Dear respected users,
during regular inspection process on February 13th, 2020 (GMT+8), Hotbit has detected that the balance of MWC on Hotbit platform remained abnormal. Considering the security of users’ assets, Hotbit has suspended the withdrawal function of MWC immediately, and meanwhile contacted MWC team for further inspection. The amount of abnormal assets involved in this issue is: 3674.946865253+86644.463524027=90319.41038928 MWC.
After the problem occurred, Hotbit technical team conducted immediate and repeated verification on all backup records on Hotbit platform (because MWC token is based on a private chain, all transactions can only be verified on the wallet). During February 13th, 2020 - February 19th, 2020 (GMT+8), Hotbit team conducted several rounds of communications with MWC team, and MWC team provided Hotbit team with a regular verification method. However, by adopting the regular verification method provided by MWC team, Hotbit team did not detect any abnormal issues regarding the problem, and meanwhile, MWC team also stressed that all Hotbit’s transactions were valid. Considering that the accounts still remained in imbalance, Hotbit continued the communications with MWC team regarding the fact that the wallet could not settle all finished transfers. It was not until February 20th, 2020 (GMT+8) that, based on Hotbit’s analysis and feedback, MWC team developed a new verification tool called txs-bulk-validate for Hotbit’s technical team to detect the problem. After conducting verification with the new tool, Hotbit found that all formerly verified and valid transactions were verified as invalid by the new tool, which finally revealed the cause of the problem: all transfers involved in the double spend attack were calculated and settled in the account balance because MWC713 wallet cannot distinguish invalid transactions. After Hotbit increased the block confirmation number to 60 on January 8th, 2020 (GMT+8), the problem regarding the settlement of invalid transactions by the wallet occurred once again, which showed that MWC713 wallet cannot distinguish true transactions, and that invalid tokens will be settled and calculated.
Despite the fact that Hotbit adopts a sound risk control mechanism, and that Hotbit’s audit team conducts second round of inspection on every transaction, the part of the transactions involved in this problem was still not detected by January 7th, 2020 due to this bug in the wallet.
It appears that several attack attempts have already occurred to MWC blockchain previously. The current issue regarding the double spend attack of MWC has reflected that there is a technical bug with MWC713 wallet, as the current double spend attack took the advantage of MWC713 wallet due to the fact that the existing bug of the wallet prevents the wallet from confirming invalid transfers, which leads to the fact that all invalid transactions have been accepted and saved in the wallet as verified and valid transactions, and that all such non-existing assets became invalid and caused a loss to the platform’s assets.
Due to the fact that the balance of MWC713 wallet remains floating, the platform’s balance cannot be accurately displayed. By January 9th, 2020 (GMT+8), Hotbit’s technical team contacted MWC team, informed them of the issue and closed the withdrawal function of MWC, and MWC team requested Hotbit team to resume the deposit and withdrawal function of MWC at a time when they may already have known that MWC had been attacked. Also, MWC team has provided guaranty for the security of the assets under the account changelly31337@pm.me and requested Hotbit to put this account in the white list of Hotbit’s audit process for the convenience of rapid withdrawal and settlement, and according to MWC team’s statement, the account holder of the account changelly31337@pm.me has already joined MWC team. The abovementioned user has withdrawn 527,799.9401 MWC in total. (If MWC team was already aware of the problem, it could possibly mean that the project team is intentionally taking advantage of the existing bug of MWC wallet at the expense of all users’ assets on Hotbit platform.)
Considering the fact that the bug of MWC wallet caused relevant loss, Hotbit requested MWC team to compensate the loss. However, MWC team refused Hotbit’s request. Instead, MWC team stated that the loss of Hotbit was due to the fact that the number of transaction confirmations on Hotbit platform was too low (after January 8th, 2020 GMT+8, Hotbit has increased the number of confirmation blocks to 60). However, after repeated verification by Hotbit team, according to the time, date and historical data, after Hotbit team increased the number of block verification to 60 on January 8th, 2020 (GMT+8), the invalid verification occurred again, which caused a further loss of 36938.221619844 MWC. What’s more, even if Hotbit conducts on-chain verification now, all transactions involved in the double spend attack are currently still valid, which means that MWC team has not solved the problem with the bug in their wallet until today.
MWC team stated that they suffered two double spend attacks on January 7th, 2020 and January 13th, 2020 respectively, and MWC team intends to attribute the loss caused by the bug of their wallet to the double spend attack and to Hotbit not having conducted sufficient block verification. According to all relevant information above, their logically-flawed statement is trying to avoid their own technical bugs.
Hence, according to the response and announcement of MWC team, Hotbit announces the following response and complements:
1.“We came to the same conclusion that you came to, that the funds were lost in the two 51% percent attacks of 1/7 and 1/13. But why would we compensate you for those losses? We advised you to increase your confirmations from 6 confirmations on November 22 in this telegram channel and you ignored our message.”
