Alert to Pando Community: Hack of Pando Rings

Pando Rings suffered a hack yesterday, November 5th, 2022. The attacker exploited a vulnerability in the Pando Rings price oracle and manipulated the price of sBTC-WBTC (the liquidity provider token of the trading pair BTC-WBTC on 4swap) in an attempt to steal approximately $70 million worth of crypto assets. Unfortunately, $21,877,098.03 worth of crypto assets, including ETH, EOS and BTC, were transferred out of the attacker's two Mixin wallets before measures could be taken. Fortunately, with support and assistance from our community, the Pando team was able to have the transferred 2,022,662.9979 EOS (valued at approximately $2,362,761.24) frozen. As for the larger remainder of the hacked funds (valued at approximately $50 million), which are still in the hacker's wallets, we acted as promptly as we could and, with assistance from Mixin Network, have had those funds frozen.

The Mixin wallet IDs of the hacker are:

f059c0ee-cde3-3db9-9079-1aff956172c0

d3a935af-ccc4-3cca-98a0-b1b7a9cc53ca

The source of the funds is:

https://etherscan.io/address/0x204d4b8cfbc37382689fc235bba5a349accdb95e#tokentxns

The funds were withdrawn to the following addresses:

ETH https://etherscan.io/address/0xd3f04cE2d37b182432e2f804F9913a02071CEa54

EOS https://eosflare.io/account/entofkdupows

BTC https://www.blockchain.com/btc/address/bc1qjnsx0sdxksh4w2azwu5ngr8sax46vcu52ljfcx

The Pando Rings, 4swap, Pando Lake and Pando Leaf services have been temporarily halted to ensure that no further vulnerabilities can be exploited. The time for resuming the services has not yet been decided, but we are working to fix the vulnerabilities as soon as we can. We will resume services once the security concern has been completely addressed.

We have taken measures including:

  • Collaboration with the security team SlowMist to trace the asset movements of the hacked funds

  • Tracking identity clues on the blockchain

  • Contacting law enforcement agencies to track down the physical identity of the attacker

  • Working on fixing the vulnerability in the Pando Rings price oracle

We are committed to protecting the safety of users' assets on our platforms. Pando Rings users, please rest assured that if your assets are affected by the hack, we guarantee reimbursement of your assets in full.

We will provide further updates when available. Thank you all for your support.

Pando Team

November 6, 2022

A message to the hacker if you are reading this:

We have sent two messages from the address 0x3e99920e6c40971655e19ad0598454992210499f. There are consequences for perpetrating this theft. Even if not now, it will only be a matter of time. The communication channel is still open. Please get in touch so that we can negotiate what can be done in exchange for the return of the funds.
