IoTex Foundation pledges full reimbursement after $4.4 million bridge hack

The IoTeX Foundation has committed to providing full compensation to all users affected by last week’s $4.4 million bridge hack, as they pledged to use treasury funds to restore victims, whether or not IoTeX is able to recover the stolen assets from the attacker.

The announcement came from their third incident update, following IoTeX’s mainnet resuming full operations on February 24, after two days of security upgrades that permanently blacklisted 29 hacker addresses and froze around 45 million IOTX tokens.

The hack led to an immediate price dump of around 22%, dropping from $0.0054 to around $0.0042. The token has staged multiple attempts to reclaim pre-hack valuations, trading around $0.0048 currently.

Treasury-funded compensation regardless of recovery outcome

In its latest report, the IoTeX project stated that “The IoTeX Foundation will ensure every affected user receives 100% compensation.” 

They also developed a compensation framework dividing users into two tiers. 

• Tier 1 covers losses up to $10,000, which represents the vast majority of victims. They will receive full compensation immediately in stablecoins or native Ethereum assets.
• Tier 2 users with losses over $10,000 would receive their first $10,000 immediately, and their balances would be distributed over 12 months. They would also get a 10% bonus in annually staked IOTX, allowing them to receive 110% of their original losses.

The compensation process will begin on Friday, February 27, when IoTeX publishes its official Recovery Deposit Address and Claims Portal. 

Affected users must withdraw any bridged assets from DeFi protocols, transfer them to the Recovery Deposit Address in single transactions by asset type, and then submit claims with wallet addresses and transaction hashes.

The Foundation will then verify each claim against on-chain data before issuing compensation on Ethereum. However, users are warned not to split their balances or restructure holdings to circumvent tier thresholds, as such actions will result in flagged claims and loss of eligibility.

Mainnet upgrade permanently blocks attacker access

IoTeX mainnet has been fully operational since February 24, with Coinbase and MEXC among the first to restore full functionality. Afterwards, Binance and Upbit enabled withdrawals, while Bitget, Gate.io, OKX, Bithumb, KuCoin, HashKey Global, and BitMart are gradually coming back online. 

IoTeX coordinated with over 20 exchange partners and submitted formal documentation to DAXA (Korean Digital Asset Exchange Association).

The security patch froze around 45 million IOTX tokens held in attacker-controlled wallets. According to the project, “These funds are now permanently inaccessible to the attacker. No transaction involving these addresses will ever be processed again.”

IoTeX’s team also developed ioTrace to map the movement of stolen funds across blockchains in real time, allowing it to trace critical evidence across multiple chains, exchanges, and years of transaction history.

IoTeX also plans to make ioTrace open source so that other projects can launch independent investigations without depending on other vendors.

The Foundation also tracked more stolen assets across several chains. Apparently, the attacker swapped some tokens for 2,183 ETH, then converted the funds to Bitcoin (66.78 BTC) through THORChain. 

IoTeX identified four Bitcoin addresses currently holding the stolen assets and is coordinating with relevant exchanges to monitor for any potential deposit attempts.

Mainnet restored with frozen attacker funds in 24 hours 

When the ioTube bridge hack was detected on February 21, IoTeX went into action immediately. Apparently, the attacker compromised a validator owner’s private key on Ethereum, upgraded the contract to bypass all security checks before draining $4.4 million in reserves, and then minted 410 million CIOTX tokens.

Initial reports calculated figures as high as $8.8 million, but IoTeX stated that 99% of the minted tokens were locked or frozen, while only 0.4% were liquidated through DEXs. 

The CEO of IoTeX, Raullen Chai, also offered the hacker a 10% reward if they returned the other 90% of the stolen funds within two days. No one responded until the deadline passed yesterday.

However, by the next day, IoTeX’s mainnet was back online, and the development team deployed Mainnet v2.3.4 on February 24, after coordinating with 36 other network delegates to implement robust security measures.

The upgrade permanently blacklisted all 29 identified attacker wallet addresses at the blockchain protocol level, ensuring those addresses can never process another transaction again.

Long-term security plans put in place

Aside from the immediate mainnet upgrade, IoTeX is also implementing IIP-55, a governance protocol that will move bridge operations to a decentralized validator committee, thus eliminating the point of failure that enabled the attack.

The project also put various other measures in place, adding multi-signature and time-lock controls on privileged operations, an independent audit of the ioTube infrastructure, on-chain circuit breakers, credential management programs, and a bigger bug bounty program.

The smartest crypto minds already read our newsletter. Want in? Join them.