Rogue miners submitted phony price data that tricked decentralized stablecoin network PegNet into turning a small wallet balance into a $6.7 million stash.
At approximately 05:00 UTC Tuesday morning, four mining entities – which together comprised as much as 70 percent of the PegNet hashrate – submitted data that artificially inflated the price of "pJPY," a stablecoin pegged to the price of Japanese yen, according to a core developer going by the username "WhoSoup."
Starting with a wallet balance of $11, the group pushed the price of pJPY up to $6.7 million and then transferred it into pUSD – PegNet's USD-linked stablecoin. They then tried (unsuccessfully) to liquidate as much as possible on spot exchanges and to distribute the remainder across hundreds of different wallet addresses.
The network relies on miners to submit price data collected from a series of oracles and APIs to keep stablecoin prices pegged to their fiat equivalents. Each block requires up to 50 data points, and the protocol discards the 25 submissions furthest away from the total average. Most use the third to fourth default sources, but miners are also able to submit their own arbitrary values.
"WhoSoup" told CoinDesk this isn't normally a problem as the system works to incentivize miners – with a block reward – to submit price data in line with those of other submissions.
Over Discord, the developer explained the miners essentially performed a form of 51 percent attack by submitting 35 of the top 50 price submissions, skewing the average in their favor and meaning that the remaining 15 price submissions were discarded as outliers.
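A simplified model of the filter described above, added here as an illustration and not PegNet's code, shows why trimming around the average filters out a colluding minority but not a majority of submissions. The prices are constructed, the block price is assumed to be the mean of the surviving submissions, and the step-limit guard is a hypothetical defensive check.

```python
from statistics import mean, median

TRUE_PRICE = 0.0093   # constructed USD-per-JPY reference, not a value from the incident
KEEP = 25             # submissions that survive the filter, per the description above

def grade(submissions, keep=KEEP):
    """Keep the `keep` submissions closest to the average of all of them."""
    avg = mean(price for _, price in submissions)
    ranked = sorted(submissions, key=lambda s: abs(s[1] - avg))
    survivors, discarded = ranked[:keep], ranked[keep:]
    # Assumption: the block price is the mean of the surviving submissions.
    return mean(price for _, price in survivors), survivors, discarded

def exceeds_step_limit(new_price, previous_price, max_change=0.10):
    """Hypothetical guard: flag a block price that moves more than
    max_change (as a fraction) away from the previous block's price."""
    return abs(new_price - previous_price) / previous_price > max_change

def build_block(colluding, inflated_price):
    """Constructed block of 50 submissions: `colluding` share one inflated
    price, the rest report TRUE_PRICE with a small spread."""
    honest = [("honest", TRUE_PRICE * (1 + (i - 7) * 0.0005))
              for i in range(50 - colluding)]
    rogue = [("colluding", inflated_price * (1 + (i % 5) * 0.0001))
             for i in range(colluding)]
    return honest + rogue

def summarize(colluding, inflated_price=TRUE_PRICE * 1000):
    block = build_block(colluding, inflated_price)
    price, survivors, discarded = grade(block)
    return {
        "price": price,
        "median": median(p for _, p in block),
        "honest_kept": sum(1 for who, _ in survivors if who == "honest"),
        "honest_discarded": sum(1 for who, _ in discarded if who == "honest"),
        "flagged": exceeds_step_limit(price, TRUE_PRICE),
    }

if __name__ == "__main__":
    for n in (0, 15, 35):
        print(n, "colluding ->", summarize(n))
```

With 15 colluding submissions the filter keeps only honest prices; with 35, every honest submission is discarded and the median is captured as well, so only a check that does not depend on the submissions themselves, such as the step limit, flags the block.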
With the fake exchange rate, the miners converted the inflated pJPY into pUSD, so the overall wallet balance rose from $11 worth of pJPY tokens to well over 6.7 million pUSD, which, assuming accurate price data, should be worth $6.7 million.
Tuesday's attack lasted about 20 minutes and apparently did not affect other users' funds.
David Johnston, who is Factom Inc. chairman as well as one of the main figures behind PegNet, told CoinDesk that the group had no control over the transactions and conversions of other users, but could only confirm price data. "This attacker seems to have only affected their own wallet," he said.
Johnston added that the attacker had not been able to transfer much of the pUSD into PegNet's native PEG cryptocurrency, as the protocol's software doesn't allow quick conversions. "This person was able to generate a bunch of pAssets, but not able to convert them into PEG and dump on the market," he said.
The way PegNet is configured means the identity of individuals controlling the mining entities cannot be known. While there were four mining entities that worked in unison, it isn't clear whether these were all controlled by the same person or whether this was the work of a group.
But there are still some unanswered questions. The attacker has since reached out to PegNet and claimed they were only trying to "pentest [penetration test] the network and code logic," to identify potential vulnerabilities and notify core developers.
They have also destroyed all the stablecoins in question, sending them all to the PegNet burn address at roughly 14:00 UTC Tuesday.
Both Who and Johnston refused to be drawn on the motives behind the attack. "I can't speak to intent of this person just their actions," Johnston said. "Their actions were to generate the pAssets and then destroy those pAssets. [It] seems like more of a stunt than an attack given the short time it lasted and their actions since."
The attacker's decision to burn the assets seems to mirror the actions of the hacker who drained dForce of $25 million at the weekend and then handed back stolen assets after learning Singaporean authorities had their IP address.
Johnston said PegNet would now review some of its oracle mechanisms to ensure they are robust enough to withstand these sorts of attacks in the future.
"I fully expect more sophisticated attacks over time. As values in DeFi networks rise there is ever more reason to attack them," he said. "The key is building systems like PegNet where individual users are not affected by the actions of others in the system. So because PegNet has no reserve or collateral held in a pool, there were no common user funds to drain."
PegNet isn't yet certain whether the miners were able to offload any of the pUSD onto cryptocurrency exchanges.