Cross-chain service Mixin Network this weekend offered the attacker who exploited the platform a reported $200 million “bug bounty reward” for the return of its users’ funds.
“Most of our platform assets belonged to users and we hope you can pay them back. You can keep $20 million of the assets as a BUG Bounty reward for the BUG. Contact us at [email protected] for the reward details,” Mixin wrote in one message in the chain as highlighted by blockchain security company PeckShield.
However, in an update posted today on X (formerly Twitter), Mixin said the The losses were not as great as estimated. “We have completed most of the inventory work and the situation is much more optimistic than expected. The losses are not as great as estimated. Once again we remind everyone not to transact, market make, etc. on Mixin Network for the time being to avoid unnecessary losses.
“Specific refund rules still need some time,” it added.
Mixin’s $200 million hack
Late on Sunday, Mixin Network said it had temporarily suspended deposit and withdrawal services, following the reported $200 million exploit, until it could implement a fix.
Another security company, SlowMist, reported the attack targeted Mixin Network’s database of cloud service providers on Saturday.
Mixin confirmed that its cloud service provider had been attacked by hackers, “resulting in the loss of a number of assets on its mainnet,” adding that it had contacted Google and SlowMist to assist with an investigation.
“After discussion and consensus among all nodes, these services will be reopened once the vulnerabilities are confirmed and addressed. During this period, transfers will not be affected,” Mixin said at the time.
The attack on Mixin was the latest exploit of crypto projects via third-party providers in a week after OpenSea and Nansen were also hit by security breaches at one of their vendors. It remains unclear whether the incidents are related, with Nansen urging the third-party vendor to make the breach public.
If the funds are not returned, the Mixin Network exploit could be one of the largest DeFi exploits to date, according to The Block’s data dashboard.
Only half of users’ assets are safe
During a subsequent livestream, Mixin founder Feng Xiaodong said that for now the team “can only guarantee that at least half of the assets are safe.” “It doesn’t matter what your assets are – whether it’s bitcoin or ether – we will make sure that half of them remain untouched. We are trying to find a way to get the compromised money back, but that is very difficult.”
For the rest of the assets, Feng says Mixin is considering issuing “bond tokens” for users to claim, with plans for a future buyback.
Mixin’s token,
XIN/USD price chart. Image: Coin gecko.