov-23-2022 04:00:35 PM +UTC with the transaction hash of 0xba7d66199a2e59343cdf778753115c261bfd6c2f9f713619488678c51816f991

The post-mortem balance

After the whole situation, a total of 25.594 BUSD have been lost due to this exploit (that includes the 20.000 BUSD that were in the LP at listing time)
With the transaction occurred from the hacker address approximately at Nov-23-2022 03:39:50 PM +UTC with the transaction hash of 0x00efbc4ec9e3f22bf1a94a99e764d1ad8d9354eb2535829fbb90723bef73d63d, the hacker returned the deployer address the total of the stolen TRYV tokens, so the TRYV are back in possession of the Tryvium team.

To our Community 

Now more than ever, we need you close to overcome this bad event that has hurted us unexpectedly.

First, we have decided to offer bounties for all the white hackers who can help us to investigate deeply about the PancakeSwap hack.

You can contact us at [email protected]

We’d like to emphasize that Tryvium wants to get out stronger than before continuing with development and marketing that until now havv been really successful and brought the project to the brilliant point to which we are now.

We’d appreciate it if you could contribute to help us using our booking platform tryvium.io, making a reservation for your next trip with Tryvium.

It would be really appreciated and helpful.

We will keep you updated about every next step.

We would like to remind our community that the exploit did not affect trading on Kanga, which continues to operate normally.

Thanks for your patience and support.

Tryvium Travels Team

Leave a Reply

Blog su WordPress.com.

Su ↑