There is no connection between the loss and the number of increased heights of confirmation. Due to the existing bug in MWC713 wallet, the wallet cannot verify invalid transactions, which caused MWC blockchain to be attacked by double spend attack, and thus the loss occurred. No matter how Hotbit changes its heights of confirmation, MWC713 wallet will not verify any incorrect transactions. Even if we roll back all the transactions involved in the double spend attack, the wallet still shows that all relevant transactions are valid. Also, according to the communication with MWC team on November 22nd, 2019, the team only “suggested” Hotbit to increase the height of block confirmation, but did not insist that Hotbit must do it, and the team did not inform Hotbit of any possible problems or consequences it may cause.
Hotbit has already increased the height of confirmation from 6 to 60 on January 8th, 2020 (GMT+8) (if any of our users have conducted relevant transactions by that day, the users may check their transactions in their accounts). However, all invalid transactions were still being settled by that time.
Also, after contacting MWC team on February 13th, 2020, Hotbit only manages to obtain the latest verification tool txs-bulk-validate by February 19th, 2020. During February 13, 2020 - February 19th, 2020, Hotbit team has contacted MWC team repeatedly regarding the issue that the problem cannot be verified. Furthermore, before February 13th, 2020, every time Hotbit tried to communicate with MWC team, MWC team only provided solutions to Hotbit team such as reorganize the data, upgrade the node, recover the node and recover the wallet, and there was neither verification tools for Hotbit team to diagnose the problem, nor any information sent from MWC team that informed Hotbit regarding the possible problems.
2.“We also advised you to regularly sweep funds and run check which you also ignored. These actions would have prevented the situation you find yourself in now and if you would have communicated with us we would have been able to give you even more advice about how to prevent this situation.”
There is no connection between cold, hot wallets of Hotbit platform and the double spend attack caused by the bug of MWC wallet, as Hotbit adopts cold and hot wallets as the method of its own asset management, and that the reason that Hotbit changes its hot and cold wallets is to prevent the assets from being stolen by hackers. However, the situation now is that, the wallet itself has not been stolen, but the assets are lost. Just as what we mentioned before, the problem is due to the fact that the existing bug of MWC713 wallet leads to the consequence that all invalid transactions were settled in Hotbit’s platform. Apparently, MWC713 wallet cannot verify invalid transactions. Also, considering the fact that, before the double spend attack issue occurs, MWC mainnet had only been launched for a short period of time, which means that the security level of MWC mainnet is yet to be testified.
3.“In addition, we sent the following email to Hotbit on January 14, 2020:
We also received no response to this email.”
Just as Chris said, after receiving the email, Hotbit BD team immediately forwarded it to Hotbit technical team. After listing MWC on Hotbit, Hotbit BD team has replied to all relevant emails and solved all relevant issues in a timely manner. Also, Hotbit technical team communicated with MWC team regarding the SWEEP issue on Telegram on January 19th, 2020, which proved that Hotbit did not neglect this issue.
Also, the communication did not solve the problem regarding the fact that MWC713 wallet cannot verify invalid transactions.
4.“The MWC chain has performed flawlessly according to the consensus rules since the launch of mainnet on November 11, 2019. Nevertheless, Hotbit halted MWC trading a few days ago after having had withdrawals and deposits closed for several days. They contacted us on February 13 2020, stating that they were missing about 70,000 MWC and that they thought it had happened between February 11 and February 13.
We agreed to help them with the investigation to determine what happened. After reviewing the data, it appears that on January 7th 2020 (the date of the first malicious mining attack) and January 13th (the date of the second malicious mining attack), Hotbit credited around 86,644 MWC in deposits that never confirmed on the blockchain. We believe the vast majority of these deposits were made by the miner behind the attack. Initially, when the reorgs on January 7th, 2020 occurred, we contacted Hotbit immediately and asked them to confirm whether or not they had any losses. They told us at the time, they did not have any losses and reopened trading.”
The above message is the beginning of the announcement published by MWC team, in which the team mentioned relevant time and amount of asset, which is also mentioned by our statement above. Also, Hotbit has never stated that the problem occurred during February 11th, 2020 - February 13th, 2020. Hotbit only discovered the problem on February 13th, 2020 and contacted MWC team immediately afterwards.
5.“It seems that Hotbit did not understand how to confirm which deposits were actually confirmed on the blockchain and which were not and also did not store all required data to fully analyze the situation in detail. They also did not ask us for any assistance in the analysis until February 13th, 2020.”
Hotbit has so far listed more than 400 types of tokens and almost 800 transaction pairs, and is currently running several dozens of different types of mainnet, and this is the evidence. Hotbit does not accept this kind of questioning. Also,
- Regarding the issue of whether certain deposits are confirmed or not, Hotbit team was initially contacting with @Christopher, and the confirmation regarding the settlement of assets was based on MWC713, which was confirmed by both parties by that time. After the problem occurs, Hotbit has always been contacting with MWC team for their support to find out all invalid transactions and providing feedback regarding the latest situations. Just as we mentioned above, MWC team only provided txs-bulk-validate tool by January 19th, 2020 for Hotbit to verify the problems effectively.
