Pendulum’s Governance Prevails Over PEN Social Engineering Attack

In mid-April, a number of PEN tokens experienced a breach perpetrated by an attacker, resulting in temporary deposit pauses on the crypto exchange MEXC. Acting swiftly and in close collaboration with MEXC, the Pendulum team effectively averted any significant consequences. The Pendulum team are pleased to report that the stolen PEN tokens have been successfully brought under the control of their rightful owner, and deposits have resumed on MEXC. In this article, we aim to provide transparent insights into the incident, offering a comprehensive breakdown of the events that transpired.

What Happened

A strategic community supporter inadvertently disclosed a wallet seed phrase to a third party, resulting in the breach of their PEN accounts. The attacker, posing as an admin on Telegram, exploited the victim’s trust, ultimately leading to the compromise of their wallet.

The attacker took control of the wallet and began sending unlocked PEN tokens to MEXC for selling purposes. Once the victim realized their wallet had been compromised, they promptly reached out to the Pendulum team for advice and help on mitigation. The team acted swiftly by contacting MEXC who halted deposits, preventing the attacker from further selling PEN tokens and ensuring the protection of the community.

In response to the incident, the Pendulum team advised the victim to stake their entire balance, effectively locking the tokens for a period of at least seven days. The victim was also encouraged to inform local authorities about the breach. This proactive measure was in accordance with Pendulum’s staking pallet, which requires a seven-day unbonding period. It allowed for the necessary time to inform local authorities, work collaboratively towards a solution, and minimize the impact of the incident.

Social Engineering Attack Attempt

The victim was seeking help on the official Telegram channel of a wallet provider. They were then contacted per private message by the attacker, disguising themselves as admin of that channel.

The victim was under the impression they were communicating with an official representative of the wallet project and requested help in staking their PEN. The attacker then directed the victim to a website extracting their private keys — which rendered the wallet’s control in the hands of the attacker. PEN tokens were then unstaked from these addresses:

6gDQi9wtrATW28fXMkJodRKLCBW8YipJbKdUhiu8xSnBapJr

6gcrqpLP5nyyWHPbV8jmeEfhhGxADZgRwWkB6pMPAedryYqP

And after the 7-day unbonding period ended, some of the PEN on these addresses was sent to MEXC to be sold, causing a spike in sell volume. The victim, with the help of the Pendulum team, staked their tokens immediately after learning of the breach. The attacker unstaked them again, in an attempt to gain sole access to the assets.

Solution: Deploying Pendulum’s Built-in Governance

To address the security breach effectively, the governance council decided that all essential transactions were to be conducted as public referendums, requiring root privilege. As some of these solutions involved blocking specific blockchain activities, such as token transfers, our priority was to minimize the required execution time. To expedite the process, the referendums were fast-tracked with the invaluable support of the Pendulum technical committee.

The key transaction, which served as the core solution, involved transferring all remaining funds from the compromised accounts to newly created accounts under the sole control of the victim. This transaction ensured the seamless transfer of the original vesting schedules from the old accounts to the new ones. Notably, this pivotal transaction was successfully executed in block 524,496, marking a significant milestone in the resolution process.

This main transaction was more complex as it first needed to ensure that there were no remaining locks on the two compromised accounts — otherwise the tokens on these accounts could not be moved to new accounts. There are three possible locks that the transaction had to take care of:

• vesting lock: the transaction calls a root extrinsic function in our vesting-manager pallet in order to remove the existing vesting schedules
• staking locks: the transaction unlocks all remaining locks with our staking pallet
• voting locks: the transaction unlocks all locks that are subject to previous votes with the democracy pallet

These unlocks could fail if there are no such locks in place while the transaction was executed. For that reason the transaction was carefully crafted to deal with this situation. The complete transaction is visible and has been submitted as a preimage in block 524,341.

To facilitate instant unlocks and prevent the attacker from manipulating funds before the main transaction, a series of runtime upgrades were proposed by the council via a referendum and fast-tracked by the technical committee. These upgrades involved adjusting configuration parameters and blocking certain actions. Preceding the main transaction, two upgrades were performed, followed by another upgrade to restore the original configuration settings. The code changes for these runtime upgrades together with their execution time are:

• runtime ugprade 1, executed in block 523,537
• runtime upgrade 2, executed in block 523,989
• runtime upgrade 3, executed in block 525,317

Conclusion

It is important to note that this breach was a result of a carefully orchestrated social engineering attack, taking advantage of human vulnerabilities rather than any inherent security flaw in the Pendulum system itself. Pendulum is working properly and without security flaws since inception, benefiting from Polkadot Relay Chain’s shared security. This incident demonstrates how important it is to be aware of the tactics scammers deploy and to properly manage keys.

Thanks to extraordinary efforts by the entire Pendulum team, the remaining PEN are now in the hands of the owner again. The Pendulum team deeply appreciate the patience and support of the Pendulum community throughout this process. We are committed to producing educational content on security and safeguarding PEN tokens in the future.

About Amplitude

Pioneering the internet of fiat. Amplitude is the sister network of Pendulum on Kusama. It will act as a testing ground for Pendulum applications and network parameters and be powered by the AMPE token.

About Pendulum

Building the missing link between fiat and DeFi through a fiat-optimized smart contract blockchain based on Polkadot’s Substrate. Allowing traditional finance fiat services to integrate with DeFi applications such as specialized forex AMMs, lending protocols, or yield farming opportunities. Developed by SatoshiPay.

Keep your eyes on the Pendulum!

Twitter | Telegram Announcements | Telegram Community | Discord | Reddit