Aark Digital Bounty Program: Help Us Recover Stolen Assets

Aark’s fund was exploited on Oct 25th 2024. The exploiter took 1,386,085.5 USDC and 24.143 ETH.

Aark is launching a Bounty Program to recover the stolen assets. We believe in the power of community collaboration and invite everyone to participate in helping us retrieve the funds.

Attack Incident Summary

User A had previously interacted with our team through Discord. On September 6th, 2024, User A contacted us again, claiming someone from our team had asked for their mnemonic phrase, which they had provided. User A alleged that the team had then stolen their funds. However, no one from our team ever requested a mnemonic; instead, it was Malicious Actor B, posing as a moderator in the Discord channel, who made the request. Malicious Actor B was promptly banned, but User A’s funds were already drained.

On October 25th 2024, the Aark LP pool was drained of 1,386,085.5 USDC and 24.143 ETH to User A’s wallet, then moving out to multiple others. We initially assumed that this was Malicious Actor B using both wallets, but this is where it gets tricky: transactions from Sept 6th to Oct 25th reveal that this wallet has been continuously claiming $AARK staking rewards, worth a few dollars, without withdrawing the entire staked amount even though most of the staked $AARK has been available for withdrawal. Why has neither User A nor Malicious Actor B not withdrawn the staked $AARK? User A’s wallet has also been active on OpenSea this entire period.

Incident Timeline

1. Upgrade to LP Manager Contract

• Block Number: 266421775
• Timestamp: Oct-22–2024 08:50:33 AM UTC
• Process:

1. During a routine GM token burn, we encountered a callback error due to a third-party contract modification.
2. To resolve this, we initiated a contract upgrade and GM delisting to adjust affected user balances.
3. Users holding GM were required to convert GM to USDC.
4. We ran a script to process these conversions, receiving inputs like target user, amount, token address, and decimals from event data.
5. While executing, a single user’s USD Value shifted erroneously from 0.498942 to 498,942 * (10 ^ 12), due to an incorrect balance update (not from a deployed contract error).
6. Transaction Link: Click Here

Response:

• Corrected the LP collateral balance for the affected user.
• Revalidated all records, confirming that this user was uniquely impacted.
• Restricted contract entry points to prevent further access.

2. Withdrawal from AARK Vault

• Arbiscan Link: Transaction History
• CSV File for Exported Transactions: Download CSV
• Total Withdrawals: 1,386,085.5 USDC & 24.143 ETH

Bounty Program Details

We’re offering a bounty for anyone who can help us locate and recover the missing funds and assist us.

Bounty 1: Track, Freeze, Retrieve the Assets or Report Entry to CEX

We offer rewards of up to 10,000 in USDC for actionable intelligence that directly leads to reporting the entry to CEX or freezing/retrieving the stolen assets.

Bounty 2: White Hat Recovery

For those who contribute to the successful recovery of the stolen assets, we will provide a 207,912.83 USDC and 3.62 ETH reward, or 15% of the stolen amount as a white hat incentive.

Some known associated wallet addresses are:

Pool Address: 0x7A5df878e195D09F1C0bbba702Cfdf0ac9d0a835

User A Wallet: 0x589197b4AFC9E50A2cc872540a3760C624BBF97c

Bounty Program Timeline and Deadlines

The bounty program will be active for 3 months from the date of this announcement. Depending on recovery progress, the program duration may be extended or shortened with or without notice.

Bounty Program Terms and Conditions

Eligibility

• The program is open to everyone.

Submission Requirements

• Participants must submit detailed information, including addresses, transactions, and tracking methodologies.
• All submissions should be sent to contact@aark.digital

Confidentiality

• Participants are required to keep their submissions confidential. Disclosure to third parties without Aark Digital’s consent is prohibited.

Verification Process

• Aark Digital’s security team will verify all submissions. Incomplete or partial information will not be eligible for rewards.

Specific Terms for Bounty 1

• Participants must provide clear evidence linking tracked addresses to the stolen funds.
• Submissions must include detailed transaction trails, blockchain analysis, and address associations.
• Rewards are contingent upon successful collaboration and the provision of actionable intelligence.

Specific Terms for Bounty 2

• Recovery efforts must follow legal guidelines.
• Participants must provide a step-by-step outline of the recovery process.
• Clear proof of recovery is required to claim the reward.

Disclaimers

• Aark Digital reserves the right to amend the program terms at any time.
• Participation does not establish an employment relationship with Aark Digital.
• Aark Digital will facilitate cooperation with law enforcement if required.

How to Participate

1. Register: Email contact@aark.digital with your participation intent.
2. Submit: Provide the required information via the registered email.
3. Review: Submissions will be reviewed within 72 hours, though this may extend due to submission volume.
4. For more details, please refer to Arkham Bounty Program.

Liability Waiver

By participating, participants waive any claims against Aark Digital and its affiliates regarding the bounty program. Aark Digital retains discretion over reward eligibility and disbursement.

• Home: https://aark.digital
• Twitter: https://twitter.com/aark_digital
• Discord: https://discord.gg/aarkdigital
• Docs: https://aark-digital.gitbook.io