HitBTC publishes their DVPN wallet mnemonic seed in transaction memo!
Today the HitBTC centralized exchange suffered a loss of 40 million $DVPN tokens after somehow, presumably through human error, managed to make the grave mistake of writing their seed phrase into the memo field of a transaction sending a single $DVPN.
Initial assumptions are that this is no fault of the Sentinel project team or the chains security. Disappointingly HitBTC appears to have publicly blamed the Sentinel project for the loss. Then seem to think that showing other instances of user incompetency somehow makes their claims of issues with the technology somehow rational.
Now what I found interesting was what followed in the aftermath of making such a monumental mistake.
Here are the two fateful transactions first the seed in the memo tx then 13 minutes later whoosh goodbye 40,861,335 $DVPN.
Lets walk through the transactions for fun using Mintscan explorer.
First the thief quickly emptied the HitBTC wallet into their own Sentinel wallet:
Next they made an IBC transactions to move the tokens over to the Osmosis Zone:
After which they then executed three swaps to dump the $DVPN for $ATOM tokens.
Then another IBC transaction was used to withdraw their newly acquired 48,007 $ATOM to the CosmosHub chain.
Here is where the funds sit now. Interestingly it looks like the thief attempted to re-IBC the $ATOM back to Osmosis Zone to do some more trading but failed 3 times in a row.
This is where things stand as of now, I’m sure the Cosmos community will be keeping an eye on these funds and monitoring what happens with them in the future. Stay safe out there! Remember NO SEEDS IN A MEMO!!!!
Apparently someone was impressed enough to send the attackers cosmos address half an atom so they could drop them a note in the memo:
