A hot wallet vulnerability was discovered at Bitrue, a Singapore-based cryptocurrency exchange. It enabled attackers to extract approximately $23 million in cryptocurrency assets. On April 14, they disclosed this via a tweet. According to CoinGecko statistics, they exchange an average of more than $1 billion every day, with bitcoin and ether among the most-traded token pairings.
The tweet read, “We have identified a brief exploit in one of our hot wallets on 07:18 (UTC), 14 April 2023. We were able to address this matter quickly and prevented the further exploit of funds.”
Bitrue announced the news, stating that the company was forced to temporarily stop all withdrawals owing to a “brief exploit” of its hot wallet. Following further security measures, the company aims to resume withdrawals on April 18, 2023. The attacker was able to extract around $23 million in Ethereum (ETH), Quatn (QNT), GALA, Shiba Inu (SHIB), Holo (HOT), and Polygon (MATIC).
Bitrue emphasized that it was able to resolve the issue immediately, allowing the platform to avoid additional draining of cash. “We take this matter seriously and are currently investigating the situation.” According to Bitrue, the affected wallet had less than 5% of total reserves, while the remaining wallet was unaffected. The exploit is said to be carried out in their hot wallets.
Hot wallets are a form of cryptocurrency wallet that is used to store coins that are immediately accessible and linked to the internet. However, they are more vulnerable to hacks and theft than cold wallets, which are not linked to the internet.
The attacker exchanged 173,000 QNT, 22.55 billion SHIB, 46.4 million GALA, and 310,000 MATIC for 8,540 ETH according to blockchain security firm PeckShield. They also found the Ethereum address where the stolen funds were deposited. The address presently has $3.2 million in assets, primarily in SHIB and HOT.
Bitrue officials committed to reimburse any identifiable users who were harmed by the event in full. In 2019, the exchange was subjected to another assault in which around $5 million in Ripple (XRP) and Cardano (ADA) tokens were drained from Bitrue. This exploit happened due to a flaw in its internal review processes, enabling attackers access to user accounts.
Exploits in the crypto industry are becoming very common. On April 13, Aave and Yearn Finance suffered an exploit of over $11 million. Demands for stricter rules for the industry are being made. Other major firms to have experienced exploits in 2023 are Euler Finance, SushiSwap and Platypus among others. Since the beginning of the year, more than $20 million has been stolen from the DeFi market, according to DefiLlama.
