Over the weekend, cryptocurrency exchange Trade.io announced that they were victims of a hack. 50M of Trade.io’s native ERC-20 token, Trade (TIO), valued at $7.5M, were stolen. On October 20, 2018, the Trade.io security team shared a press release that explains what happened:
The Trade.io security team was alerted to a large transaction originating from our wallet holding 50M Trade Tokens (TIO) owned by Trade.io reserved for the liquidity pool. Immediately following the alert, our trade monitoring observed abnormal trading of TIO on external exchanges. These exchanges were immediately alerted to disable deposits/withdrawals and trading of TIO, and our security team began its investigation.
The press release also details how the KuCoin and Bancor teams “responded promptly” and stopped trading on their platforms. This likely means that the hacker was sending the stolen funds to these exchanges in order to swap the loot for another cryptocurrency. Thankfully for customers, the funds were taken from Trade.io’s wallet, and not from wallets belonging to users. These tokens were held by Trade.io to provide liquidity to their exchange, and also to fund the development of the company.
It’s currently unclear how Trade.io was hacked.
In the quote above, they explain that the funds were stored in a cold storage unit. These cold wallets, when operated correctly, are nearly impossible to crack. It’s possible that the hacker got into their cold wallets, but unlikely. Trade.io CEO Jim Preissler explains that the cold wallets were stored in safety deposit boxes in banks, and that “we have confirmed that the safety deposit boxes were not compromised.”
If there were no problems with their storage, then it’s possible that the hacker found an exploit in the token’s smart contract. In a similar way to what happened in the Ethereum DAO Hack, the hacker might have identified a loophole in the token contract that allowed them to withdraw tokens without owning them.
As with The DAO hack, the Trade.io team is planning to fork their token. The new token will be named TIOx. No details have been announced as of today, but it seems that the forked token will return the stolen coins to Trade.io.