On May 14th, approximately 1.2M EOS and 462k USDT were stolen via a re-entry attack exploit on the smart contract of flash.sx, the flash loan service of SX Vault. The BPs were able to reach consensus to uphold the intent of the code, so all stolen funds are safe and will be returned to depositors.
"We are investigating an attack on the vault. The majority of the EOS and USDT in the vault have been stolen." - Source
Yesterday at 12:19 UTC, Yves La Rose from EOS Nation announced the attack on the SX Vault smart contract. The hacker was able to steal 1,180,142.5653 EOS and 461,796.8968 USDT from the smart contract and move them to a newly created account: potghpfcmocs.
"Vaults.sx is a yield aggregator where users can deposit EOS or USDT in return for interest-bearing SXEOS/SXUSDT tokens. The deposited tokens are then available in the flash.sx contract for flashloans and aggregate fees. Finally, SX tokens can be redeemed for a pro-rata share of the underlying funds + aggregated fees again." - Source
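To make the vault mechanics in the quote above concrete, here is an added C++ model (not the vaults.sx or flash.sx code, and not EOSIO's execution semantics) of a vault that mints pro-rata share tokens, serves flash loans from the pooled deposits, and applies two defensive checks that address the class of bug named in this report: a re-entrancy guard that rejects any vault entry while a loan is in flight, and an end-of-call invariant requiring reserves plus fee to be back before the loan call returns. The fee rate, the scenario functions and all amounts are constructed for the illustration.

```cpp
// Added illustration, not SX Vault code: a minimal yield vault with flash loans.
// Shares are minted pro-rata to reserves and redeemed for a pro-rata slice of
// reserves plus accrued fees, as the quoted description explains.
#include <cstdint>
#include <functional>
#include <stdexcept>

// Thrown when a call enters the vault while another call is still in progress.
struct ReentrancyError : std::runtime_error {
    ReentrancyError() : std::runtime_error("re-entrant call rejected") {}
};

class Vault {
public:
    static constexpr uint64_t FEE_BPS = 9;  // 0.09% flash-loan fee (constructed value)
    static uint64_t fee_for(uint64_t amount) { return amount * FEE_BPS / 10000; }

    // Deposit `amount` of the underlying asset; mint shares pro-rata to current reserves.
    uint64_t deposit(uint64_t amount) {
        Guard g(*this);
        uint64_t shares = (total_shares_ == 0) ? amount : amount * total_shares_ / reserves_;
        reserves_ += amount;
        total_shares_ += shares;
        return shares;
    }

    // Redeem `shares` for a pro-rata slice of reserves (principal plus accrued fees).
    uint64_t redeem(uint64_t shares) {
        Guard g(*this);
        if (shares > total_shares_) throw std::invalid_argument("too many shares");
        uint64_t payout = shares * reserves_ / total_shares_;
        reserves_ -= payout;
        total_shares_ -= shares;
        return payout;
    }

    // Flash loan: hand `amount` to the borrower callback, which returns what it repays.
    // Two checks: the Guard blocks nested vault calls from inside the callback, and the
    // final comparison rejects a call that did not restore principal plus fee. On chain
    // the failed assertion would abort the whole transaction; this model just throws.
    void flash_loan(uint64_t amount, const std::function<uint64_t(Vault&, uint64_t)>& borrower) {
        Guard g(*this);
        if (amount > reserves_) throw std::invalid_argument("insufficient reserves");
        uint64_t fee = fee_for(amount);
        uint64_t before = reserves_;
        reserves_ -= amount;
        uint64_t repaid = borrower(*this, amount);
        reserves_ += repaid;
        if (reserves_ < before + fee) throw std::runtime_error("flash loan not repaid");
    }

    uint64_t reserves() const { return reserves_; }
    uint64_t total_shares() const { return total_shares_; }

private:
    uint64_t reserves_ = 0;
    uint64_t total_shares_ = 0;
    bool entered_ = false;

    // RAII re-entrancy guard: set on entry, cleared on exit (including unwinding).
    struct Guard {
        Vault& v;
        explicit Guard(Vault& vault) : v(vault) {
            if (v.entered_) throw ReentrancyError();
            v.entered_ = true;
        }
        ~Guard() { v.entered_ = false; }
    };
};

// Scenario 1: two depositors, one honest flash loan that pays its fee, then the
// first depositor redeems. Returns that depositor's payout (principal + fee share).
uint64_t scenario_pro_rata_payout() {
    Vault v;
    uint64_t a_shares = v.deposit(100000);   // depositor A gets 100000 shares
    v.deposit(300000);                        // depositor B gets 300000 shares; reserves 400000
    v.flash_loan(400000, [](Vault&, uint64_t amt) { return amt + Vault::fee_for(amt); });
    return v.redeem(a_shares);                // fee 360 accrued; A receives 100090
}

// Scenario 2: a borrower that returns only the principal is rejected by the invariant.
bool unpaid_loan_rejected() {
    Vault v;
    v.deposit(100000);
    try {
        v.flash_loan(50000, [](Vault&, uint64_t amt) { return amt; });  // no fee paid
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}

// Scenario 3: a borrower that calls back into the vault mid-loan is rejected by the guard.
bool reentry_rejected() {
    Vault v;
    v.deposit(100000);
    try {
        v.flash_loan(50000, [](Vault& vault, uint64_t amt) {
            vault.deposit(amt);  // nested entry while the loan is open
            return amt + Vault::fee_for(amt);
        });
    } catch (const ReentrancyError&) {
        return true;
    }
    return false;
}
```

The two checks are complementary: the repayment invariant alone says nothing about what the borrower did to the vault's share accounting while the reserves were temporarily low, and the guard alone does not verify that the principal and fee came back, so a practitioner reviewing a flash-loan contract wants to see both.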
For most of the day yesterday the funds were not moved; in the meantime the SX Vault team immediately took action, warning Block Producers and major exchanges to refuse any deposits of those funds.
Until after 15:00 UTC there was still hope that the attack had been carried out by a white hat hacker willing to return the funds voluntarily to the depositors. Indeed, EOS Nation also offered a bounty of 100,000 USDT for the return of the funds.
"EOS Nation is offering a 100,000 USDT bounty to the white hat hacker who identified the re-entry attack exploit on the flash.sx smart contract.
The reward will be transferred to the account of your choice once the 1,180,142.5653 EOS and 461,796.8968 USDT are returned to the flash.sx account."
The hacker remained silent (at least publicly) and, around 10:00 UTC, started distributing the stolen funds across several new EOS accounts, replicating the strategy used by an earlier hacker of DICE, a gambling dApp.
This would have made the tracking and freezing of the accounts much more complicated for the Block Producers, who until then had not yet updated the community.
In the meantime, Dan Larimer also learned of the incident and was in favor of enforcement by the Block Producers to respect the intent of the contract, "in the same way ETH enforced the intent of DAO".
After a few hours, around 2:00 UTC, the Block Producers reached consensus and, through a multi-signature transaction, changed the owner and active permissions of all accounts created by the hacker to the eosio.prods account.
In this way they regained control of all funds, which will soon be returned to depositors, without the need for a hard fork, and set a precedent for protecting the intent of a smart contract in favor of its users. This precedent will discourage other hackers from attacking smart contracts in the future, promoting white hat initiatives and making the DeFi ecosystem more secure.
History was made!