On October 3 and October 10, 2022, an attacker exploited RayStake by spoofing the stake key in a payment address, causing the vending machine to send the rewards of a specific stake key to the attacker’s address.
The following transactions were made to withdraw funds from RayStake:
This type of payment address, with someone else’s stake key mixed into it, is called a “franken address”. The name reflects that the address is made up of keys from two different seeds.
You can find more details in the video by Andrew Westberg: https://www.youtube.com/watch?v=KULzovfWn-M
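To show why a matching stake part says nothing about who controls an address, here is an added Python example (not RayStake's code): it splits raw Shelley address bytes following the CIP-19 layout and releases a payout only when the payment credential has been verified separately. The `verified_payment` registry and all sample credentials are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

BASE_TYPES = {0, 1, 2, 3}    # CIP-19: payment credential + stake credential
ENTERPRISE_TYPES = {6, 7}    # CIP-19: payment credential only
CRED_LEN = 28                # each credential is a 28-byte key or script hash

@dataclass(frozen=True)
class ParsedAddress:
    addr_type: int
    network: int
    payment: bytes
    stake: Optional[bytes]

def parse_address(raw: bytes) -> ParsedAddress:
    """Split raw address bytes (already bech32-decoded) into their parts."""
    if not raw:
        raise ValueError("empty address")
    addr_type, network = raw[0] >> 4, raw[0] & 0x0F
    body = raw[1:]
    if addr_type in BASE_TYPES and len(body) == 2 * CRED_LEN:
        return ParsedAddress(addr_type, network, body[:CRED_LEN], body[CRED_LEN:])
    if addr_type in ENTERPRISE_TYPES and len(body) == CRED_LEN:
        return ParsedAddress(addr_type, network, body, None)
    raise ValueError(f"unsupported or malformed address (type {addr_type})")

def check_claim(raw: bytes, stake_cred: bytes, verified_payment: set) -> str:
    """Decide whether rewards owed to stake_cred may be paid to this address.
    verified_payment is a hypothetical registry of payment credentials the
    operator has tied to stake_cred by other means (e.g. a stake-key signature)."""
    addr = parse_address(raw)
    if addr.stake != stake_cred:
        return "reject: stake credential does not match"
    if addr.payment not in verified_payment:
        # The stake part is plain data in the address; matching it proves nothing.
        return "hold: payment credential unverified (possible franken address)"
    return "pay"

# Constructed sample data (not real on-chain credentials)
STAKER_STAKE = bytes([0xAA]) * CRED_LEN
STAKER_PAY = bytes([0x11]) * CRED_LEN
OTHER_PAY = bytes([0x22]) * CRED_LEN
HEADER = bytes([0x01])       # type 0 (base, key/key), network id 1 (mainnet)

honest = HEADER + STAKER_PAY + STAKER_STAKE
franken = HEADER + OTHER_PAY + STAKER_STAKE   # same stake part, foreign payment key
```

Both sample addresses carry the same stake credential, so a check that reads only the stake part cannot tell them apart; only the payment credential decides who can spend what is sent there.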
In the four transactions listed above, the attacker accessed a total of 5,554,113 XRAYs and 112 XDIAMONDs. He sold these funds through Minswap DEX and Sundaeswap for 412,253 ADA.
What we know about the attacker
The ADA received from the sale of the stolen funds is at two addresses:
By exploring the chain of inputs and outputs, we found all the wallets involved in this attack:
- stake1u9spzsldtksx952l8wvlnzn3tg0nhgrwcns06rmnp0at6kqsqu5tc (875,515 ADA)
- stake1uywy7hh6u7vjf7z8q4d8lwknh3uz7vsrxltgx7ynljnp6rghsr6hr (65 ADA)
- stake1u9q03k8lk7229qg4l3kjz5lj94mjmdhxg3kycjcr5k3r2nqc3s0ep (109,922 ADA)
- stake1uyhlu6jdwpy08td36me03a4qxc2emx4ld4fmcx4smd2dx9ce52wcx (4,633,683 ADA)
- addr1vyzhn8qj85v5w4e6k7f5389cgz7svsyt933703sg83jq49skrcy4p (184 ADA)
It is worth paying attention to the wallet stake1uyhlu6jdwpy08td36me03a4qxc2emx4ld4fmcx4smd2dx9ce52wcx with 4.6M ADA (at the time of publication, Oct 15, 2022), because there were incoming transactions to the addr1vyzhn8qj85v5w4e6k7f5389cgz7svsyt933703sg83jq49skrcy4p wallet, from which the transactions from the franken addresses were signed. This indicates a direct link between the attacker and this wallet.
A list of such transactions:
An offer of settlement to the attacker
We value the culture of “white hat hackers” who help various information systems find vulnerabilities and fix them.
In view of this, we are willing to offer 20% of the 412,253 ADA you stole in exchange for closing this case.
We believe that 4,600,000 ADA of your funds is not worth a permanent criminal prosecution because of 412K ADA.
Especially since you left a lot of digital footprints that will help DPS Cyber Security keep you in their crosshairs.
Just send the 329,000 ADA (80%) you stole to addr1q9acqkgp6ah0xl6dt6gxtrmj8ee4ehnzfeq9rcuwrldalfsl94rky7hgymnt04zzmn696ksga7526ycypga0p0q5scfquhr65g and we will consider the deal closed.
Affected funds (5.5M XRAY and 112 XDIAMOND) will be returned from Dev Fund to LP / XRAY Staking Program which will be reflected in the final tokenomics.
As RayStake moves into DEX mode (Stage 2), we’re announcing global changes to the XRAY token and tokenomics (spoiler: total cap will be 20% less)!
Stay tuned! And never give up!