On June 27, 2023, the Chibi Finance team carried out an exit scam in which investors lost over $1 million. The project's deployers used their centralized privileges to transfer user funds out of the Chibi-owned contracts, converted them to ETH, bridged the ETH to the Ethereum network, and finally deposited it into Tornado Cash.
This incident is the 12th major event CertiK has recorded on the Arbitrum network in 2023. Taken together, these events, spanning hacks, scams, and exploited vulnerabilities, have caused a total loss of $14 million.
Event Summary
Although the Chibi Finance exit scam took place on June 27, it was likely planned several days in advance or earlier. On June 15, an external address (0xa3F1) withdrew 10 ETH from Tornado Cash; 2 ETH of this was transferred to the Ethereum network via a cross-chain bridge. Four days later, on June 19, a further 7.8 ETH was transferred. Most of the ETH went to address (0x1f19). On June 23, however, 0.2 ETH was sent to address (0x80c1) to cover the gas fees for adding the Chibi pools and creating the contract (0xb612) that would later be used to drain them.
Chibi continued to hype its project, and on June 26 it announced in its Telegram group that it had been listed on CoinGecko.
Image: Chibi Finance Discord Announcement | Source: Twitter
However, on June 27, setGov() was called on each Chibi pool, setting the gov address to contract 0xb612. In Chibi's contracts the gov address acts as the owner: the privileged functions are guarded by the onlyGov modifier, which restricts their execution to the current gov address.
Image: setGov() Transaction | Source: Arbiscan
After gaining control of the pools, address (0x80c1) removed a total of 539 ETH in liquidity. A further 17.9 ETH was obtained from address (0x1f19), bringing the total to 556 ETH.
Image: Conversion of stolen funds to WETH | Source: Arbiscan
These funds were subsequently bridged to Ethereum in two transactions: 400 ETH via the Multichain cross-chain bridge and 156 ETH via the Stargate cross-chain bridge. A total of 555 ETH was deposited into Tornado Cash, after which two transactions of 0.5 ETH each were sent to two different EOAs. One went to a new wallet (0x9297), which still holds the ETH at the time of writing. The other 0.5 ETH was sent to junion.eth, who had previously sent on-chain messages to the Euler exploiter as a gesture of gratitude for their service.
Image: On-chain message | Source: Etherscan
Attack Process
The exit scam was made possible by the centralized privileges of the _gov role in the Chibi Finance contracts. The attack began on June 23, when EOA (0x80c1) received 0.2 ETH from EOA (0xa3F1) and deployed a malicious contract.
Image: Malicious contract creation | Source: Arbiscan
The next phase consisted of a series of addPool() calls registering multiple contracts owned by Chibi Finance.
Image: Calling addPool() | Source: Arbiscan
On June 27, the deployer of the Chibi Finance contracts called setGov() on multiple Chibi contracts, assigning the _gov role to the malicious contract created by EOA (0x80c1). This role carries privileges in the Chibi Finance contracts that allow its holder to call the panic() function and remove users' funds from the contract.
Image: setGov() transaction and example transaction | Source: Arbiscan
EOA 0x80c1 then called execute() on the malicious contract to begin extracting funds. The malicious contract iterated through each Chibi Finance contract registered by the addPool() transactions of June 23 and called panic() on it. This function pauses the contract and withdraws its funds.
The stolen funds were then transferred to EOA 0x80c1.
Image: Stolen funds | Source: Arbiscan
These funds were then converted to WETH, bridged to the Ethereum network, and deposited into Tornado Cash.
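The following is an added illustration, not Chibi Finance's source code and not part of the original write-up. The first contract reconstructs the privilege pattern the analysis describes, using the names it gives (gov, onlyGov, setGov, panic); the function bodies are an assumption. The second contract keeps the same surface but removes the centralization risk: panic() can only halt the pool, no privileged path can move user funds, and a gov change is a two-step, timelocked process that emits events a monitor can alert on. The token interface, the GOV_DELAY value and the deposit/withdraw bookkeeping are also assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (a real pool would use an ERC20 library).
interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Reconstruction of the privilege pattern in the write-up. The names
// (gov, onlyGov, setGov, panic) come from the write-up; the bodies are
// an assumption, not Chibi Finance's source.
contract CentralizedPool {
    IERC20 public immutable token;
    address public gov;
    bool public paused;
    modifier onlyGov() {
        require(msg.sender == gov, "not gov");
        _;
    }
    constructor(IERC20 _token) {
        token = _token;
        gov = msg.sender;
    }
    // One transaction, no delay, no second approver: full control can be
    // handed to any address, including a freshly deployed draining contract.
    function setGov(address newGov) external onlyGov {
        gov = newGov;
    }
    // "Emergency" function that pauses AND withdraws. The pause is a
    // legitimate control; the withdrawal to a mutable gov address is the risk.
    function panic() external onlyGov {
        paused = true;
        require(token.transfer(gov, token.balanceOf(address(this))), "transfer failed");
    }
}

// Same surface with the risk removed: panic() only halts the pool, no
// privileged path moves user funds, and a gov change is two-step and
// delayed, with events a monitor can alert on before the new gov has power.
contract HardenedPool {
    IERC20 public immutable token;
    address public gov;          // in practice a multisig, not a single EOA
    address public pendingGov;
    uint256 public govChangeReadyAt;
    uint256 public constant GOV_DELAY = 2 days; // assumption: tune per project
    bool public paused;
    mapping(address => uint256) public deposits;

    event GovChangeProposed(address indexed newGov, uint256 readyAt);
    event GovChanged(address indexed oldGov, address indexed newGov);
    event Paused(address indexed by);

    modifier onlyGov() {
        require(msg.sender == gov, "not gov");
        _;
    }
    constructor(IERC20 _token) {
        token = _token;
        gov = msg.sender;
    }
    function proposeGov(address newGov) external onlyGov {
        pendingGov = newGov;
        govChangeReadyAt = block.timestamp + GOV_DELAY;
        emit GovChangeProposed(newGov, govChangeReadyAt);
    }
    // The proposed address must accept, and only after the delay, which
    // gives depositors and monitors a window to withdraw or raise alarms.
    function acceptGov() external {
        require(msg.sender == pendingGov, "not pending gov");
        require(block.timestamp >= govChangeReadyAt, "timelock active");
        emit GovChanged(gov, pendingGov);
        gov = pendingGov;
        pendingGov = address(0);
    }
    // Emergency stop that cannot move funds anywhere.
    function panic() external onlyGov {
        paused = true;
        emit Paused(msg.sender);
    }
    function deposit(uint256 amount) external {
        require(!paused, "paused");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
    }
    // Withdrawals stay open even while paused, so a pause never traps user
    // funds; only the depositor can move their own balance.
    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount; // reverts on underflow in 0.8.x
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing a pool for the risk this incident illustrates, the questions to ask of the first contract are the ones the second one answers: can a single key replace the owner role in one transaction, and does any owner-only function move user funds to an address that role controls? A GovChangeProposed event followed by a pending address that is a freshly deployed contract is exactly the signal a depositor-side monitor should alert on during the delay window.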
Final Thoughts
So far, CertiK has recorded 12 incidents on Arbitrum in 2023, including the Chibi Finance exit scam, for a total loss of $14 million. The Chibi Finance incident illustrates the risks of centralization in the Web3 space: the project's deployers abused their privileged role to steal user funds, then deleted all of their social media accounts and the project's website. Ordinary investors cannot realistically be expected to discover and understand the centralization risks in a project like Chibi Finance through their own research alone, and this is where experienced auditors add value. During an audit, CertiK can clearly articulate the centralization risks a project carries so that investors understand what they are exposed to.