Hacker Tales: How Did BiFi get BuFu’d out of $2.25MM?

BiFi got BuFu'd

Let’s discuss BiFi.

A few weeks ago, an attack was launched against BIFROST’s BiFi service. The hacker was able to steal 1,852 ETH ($2.25 million) from the project by exploiting a security hole in the service’s address management system.

If you are going to dabble in Ponzi schemes, you better know what the hell you are doing because there is always a better scammer. Here is how one such better scammer took advantage of the flaw:

BIFROST is a cross-blockchain bridge that requires a mechanism for monitoring deposits on one blockchain to allow withdrawals on another.

When a user deposits Bitcoin into the service, the address issuing server generates and digitally signs an address for that person. The address is then accepted and functional on the BiFi platform after this digital signature is verified. The user may then deposit money to that address and transfer assets across the cross-chain bridge.

This method relies on the address-issuing server’s private key, which is used to generate these digital signatures. The attacker was able to gain access to this key, allowing them to produce a genuine digital signature for a deposit address of their choosing.

When the hacker sent bitcoin to their deposit address, the BiFi service interpreted it as a deposit into the service. This gave the attacker a fake balance in BiFi that allowed them to drain the coffers with bogus withdrawals. Because the deposit address was under the attacker’s control, they were able to keep the phony BTC deposit as well.
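The trust problem described above, as an added example that is not BiFi's code: when a valid signature is the only acceptance test, the signing key is a single point of failure, while a second check against an issuance record kept apart from that key still rejects an address the service never issued. The registry, the function names and every value are assumptions made up for illustration, and HMAC-SHA256 stands in for the issuing server's digital signature so the example runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed sample values; nothing here is taken from BiFi.
ISSUER_KEY = b"constructed-issuer-signing-key"
SERVICE_ADDR = "bc1q-service-controlled-0001"    # issued by the service for alice
ATTACKER_ADDR = "bc1q-attacker-controlled-9999"  # never issued by the service

def sign_address(key: bytes, user: str, address: str) -> str:
    """Issuer side: tag binding a user to a deposit address.
    HMAC-SHA256 stands in for the issuing server's digital signature."""
    msg = f"{user}|{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def signature_ok(key: bytes, user: str, address: str, tag: str) -> bool:
    """Constant-time comparison of the presented tag with the expected one."""
    return hmac.compare_digest(sign_address(key, user, address), tag)

def accept_signature_only(key, user, address, tag) -> bool:
    """Design described in the article: a valid signature is sufficient."""
    return signature_ok(key, user, address, tag)

def accept_with_registry(key, registry, user, address, tag) -> bool:
    """Assumed hardening: the address must also appear in an issuance
    record that is stored and written independently of the signing key."""
    return signature_ok(key, user, address, tag) and registry.get(address) == user

def demo() -> dict:
    # Hypothetical issuance record, written only when the service issues an address.
    registry = {SERVICE_ADDR: "alice"}
    good = sign_address(ISSUER_KEY, "alice", SERVICE_ADDR)
    # Key compromise: whoever holds ISSUER_KEY can produce a valid tag for any address.
    forged = sign_address(ISSUER_KEY, "mallory", ATTACKER_ADDR)
    return {
        "legit_sig_only": accept_signature_only(ISSUER_KEY, "alice", SERVICE_ADDR, good),
        "forged_sig_only": accept_signature_only(ISSUER_KEY, "mallory", ATTACKER_ADDR, forged),
        "legit_registry": accept_with_registry(ISSUER_KEY, registry, "alice", SERVICE_ADDR, good),
        "forged_registry": accept_with_registry(ISSUER_KEY, registry, "mallory", ATTACKER_ADDR, forged),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The second check only helps if the issuance record cannot be written with the same credentials that protect the signing key.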
