26M TRX is gone due to a “backdoor” in bytecode

On May 3, 26.7 million TRX was taken by an attacker known as “wojak” (Discord name; address: THeRTTCvN4SHEVYNqcLVLNGGVsWLR4smyH). These TRX tokens were worth around 700K USD at the time. This is the second big security incident for the TronBank team since the huge theft of BTT tokens from BTTBank. The cause this time was a backdoor that someone had planted in the withdraw function of the smart contract.

According to the Tronbank team’s statement, they tried many times to compile the smart contract and verify it on TSC (TronSmartContract.space), but every attempt failed. So they used TSC itself to compile and deploy, and somehow the backdoor was injected by Khanh (author of https://tronsmartcontract.space/#/author, Tron address: TTX5N2wxLeyWBSNE6UeaBjCFZbpa2FH6jr).

The above statement was from the post here.

Once a smart contract is deployed, only the compiled bytecode is on chain, which is not human friendly and hard to inspect without reverse engineering tools. The backdoor was added to the smart contract function withdraw(). Using our online decompiling tool, we can easily find the backdoor code:

From the screenshot above, we can clearly see that when msg.value is 0x2E87 (11911 sun) the smart contract sends the contract’s entire balance to the sender. The attacker wojak therefore transferred all the TRX to his own address by calling the withdraw function with a value of 0.011911 TRX:
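The trigger described above, as an added example that is not part of the original post and is not Trustlook’s tool: a tiny EVM/TVM opcode walker that disassembles PUSH operands and flags any place where msg.value (CALLVALUE) is compared for equality against a hard-coded constant. The bytecode sample is constructed to mimic the described shape, not the TronBank contract’s real bytecode, and the CALL argument setup is deliberately elided.

```python
# Added example: minimal opcode walker for the "msg.value == constant" backdoor shape.
# Not Smart Contract Guardian, and SAMPLE below is constructed, not real TronBank bytecode.

PUSH1, PUSH32 = 0x60, 0x7F
NAMES = {0x00: "STOP", 0x14: "EQ", 0x15: "ISZERO", 0x30: "ADDRESS", 0x31: "BALANCE",
         0x33: "CALLER", 0x34: "CALLVALUE", 0x57: "JUMPI", 0x5B: "JUMPDEST",
         0x80: "DUP1", 0xF1: "CALL"}
SUN_PER_TRX = 1_000_000  # msg.value inside a TVM contract is denominated in sun


def disassemble(code: bytes):
    """Return (offset, mnemonic, immediate) tuples; immediate is None except for
    PUSHn, whose operand bytes are consumed so they are never read as opcodes."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            out.append((pc, f"PUSH{n}", int.from_bytes(code[pc + 1:pc + 1 + n], "big")))
            pc += 1 + n
        else:
            out.append((pc, NAMES.get(op, f"UNKNOWN_{op:02x}"), None))
            pc += 1
    return out


def find_callvalue_magic(code: bytes):
    """Return [(offset, constant)] for each adjacent CALLVALUE / PUSHn / EQ triple,
    i.e. an `if (msg.value == <constant>)` check, in either operand order."""
    ins, hits = disassemble(code), []
    for a, b, c in zip(ins, ins[1:], ins[2:]):
        if c[1] == "EQ" and "CALLVALUE" in (a[1], b[1]):
            pushed = a if a[1].startswith("PUSH") else b
            if pushed[1].startswith("PUSH"):
                hits.append((a[0], pushed[2]))
    return hits


# Constructed sample: when msg.value == 0x2E87 the code jumps to a path that
# pays the contract's whole balance to CALLER (CALL arguments elided).
SAMPLE = bytes.fromhex(
    "34"      # 0:  CALLVALUE
    "612e87"  # 1:  PUSH2 0x2e87 (11911 sun)
    "14"      # 4:  EQ
    "6009"    # 5:  PUSH1 0x09 (jump target)
    "57"      # 7:  JUMPI
    "00"      # 8:  STOP (the normal withdraw path would continue here)
    "5b"      # 9:  JUMPDEST, backdoor path
    "3031"    # 10: ADDRESS BALANCE -> entire contract balance
    "33f1"    # 12: CALLER CALL     -> send it to msg.sender
)

if __name__ == "__main__":
    for off, const in find_callvalue_magic(SAMPLE):
        print(f"offset {off}: msg.value == {const} sun ({const / SUN_PER_TRX} TRX)")
```

Run against the constructed sample it reports the 11911 sun (0.011911 TRX) trigger; a compiler’s ordinary non-payable check (CALLVALUE DUP1 ISZERO) is not flagged.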

One interesting part of the story is that after the attack occurred, wojak claimed in the Discord channel that he had not noticed the transfer of the tokens until a later review, and that he had originally been testing his program against all smart contracts on the Tronbank network.

He also stated that he would refund all tokens to the original investors, but instead disappeared.

One lesson from this attack is that a security issue in the blockchain ecosystem is no longer just an advisory and a patch: it means real financial loss for investors and users. Also, since a smart contract’s final form is meant for the virtual machine and not for humans, we should be aware of the real logic in the bytecode, not just the source code, especially when the binary was not compiled by your own compiler. Even though bytecode is not meant to be read by humans, with the help of a decompiler such as Smart Contract Guardian the logic of the bytecode can still be recovered clearly. We also offer a bytecode-level smart contract audit service to make sure your contracts are safe and operate according to the logic they are supposed to.

Trustlook Launches Smart Contract Auditing Platform Smart Contract Guardian

SAN JOSE, Calif., Jan. 11, 2019 (GLOBE NEWSWIRE) — Trustlook, the global leader of AI-powered cybersecurity, launched Smart Contract Guardian (SCG), a smart contract bytecode decompiling platform and announced a free smart contract auditing service based on this platform.

https://www.trustlook.com/products/smartcontractguardian

The open source spirit of Ethereum is intended to allow developers to share their work with the community so innovative platforms and applications can be built. However, according to a survey conducted by Trustlook at the end of 2018, roughly 2 million smart contracts have been built and deployed on the Ethereum network, but over 80% were published only as unreadable low-level bytecode. This makes it nearly impossible for the average developer to analyze the contents of these smart contracts, which leads to the widespread use of insecure and unreliable contracts. This is likely a key enabler for a number of serious incidents on the Ethereum network.

Trustlook’s SCG decompiles unreadable smart contract bytecode into Solidity, a familiar and readable high-level language. There currently exists no product on the market which matches SCG in maturity or capability. Additionally, the decompiler has been released for free online use, which gives developers a convenient tool for analyzing previously opaque smart contracts. Trustlook is hopeful that in the process of using SCG, community developers will also improve the quality and security of the Ethereum network.

The security of smart contracts is critical since they may not be altered once deployed. Accordingly, the ability to audit smart contracts is necessary to ensure their security, as their bugs can directly cause thousands or millions of dollars in damages to digital currency exchanges and users.

Therefore, Trustlook has decided to provide the smart contract auditing service for free to the community while launching the SCG platform.

The founding team at Trustlook are cybersecurity veterans with over ten years of industry experience, with deep understanding of traditional cybersecurity fields as well as cutting edge blockchain security issues. Trustlook seeks to provide security and reliability to all smart contract based services in order to build a safer and more mature Ethereum network.

About Trustlook
Trustlook (www.trustlook.com) is a global leader in next-generation cyber security products based on artificial intelligence. Their innovative SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack. Trustlook’s solutions protect users from both known and zero-day threats by analyzing millions of code-level and behavior combinations to find malicious patterns. Founded in 2013, the company is headquartered in San Jose and managed by leading security experts from Palo Alto Networks, FireEye, Google and Yahoo.