Days of Careful Planning: Analysis of the Chibi Finance Exit Scam on Arbitrum, Which Stole $1 Million
On June 27, 2023, the Chibi Finance team carried out an exit scam that resulted in over $1 million in losses for investors. The team abused the project's centralized privileges to transfer user funds out of contracts owned by Chibi and convert them into ETH, which was then moved to the Ethereum network via cross-chain bridges and ultimately deposited into Tornado Cash.
The incident was the twelfth major event recorded by CertiK on the Arbitrum network in 2023, bringing the year's total losses there from hacks, scams, and exploits to $14 million.
Event Summary
Although the Chibi Finance exit scam was executed on June 27, it was most likely planned carefully several days in advance, or even earlier.
On June 15, an external address (0xa3F1) withdrew 10 ETH from Tornado Cash. Two of those ETH were transferred to the Ethereum network via a cross-chain bridge. Four days later, on June 19, another 7.8 ETH was transferred. Most of the ETH was sent to the address (0x1f19). However, on June 23, 0.2 ETH was sent to the address (0x80c1) to pay the gas fees for adding the Chibi pools and for creating contract (0xb612), which would later drain those Chibi pools.
Chibi continued to hype its project, announcing on June 26 in its Telegram group that it had been listed on CoinGecko.
Image: Chibi Finance Discord announcement | Source: Twitter
However, on June 27, the setGov() function was called on every Chibi pool, setting the gov address to contract 0xb612. In Chibi's contracts, the gov address acts as the owner address: privileged functions are protected by the onlyGov modifier, which restricts them to the wallet currently holding the gov role.
Image: setGov() transaction | Source: Arbiscan
After taking control of the pools, the (0x80c1) address removed liquidity totaling 539 ETH. Another 17.9 ETH came from the (0x1f19) address, bringing the total to 556 ETH.
Image: Funds being converted to WETH | Source: Arbiscan
The funds were then bridged to Ethereum in two transactions, 400 ETH through the Multichain cross-chain bridge and 156 ETH through the Stargate cross-chain bridge. A total of 555 ETH was deposited into Tornado Cash, after which two withdrawals of 0.5 ETH each were made to two different EOAs. One went to a new wallet (0x9297), which still holds the ETH at the time of writing. The other 0.5 ETH was sent to junion.eth, who had previously sent on-chain messages to the Euler exploiters thanking them for their service.
Image: On-chain messages | Source: Etherscan
Attack Process
The exit scam was made possible by the centralized privileges of the _gov role in the Chibi Finance contracts. The attack began on June 23, when an EOA (0x80c1) received 0.2 ETH from another EOA (0xa3F1) and created a malicious contract.
Image: Malicious contract creation | Source: Arbiscan
The next stage involved calling the addPool() function on multiple contracts owned by Chibi Finance.
Image: Calling addPool() | Source: Arbiscan
On June 27, the deployer of the Chibi Finance contracts called setGov() on multiple Chibi contracts, assigning the malicious contract created by EOA (0x80c1) to the _gov role. This role carries privileges in the Chibi Finance contracts that allowed the attacker to call the panic() function and move users' funds out of the contracts.
Image: setGov() transaction and example transaction | Source: Arbiscan
EOA 0x80c1 then called execute() on the malicious contract to begin extracting funds. The malicious contract iterated through every Chibi Finance contract registered via the addPool() transactions of June 23 and called the panic() function on each, pausing the contract and withdrawing its funds.
The stolen funds were then transferred to EOA 0x80c1.
Image: Stolen funds | Source: Arbiscan
These funds were then exchanged for WETH, transferred to the Ethereum network via cross-chain bridges, and deposited into Tornado Cash.
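As an added example (not CertiK's tooling or Chibi's code), here is a detection heuristic in Python for the takeover sequence described above: it groups setGov() calls by the incoming gov address and flags any address that takes over several pools, was deployed only recently, and then calls the pause-and-drain function (named panic() here) on the pools it was handed. The decoded transaction records, their field layout, and all shortened addresses other than 0xb612 are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed decoded transactions: (time, sender, target, function, args).
# Addresses are shortened placeholders modelled on the incident, not real data.
DEPLOYMENTS = {"0xb612": ts("2023-06-23T09:00:00"),     # contract -> creation time
               "0xmultisig": ts("2022-01-01T00:00:00")}
CALLS = [
    (ts("2023-06-27T08:00:00"), "0xdeployer", "0xpoolA", "setGov", {"newGov": "0xb612"}),
    (ts("2023-06-27T08:01:00"), "0xdeployer", "0xpoolB", "setGov", {"newGov": "0xb612"}),
    (ts("2023-06-27T08:02:00"), "0xdeployer", "0xpoolC", "setGov", {"newGov": "0xb612"}),
    (ts("2023-06-27T08:10:00"), "0xb612", "0xpoolA", "panic", {}),
    (ts("2023-06-27T08:10:00"), "0xb612", "0xpoolB", "panic", {}),
    (ts("2023-06-27T08:10:00"), "0xb612", "0xpoolC", "panic", {}),
    # Benign: one pool handed to a long-established multisig, no drain afterwards.
    (ts("2023-06-27T09:00:00"), "0xdeployer", "0xpoolD", "setGov", {"newGov": "0xmultisig"}),
]

def detect_gov_takeover(calls, deployments, min_pools=3, max_age=timedelta(days=30)):
    """Group setGov calls by the new gov address and return an alert for each
    address that takes over at least `min_pools` pools, noting whether the
    contract was deployed within `max_age` of the first handover and which of
    the handed-over pools it subsequently called panic() on."""
    handovers = defaultdict(list)            # new gov -> [(time, pool)]
    for when, _sender, pool, fn, args in calls:
        if fn == "setGov":
            handovers[args["newGov"]].append((when, pool))
    alerts = []
    for gov, events in handovers.items():
        pools = {pool for _, pool in events}
        if len(pools) < min_pools:
            continue
        first = min(when for when, _ in events)
        created = deployments.get(gov)
        drained = sorted({pool for when, sender, pool, fn, _ in calls
                          if fn == "panic" and sender == gov
                          and pool in pools and when >= first})
        alerts.append({"gov": gov,
                       "pools": sorted(pools),
                       "fresh_contract": created is not None and first - created <= max_age,
                       "drained": drained})
    return alerts

if __name__ == "__main__":
    for alert in detect_gov_takeover(CALLS, DEPLOYMENTS):
        print(alert)
```

On the constructed data this yields a single alert for 0xb612 covering three pools, all drained; lowering min_pools to 1 also surfaces the multisig handover, but with fresh_contract False and no drain, which is the distinction a triage rule should key on.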
Conclusion
So far, CertiK has recorded a total of 12 incidents on Arbitrum in 2023, including the Chibi Finance exit scam, resulting in losses of $14 million. The Chibi Finance incident highlights the risks associated with centralization in the Web3 space: the project deployer abused their privileged position to steal user funds, then deleted all social media accounts and the project's website.
For ordinary investors, it is unrealistic to find and understand centralization risks similar to those in the Chibi Finance project through their own research alone. This is where experienced auditors come in.