Developers Forum for XinFin XDC Network

Circularity Finance

Important Security Alert To All XDC Projects

Dear XDC Community,

56 days ago, a malicious smart contract was deployed on the network, leading to a significant security breach. The deployed smart contract, intended for token burning, is as follows:

Contract Address:
Xdc413642978d8637ca3763ba33ffb704335152040f

Deployed By: xdcE148F3427024f8e3d07FfF26Df26652724618478

This contract has drained our CIFI liquidity pools and exploited a bug in our code, extracting value from XSWAP as well. Consequently, both CIFI and XSWAP pools have been compromised.

Until we can fully identify and address the problem, we are unable to halt this exploitation.

It's crucial to note that many other projects are currently at risk. The transaction history of this malicious contract shows that tokens such as SRX, FXD, PRIME, PLI, BTCx, and many more are in the path of this potential attack.

We are committed to improving our code and felt it necessary to inform the community to ensure the ecosystem's safety. We deeply apologize for any inconvenience or losses this may have caused and hope this transparency helps prevent similar issues in the future.

We are actively working with security experts to identify the root cause with greater clarity. For now, we believe the situation is contained, but we will disable the swap functionality within our ecosystem until the issue is resolved.

We appreciate your understanding and support as we navigate this challenging situation. Together, we can work towards finding solutions and ensuring a more secure network for all.

Sincerely,

The Circularity Finance Team

Discussion (5)

Mr. Popovich

1) Could you please verify your token contract on xdcscan.io?
2) Tell us more about the problem with draining liquidity. Because right now it seems like the problem may happen again and it's a problem with DEXes, but as I understand it you've been hacked and DEXes were used only to swap your tokens.
3) A few dev teams are already decompiling your contracts, and it would be great to see cooperation from your team; it would save a lot of time wasted on your project.
4) And last but not least, please show us your audits and who has audited you, just so we know which team to avoid in the future.

I hope we can count on your cooperation; otherwise it looks like you are hiding something.

Lokesh

Thanks for highlighting this issue. We have verified with the XSwap Team that the PLI pool is safe.

From PLI: we would like to highlight to our community that we are giving the utmost priority to the security of smart contracts and have taken many actions on audits.

@cifi Team, we would like a few more inputs on this issue, and for you to help us understand the bug you identified in the swap logic.

Ronald Mitchell

Thank you for the update and notifying the community at large.

Arturo Cantera Carrasco

My full dev team is checking.
Malicious contracts work more based on obtaining permissions from Wallets but cannot affect other contracts.

We will update here.
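The permission mechanism this comment refers to is the ERC-20 allowance: a wallet that has called approve() on a contract lets that contract pull tokens with transferFrom() until the allowance is spent or revoked. The following is an added, self-contained model of that mechanism (not code from Circularity Finance, XSwap or any project in this thread) with constructed wallet names and balances; it shows how a defender can list which wallets are exposed to a flagged contract and confirm that setting the allowance to zero blocks further pulls.

```python
"""Toy ERC-20 allowance ledger (constructed example, not any project's code).

Models the "permissions from wallets" mechanism: a contract holding an allowance
can pull a wallet's tokens via transferFrom; the defence is to find and revoke
such allowances. Addresses and balances are made-up placeholders; nothing here
talks to the XDC network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UINT256_MAX = 2**256 - 1  # "infinite approval" value many dapp front-ends request


@dataclass
class Erc20Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    # allowances[owner][spender] = amount spender may still pull from owner
    allowances: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        """ERC-20 approve(): owner grants spender the right to pull `amount`."""
        self.allowances.setdefault(owner, {})[spender] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> bool:
        """ERC-20 transferFrom(): caller spends owner's allowance; False if it fails."""
        allowed = self.allowances.get(owner, {}).get(caller, 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != UINT256_MAX:  # infinite approvals are conventionally not decremented
            self.allowances[owner][caller] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def exposures_to(self, spender: str) -> List[Tuple[str, int]]:
        """Wallets exposed to `spender`: min(allowance, balance), non-zero entries only."""
        out = []
        for owner, spenders in self.allowances.items():
            at_risk = min(spenders.get(spender, 0), self.balances.get(owner, 0))
            if at_risk > 0:
                out.append((owner, at_risk))
        return sorted(out)

    def revoke(self, owner: str, spender: str) -> None:
        """Revocation is simply approve(spender, 0)."""
        self.approve(owner, spender, 0)


def demo() -> dict:
    """Exposure-then-revoke scenario on constructed data; returns values for checking."""
    ledger = Erc20Ledger(balances={"wallet_A": 1000, "wallet_B": 500, "wallet_C": 50})
    suspect = "contract_X"  # placeholder for a contract flagged as malicious
    ledger.approve("wallet_A", suspect, UINT256_MAX)  # typical "approve max"
    ledger.approve("wallet_B", suspect, 200)
    ledger.approve("wallet_C", "router_Y", 50)        # approval to an unrelated contract

    exposed_before = ledger.exposures_to(suspect)
    pulled = ledger.transfer_from(suspect, "wallet_A", suspect, 1000)  # allowance lets this succeed
    ledger.revoke("wallet_B", suspect)
    blocked = ledger.transfer_from(suspect, "wallet_B", suspect, 200)  # fails after revocation
    return {
        "exposed_before": exposed_before,
        "pulled": pulled,
        "blocked": blocked,
        "exposed_after": ledger.exposures_to(suspect),
        "balance_A": ledger.balances["wallet_A"],
        "balance_B": ledger.balances["wallet_B"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live chain the same exposure listing is built from Approval events filtered on the spender address; the toy keeps the ledger in memory so the check runs offline. Note that an allowance only matters while the approving wallet still holds a balance, which is why exposures_to() reports the minimum of the two.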

Arturo Cantera Carrasco

Dear Circularity Finance Team,

After our research, the network is totally safe. It's an exploit in your protocol. Now you should verify the smart contracts, explain to your community, and be more transparent.

Could you please verify your token contract on xdcscan.io?
Cooperation with other dev teams decompiling your contracts would be beneficial.
Please share your audits and auditing team details.
We hope for your cooperation to avoid future issues.