Harbor Protocol Exploit Breakdown Incident Report

Harbor Protocol, published in Comdex Official, Aug 24, 2023

Dear Harbor Community,

The past few days have been a test for all of us, team and community members of Harbor protocol alike. We would like to share an update on the status of our efforts to track down the exploiter and trace the funds. Outlined below is an incident report on how the exploit was carried out, and what actions we plan to take as a team going forward.

We would also like to take this moment to give a special shoutout to Rarma, Ray Raspberry, Andres Monty, the MEXC team, and the Simpleswap team, who stepped up selflessly to provide their knowledge and assistance during this time. Their dedication in our hour of need is a profound testament to their commitment to serve and uplift the community. We are deeply grateful for their timely assistance and commend their spirit of community service.

The Exploit:

The exploiter manipulated the prices of three collateral assets, LUNA, stOSMO, and wMATIC, on cSwap, an AMM built on the Comdex chain. Harbor protocol, which runs on Comdex and mints the CMST stablecoin, accepts all three assets as collateral. By inflating their prices on cSwap, the exploiter was able to mint CMST against collateral valued far above its real worth. The total loss from the exploit is currently estimated at ~$250,000.

Harbor's oracle used cSwap as one of its price-feed sources. After inflating the prices, the exploiter borrowed CMST from the three asset vaults at the inflated collateral valuations. Harbor also has a stablemint that works like the PSM on MakerDAO: users can mint CMST 1:1 against other stablecoins, and redeem in the other direction. The exploiter used the borrowed CMST to swap 1:1 into axl.USDC through the stablemint, or swapped CMST for stablecoins on Crescent.

After the last oracle incident, we recognized the need for changes that would require a chain upgrade. While waiting for the appropriate timing for that upgrade, we continued to rely on cSwap as one of the sources for price feeds. This turned out to be the point of vulnerability the exploiter leveraged: the spot price of an AMM pool can be moved by a single large swap, and any vault that values collateral from that spot price will lend against the inflated figure.
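As an added illustration (this is not Harbor's or cSwap's code), the following Python model shows the mechanics described above: a constant-product pool whose spot price is pushed up by one large swap, a vault that mints CMST at whatever valuation its oracle reports, and the same attack run against a median-of-sources feed and a time-weighted average. The pool reserves, fair price, LTV, attack capital and the two "external" feeds are all made-up assumptions, not figures from the incident.

```python
"""Added model of AMM spot-price manipulation against a collateral vault.
Not Harbor/cSwap code; every number below is an assumption."""
from statistics import median


class ConstantProductPool:
    """Toy x*y=k pool quoting `base` (think LUNA) in `quote` (think CMST)."""

    def __init__(self, reserve_base: float, reserve_quote: float, fee: float = 0.003):
        self.reserve_base = reserve_base
        self.reserve_quote = reserve_quote
        self.fee = fee

    def spot_price(self) -> float:
        # Marginal price anyone querying the pool right now will see.
        return self.reserve_quote / self.reserve_base

    def buy_base(self, quote_in: float) -> float:
        """Swap quote -> base; returns the base received."""
        eff = quote_in * (1 - self.fee)
        base_out = self.reserve_base * eff / (self.reserve_quote + eff)
        self.reserve_quote += quote_in
        self.reserve_base -= base_out
        return base_out

    def sell_base(self, base_in: float) -> float:
        """Swap base -> quote; returns the quote received."""
        eff = base_in * (1 - self.fee)
        quote_out = self.reserve_quote * eff / (self.reserve_base + eff)
        self.reserve_base += base_in
        self.reserve_quote -= quote_out
        return quote_out


def spot_oracle(pool, history, external):
    """Vulnerable: the price is whatever the AMM says at this instant."""
    return pool.spot_price()


def median_oracle(pool, history, external):
    """Median of the AMM spot and independent feeds; one source cannot move it alone."""
    return median([pool.spot_price()] + list(external))


def twap_oracle(pool, history, external):
    """Average of earlier (unmanipulated) samples plus the current spot."""
    samples = list(history) + [pool.spot_price()]
    return sum(samples) / len(samples)


def simulate_attack(oracle, fair_price=0.5, ltv=0.66, collateral=100_000.0,
                    capital=100_000.0, window=10):
    """Attacker's net gain in CMST from minting against inflated collateral and
    abandoning the vault. Positive means the oracle lets the vault be drained."""
    pool = ConstantProductPool(reserve_base=200_000.0, reserve_quote=100_000.0)  # spot == fair_price
    history = [fair_price] * (window - 1)   # honest samples before the attack block (assumed)
    external = [fair_price, fair_price]     # two independent feeds (assumed)
    bought = pool.buy_base(capital)         # 1. one large swap pushes the AMM price up
    price = oracle(pool, history, external)
    minted = collateral * price * ltv       # 2. mint at the oracle's valuation
    recovered = pool.sell_base(bought)      # 3. unwind; only fees and slippage are lost
    roundtrip_cost = capital - recovered
    # 4. walk away: the debt is never repaid, collateral is forfeited at fair value
    return minted - collateral * fair_price - roundtrip_cost


if __name__ == "__main__":
    for name, oracle in (("spot", spot_oracle), ("median", median_oracle), ("twap", twap_oracle)):
        print(f"{name:>6}: attacker net gain = {simulate_attack(oracle):,.0f} CMST")
```

With the assumed pool, one 100,000 CMST swap roughly quadruples the spot price, so a spot-fed vault mints well over twice the collateral's fair value while the round trip costs the attacker only a few hundred CMST in fees and slippage. The median feed ignores the outlier entirely, and the TWAP dilutes it across the window. The TWAP caveat a practitioner should keep in mind: it only helps if sustaining the manipulation across the whole window costs more than the attacker can mint, which is not true for a thin pool, so a median across genuinely independent sources plus per-vault debt ceilings is the stronger control.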

The exploit was primarily carried out by two Comdex addresses:

  1. The wMATIC and stOSMO vault exploits were done from https://www.mintscan.io/comdex/accounts/comdex1sma0ntw7fq3fpux8suxkm9h8y642fuqt0ujwt5
  2. The Luna vault exploit was done from https://www.mintscan.io/comdex/accounts/comdex1y70akwhauhxaxf5fl70qk3t76c84ulmsff8j9g

Detailed sheet of IBC token inflows and outflows for both addresses during the exploit:

https://docs.google.com/spreadsheets/d/1RVPYb9V7D8nMq24LrszXniFmBmJZAOr6DD1T6CHlWqQ/edit?usp=sharing

Ref 1. wMATIC and stOSMO vault exploit trail:

The exploiter borrowed CMST from the wMATIC and stOSMO vaults on Harbor, then transferred the CMST to a Crescent address, where it was swapped into axl.USDC in small batches.

Associated Crescent address: https://www.mintscan.io/crescent/accounts/cre1sma0ntw7fq3fpux8suxkm9h8y642fuqtvmrf8w

The axl.USDC was then transferred to an Osmosis address: https://www.mintscan.io/osmosis/accounts/osmo1sma0ntw7fq3fpux8suxkm9h8y642fuqtqgruy3

One of the transaction links:

https://axelarscan.io/transfer/12A5AA88F24B347CFBEC19A2F7F431B32627B686DD8A4D84D93B228B51484EF7

From this Osmosis address, most of the funds were sent to the following Secret Network address:

https://www.mintscan.io/secret/account/secret1tdfqfeqtc5494mrf4hvpm38084x7t8tn7utjgl

Token transfer list of the address:

https://axelarscan.io/address/osmo1sma0ntw7fq3fpux8suxkm9h8y642fuqtqgruy3?tab=token_transfers

Secret Network is a privacy-enabled blockchain; once funds enter Secret, they can no longer be traced on-chain. The two transactions in which funds were sent to Polygon ended up in a null account.

Ref 2. Luna vault exploit trail:

The wallet was initially funded from the Osmosis address:

https://www.mintscan.io/osmosis/accounts/osmo1y70akwhauhxaxf5fl70qk3t76c84ulmsxakq2d

Terra wallet used to fund it: https://chainsco.pe/terra2/address/terra1z4j50ht84x6t95cygx6hvqrpundd5crk7e3ywr?page=2

The exploiter then manipulated Luna's price on cSwap and drew CMST from the vaults.

The CMST was sent to Crescent and swapped into axl.USDC from the pool.

Associated Crescent wallet:

https://www.mintscan.io/crescent/accounts/cre1y70akwhauhxaxf5fl70qk3t76c84ulms2wk4fj

The axl.USDC from Crescent was then sent to the Osmosis wallet that was used for the initial funding:

https://axelarscan.io/transfer/D49E4CFA301A1364A5995023FFD67B27713DDDAE43779880D1B5948A77C0D8DF

The Osmosis wallet then sent the axl.USDC into Secret:

https://axelarscan.io/transfer/18C7E162F25616E76F364ADC3E05F784F14798DCFA62FCD1A6AAA47C2725C440

Secret wallet address: https://www.mintscan.io/secret/accounts/secret1uyys3cmv0w2lg7v8vk9e0wjap883mxc0cg8xlu

On further investigation of the Osmosis wallet, we identified an axl.USDT transfer from Ethereum mainnet on 29 July via Axelar:

https://axelarscan.io/transfer/9DB3C064563CBE8314F85058E6D9228F02E97133605B4A3B87D68FE259EF6078

Ethereum address used to deposit the axl.USDT:

0xE74e4dA80f0799f99AF5E2B5E01190065A7C8e49

Most of the funds from this Ethereum address went on to the Secret network, but it also has a few connected transactions linked to MEXC and Simpleswap, both of which are centralized-exchange addresses.

The ETH address has some transactions to MEXC; the transaction links are below:

Transactions linked to Simpleswap on ETH mainnet:

https://atomscan.com/transactions/FED546F7729985232D33859B6CEF931027D501023CF0488A959D81CD61EF2091

The attacker leveraged the Secret network to divert the funds, which makes them very hard to trace once they transition into Secret. We have reached out to MEXC and Simpleswap to help pinpoint the perpetrator and resolve the situation.

This incident highlights the intricate, multi-step process the exploiter used, spanning several protocols and blockchains, to mask and move the exploited funds.
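One thing worth making explicit about the trail above: the Comdex, Crescent and Osmosis addresses in each reference share the same 32-character payload after the chain prefix (for Ref 1, sma0ntw7fq3fpux8suxkm9h8y642fuqt; for Ref 2, y70akwhauhxaxf5fl70qk3t76c84ulms). Cosmos-SDK addresses are bech32 encodings of a 20-byte key hash, so a wallet that reuses one key on several chains yields the same payload under different prefixes, which lets an investigator link hops across chains without waiting for an IBC transfer. The following Python is an added example, not part of the report: a small bech32 decoder/encoder (BIP-173) used to verify the addresses' checksums, compare payloads, and predict what the same key looks like under another chain's prefix. The Secret addresses in the report do not share this payload (Secret wallets default to a different HD derivation), so they can only be linked by following the transfers, as the report does.

```python
"""Added example: link one key across Cosmos-SDK chains via bech32 payloads.
Not code from the Harbor report; the addresses below are the ones it quotes."""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    """BIP-173 checksum polynomial over 5-bit values."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_decode(addr):
    """Returns (hrp, payload_5bit, checksum_ok). Raises on malformed input.
    Case is normalised rather than rejected, so explorer copy/paste is tolerated."""
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr):
        raise ValueError("not a bech32 string")
    hrp, rest = addr[:pos], addr[pos + 1:]
    data = [CHARSET.find(c) for c in rest]
    if -1 in data:
        raise ValueError("invalid bech32 character")
    ok = _polymod(_hrp_expand(hrp) + data) == 1
    return hrp, data[:-6], ok


def bech32_encode(hrp, data):
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def rehrp(addr, new_hrp):
    """Re-encode a valid bech32 address under another chain's prefix."""
    hrp, data, ok = bech32_decode(addr)
    if not ok:
        raise ValueError(f"bad checksum in {addr}")
    return bech32_encode(new_hrp, data)


def same_key(a, b):
    """True if two bech32 addresses carry the same payload (same key hash).
    Compares payloads only; call bech32_decode to check each checksum."""
    return bech32_decode(a)[1] == bech32_decode(b)[1]


# Addresses quoted in the report.
COMDEX_REF1 = "comdex1sma0ntw7fq3fpux8suxkm9h8y642fuqt0ujwt5"
CRESCENT_REF1 = "cre1sma0ntw7fq3fpux8suxkm9h8y642fuqtvmrf8w"
OSMOSIS_REF1 = "osmo1sma0ntw7fq3fpux8suxkm9h8y642fuqtqgruy3"
SECRET_REF1 = "secret1tdfqfeqtc5494mrf4hvpm38084x7t8tn7utjgl"
COMDEX_REF2 = "comdex1y70akwhauhxaxf5fl70qk3t76c84ulmsff8j9g"
OSMOSIS_REF2 = "osmo1y70akwhauhxaxf5fl70qk3t76c84ulmsxakq2d"
CRESCENT_REF2 = "cre1y70akwhauhxaxf5fl70qk3t76c84ulms2wk4fj"

if __name__ == "__main__":
    for addr in (COMDEX_REF1, CRESCENT_REF1, OSMOSIS_REF1, SECRET_REF1):
        print(f"{addr}: checksum ok = {bech32_decode(addr)[2]}")
    print("Ref 1 comdex/crescent same key:", same_key(COMDEX_REF1, CRESCENT_REF1))
    print("Ref 1 comdex/osmosis same key: ", same_key(COMDEX_REF1, OSMOSIS_REF1))
    print("Ref 1 osmosis/secret same key: ", same_key(OSMOSIS_REF1, SECRET_REF1))
    print("Ref 2 comdex/osmosis same key: ", same_key(COMDEX_REF2, OSMOSIS_REF2))
    print("Ref 1 comdex key as osmo address:", rehrp(COMDEX_REF1, "osmo"))
```

Running it prints whether each quoted address has a valid checksum (a copy/paste error in a report shows up here immediately), confirms the Ref 1 and Ref 2 payload matches, and re-derives the Osmosis form of the Comdex address. Matching payloads mean the same key, not necessarily the same person, but combined with the IBC transfer timing in the report they make the cross-chain attribution much stronger.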

Update on stATOM liquidation refunds

Refunds for the stATOM vault liquidations are scheduled for the upcoming chain upgrade, because transferring the CMST from the collector to the impacted users requires one. We had been waiting for a window in which multiple changes could ship together in a single chain upgrade.

Recent events have complicated that timing. We are still committed to fulfilling that promise in our next chain upgrade and making impacted users whole.

Next Steps

With the help of community members, we have narrowed the search down to a couple of wallet addresses.

Having not heard from the exploiters directly, we have begun pursuing them through a legal route involving law enforcement, who will work closely with MEXC and Simpleswap to help track the funds down.

We have made many sacrifices and fought countless battles to get Harbor protocol to where it is. We are fully committed to putting in our all to track the exploiter and trace the funds.

We will keep sharing updates on our progress and remain open to any help the community is willing to offer at this time.


Harbor protocol is the dApp on the Comdex chain that lets safelisted assets be locked in vaults to mint $CMST against them at a varying interest rate.