- Hotbit has its own data backup system. During the communications, Hotbit has provided MWC team with the analyzed results of all transaction records and verification of tools. The data provided by Hotbit was detailed enough to figure out the problem with the transactions, so what other data does MWC team require?
- The reason that Hotbit requests MWC team to compensate all losses occurred to Hotbit platform is based on sufficient evidences and proofs. Apart from that, according to the token distribution plan released by MWC team, Hotbit believes that MWC team is capable of compensating the loss caused to Hotbit platform.
- Hotbit once detected that several Hotbit accounts had conducted frequent withdrawals of MWC in large quantity within a short period of time, and such activities triggered Hotbit’s risk control system. However, during Hotbit’s regular risk control inspection process, MWC team repeatedly helped the users who hold these accounts to contact Hotbit team and asked Hotbit team to release the withdrawals for these users. What’s more, during this process, MWC team even questioned the fact that Hotbit requested these users to provide their KYC information. After several rounds of communications with MWC team, MWC team agreed to provide guaranty for the asset security of one of these users who triggered Hotbit’s risk control mechanism. However, after Hotbit explained and clarified the definition of guaranty to MWC team, MWC team refused to provide guaranty for the abovementioned user. Instead, MWC team emailed Hotbit team and stated that they only agreed to provide guaranty for another user, which is the user who holds the account mentioned at the beginning of this statement. Considering the problem of the double spend attack, Hotbit team would like to urge MWC team to openly clarify the owners of all these accounts mentioned and their intentions of withdrawing large amount of assets within a short period of time.
- Before February 13th, 2020, as soon as Hotbit detected any abnormal activities, Hotbit would close all deposit and withdrawal functions and contact the project team, and Hotbit has taken many snapshots to prove it, so how can MWC team state that Hotbit did not ask for any assistance in the analysis until February 13th, 2020? Also, before the problem was solved, it was MWC team who repeatedly requested Hotbit to resume the withdrawal function of MWC.
What’s more, by the time Hotbit detected the problem and asked for support, the response that Hotbit has received from MWC can also be seen in the snapshot:
6.“We had reached out to Hotbit on several occasions to state our concerns about their low level of confirmations required for deposits well before the attacks of January 7th, specifically on November 22, 2019 the team recommended to Hotbit that “I’m a little concerned that you allow so few confirmations (6) on deposits. We have a low hash rate and someone may try a double spend attack. I would suggest increasing it.” We received no response to this message.”
The problem that occurred has no connection with the increased number of confirmation heights. Please refer to our first point above.
7.“In addition, we sent the following email to Hotbit on January 14, 2020:
We also received no response to this email.”
Please refer to Hotbit’s detailed response above in point 3.
Supplement:
- Hotbit hereby provides all records of the wallet and the verification tool as follows for all users to download and check. All relevant time spots are mentioned above in this statement as well.
Introduction to verification tool and instructions:
https://github.com/mwcproject/mwc713/blob/master/docs/bulk_transaction_validation.md
Verification tool:
https://github.com/mwcproject/mwc713/releases/tag/3.0.0-beta.2
Look at the attachment for the full record of the MWC wallet (you can view it after decompression by installing the decompression tool 7z)
Also, according to sufficient evidence found by Hotbit recently, it is highly suspicious that the latest verification tool provided by MWC team might not be 100% effective and accurate either. Hotbit team found that there are two backup wallets for the same transaction. However, according to the verified result of the verification tool, one wallet is true, and the other is false.
Known as the exchange with the second largest number of token types listed all over the world, Hotbit has accumulated abundant experience to understand the various types of technical and promotional difficulties encountered by each new type of cryptocurrency asset during their early stages. Hotbit intends to mutually grow with all projects into world-class exchanges and projects. As a matter of fact, had MWC team adopted a more transparent and active manner to solve the problem, the loss caused by the current security problem of MWC could have been minimized as much as possible. However, we regret to say that, throughout the overall process of this problem, MWC team not only lacks the transparent and active manner, but also refuses to undertake any responsibilities when holding huge amount of MWC assets.
Hotbit will continue the communications with MWC team regarding the problem. However, before the problem is solved, Hotbit will terminate the trading, deposit and withdrawal of MWC until further notice, and meanwhile issue relevant warnings to all relevant parties in the industry regarding the security level of MWC mainnet.
Hotbit would like to invite all relevant users to enter Hotbit’s special Telegram channel “MWC Security Issue in Hotbit” for any updates with this issue.
Hotbit sincerely apologizes for any inconvenience caused!
Hotbit team
Feb/26/2020