Mixin Network Proposes $20 Million Bug Bounty to Hacker in $200 Million Security Breach

Mixin Network, the Beleaguered cross-chain transactional network for digital assets, which suffered an attack on Sept. 23 wiping $200 million, has offered a bug bounty to the exploiter on Wednesday.

“Most of our platform assets were users’, and we hope you can refund them. You can keep $20M of the assets as a BUG Bunty Reward for the BUG,” the company said in a note to the exploiter on Etherscan.

From @MixinKernel to the Mixin Network Exploiter: "… You can keep $20M of the assets as a BUG Bounty Reward for the BUG…" https://t.co/Zb9H43uYXA pic.twitter.com/DDHCpKzGbB

— PeckShield Inc. (@peckshield) September 27, 2023

The Hong Kong-based crypto firm urges the hackers to contact them via [email protected] for further information on the bounty reward.

Following the hack, Mixin temporarily halted deposit and withdrawal services to its customers, until the vulnerabilities were fixed after “discussion and consensus among all nodes.” It also wrote on X (Twitter) that the blockchain security company SlowMist has stepped in to assist with an investigation.

[Announcement] In the early morning of September 23, 2023 Hong Kong time, the database of Mixin Network's cloud service provider was attacked by hackers, resulting in the loss of some assets on the mainnet. We have contacted Google and blockchain security company @SlowMist_Team…

— Mixin Kernel (@MixinKernel) September 25, 2023

The Mixin team said on Sept. 25 that it would announce the solution for how to deal with the lost assets in a later date. Mixin founder Feng Xiaodong will discuss the exploit at a live stream in Mandarin on Monday, it added.

During the live stream, Xiaodong said that the Mixin team can “only ensure at least half of the assets are secure,” as of now.

Mixin: Situation is “More Optimistic”

Aside from announcing a bug bounty to the exploiters, Mixin said in a separate post that “the situation is much more optimistic than expected,” after the completion of asset tally work.

[Update]
The first time the incident occurred, we contacted Google (Mandiant) and blockchain security company @SlowMist_Team to assist with the investigation.

After several days, we have completed most of the asset tally work, and the situation is much more optimistic than… https://t.co/ySOHCkGK7t

— Mixin Kernel (@MixinKernel) September 27, 2023

The platform reassured that the assets lost “are not as significant as estimated” and reminded users that the asset transactions and market making services still remained suspended “to prevent unnecessary losses.”

“Regarding the asset losses, we can only take responsibility through action besides apologizing. At the same time, being responsible has always been Mixin’s attitude. Specific reimbursement rules still need some time.”

However, according to a local report, Xiaodong said that the platform would refund users up to 50% of the losses incurred and the remaining funds will be paid in the form of bond tokens.