Mixin Network, a protocol designed to address blockchain scalability issues, has fallen victim to a significant hack, resulting in losses of nearly $200 million. This breach, which occurred in the early hours of September 23, 2023, has raised questions about the security of the network and the implications of its centralized design.
This incident is particularly noteworthy because Mixin Network operates as a service similar to a layer-2 protocol, aiming to facilitate cheaper and more efficient cross-chain transfers. However, the hack has underscored a major drawback – its reliance on a centralized database, which introduces a single point of failure.
What is Mixin?
Founded in 2017, Mixin Network had nearly $400 million across 48 chains locked within its protocol before the hack. This decentralized exchange and cross-chain network enables users to transfer digital assets with ease, using phone numbers as identifiers. Xiaolai Li, a Chinese billionaire and early Bitcoin enthusiast, is among the network's early angel investors.
In July, the top 100 assets on the Mixin Network had a combined value of slightly over $1.1 billion, with 663,489 unique monthly transactions involving Bitcoin and 179,647 Ether transactions.
Mixin Network's cloud service provider was the target of this daring attack, as confirmed by blockchain security consultancy SlowMist. In the aftermath, Mixin Network issued a statement acknowledging the breach, confirming the loss of assets, which are estimated at approximately $200 million. According to data released by Rekt, Mixin's hack could be the largest one of the year so far, surpassing the $197 million heist targeting Euler, a cryptocurrency lending platform, earlier in March.
The statement on X, formerly Twitter, also mentioned that Mixin Network would be suspending its deposit and withdrawal services to assess the extent of the damage and shore up its security infrastructure.
Following the breach, Mixin Network enlisted the help of cybersecurity experts, including SlowMist and Google, to investigate the hack and explore potential solutions. Meanwhile, blockchain trackers like PeckShield and Lookonchain have already identified roughly $141 million of the stolen assets. This total includes $93.5 million in ETH, $23.5 million in DAI (swapped from USDT), and $23.3 million in BTC.
The significant value of this heist has drawn comparisons to other major crypto thefts this year. While suspicions have been raised about the involvement of the notorious Lazarus group, known for crypto heists, no conclusive evidence links them to this hack.
Founder's Compensation Plan Sparks Controversy
Mixin Network's founder, Xiaodong Feng, responded swiftly to the breach by outlining a compensation plan for affected users. However, the compensation plan, while commendable, raised eyebrows as it initially offered to reimburse users for only up to 50% of their assets.
Questions about the network's security also emerged. Zhuoer Jiang, CEO of Bitcoin mining pool BTC.TOP, asserted that the stolen Bitcoin should have been secure in cold storage, unaffected by the cloud server hack that compromised Mixin's hot wallets. In a July report, Mixin had disclosed holding approximately 9,544 BTC, valued at roughly $253 million, in its protocol.
In a live briefing, Mixin founder Xiaodong Feng identified Bitcoin as the "core asset" stolen and promised to compensate users for up to 50% of their stolen assets. The remaining compensation would be distributed as "tokenized liability claims," eventually repurchased by Mixin with future profits.
Unfortunately, this hack is far from an isolated incident in the crypto industry: almost $1 billion had been lost to hacks and scams in 2023 alone, according to an August report from Certik. With the hacks since then, that figure has likely gone over $1 billion, and the year isn't even over yet. The incident is a stark reminder of the security challenges faced by the crypto industry, in both its decentralized and centralized spaces.