Cross-chain service Mixin Network has offered the attacker who exploited the platform for a reported $200 million over the weekend a $20 million “bug bounty reward" for the return of its users’ funds.
“Most of our platform assets were users’, and we hope you can refund them. You can keep $20 million of the assets as a BUG Bounty Reward for the BUG. Contact us via [email protected] for the reward details,” Mixin wrote in an on-chain message as flagged by blockchain security firm PeckShield.
However, in an update posted on X (formerly Twitter) today, Mixin said the losses were not as significant as estimated. “We have completed most of the asset tally work, and the situation is much more optimistic than expected. The losses are not as significant as estimated. Again, we remind everyone to avoid making transactions, market making, etc., on Mixin Network, for now, to prevent unnecessary losses.”
“Specific reimbursement rules still need some time,” it added.
Mixin’s $200 million hack
Late Sunday, Mixin Network said it had temporarily suspended deposit and withdrawal services, following the reported $200 million exploit, until it can implement a fix.
Another security firm, SlowMist, said the attack targeted Mixin Network's cloud service provider database on Saturday.
Mixin confirmed its cloud service provider was attacked by hackers, “resulting in the loss of some assets on its mainnet,” and added that it had contacted Google and SlowMist to assist with an investigation.
"After discussion and consensus among all nodes, these services will be reopened once the vulnerabilities are confirmed and fixed. During this period, transfers are not affected," Mixin said at the time.
The attack on Mixin was the latest crypto project exploit via third-party providers in a week after OpenSea and Nansen were also impacted by security breaches at one of their vendors. It remains unclear if the incidents are related, with Nansen urging the third-party vendor to disclose the breach publicly.
If the funds are not returned, the Mixin Network exploit could sit among the largest DeFi exploits to date, according to The Block’s data dashboard.
Just half of users’ assets are safe
During a subsequent livestream, Mixin founder Feng Xiaodong said the team "can only ensure at least half of the assets are secure," for now. "No matter what your assets are — whether it's bitcoin or ether — we will ensure that half of it is unaffected. We’re trying to find a way to recover the compromised money, but that is very difficult."
For the rest of the assets, Feng said Mixin is considering issuing "bond tokens" for users to claim, with plans for a future buyback.
Mixin's token, XIN, is down around 25% following the hack, currently trading at $163.37, according to CoinGecko data.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.