en
Back to the list

TrueUSD’s Security Breach Sparks Concerns Over Private Key Compromise

source-logo  cryptopotato.com 23 October 2023 16:04, UTC

According to ChainArgos, a blockchain intelligence firm, the situation surrounding TEURO has become increasingly complex. TrueUSD, the stablecoin company responsible for currencies like TUSD and TGBP, has publicly stated that they have no association with TEURO. However, it is undeniable that the TEURO contract was deployed using one of TrueUSD’s private keys, ChainArgos says.

TrueUSD confirmed a security breach as of the latest September 18, 2023 update. Considering that TEURO was deployed ten days prior, it raises a compelling hypothesis, according to the blockchain firm.

TrueUSD’s Private Key Vulnerability Exposed

ChainArgos argues that an entity appears to possess some of TrueUSD’s private keys, which suggests that TrueUSD may not have fully disclosed the extent of the security breach.

The $TEURO plot thickens:

Apparently TrueUSD (the stablecoin company behind things like $TUSD, $TGBP, etc) claims to “have zero affiliation” with $TEURO. However the $TEURO contract was inarguably deployed with one of TrueUSD’s private keys.

Given that TrueUSD has admitted… https://t.co/0wNLBeVVCQ pic.twitter.com/KEUgEY6Hff

— ChainArgos (@ChainArgos) October 23, 2023

Adding to the complexity is the curious case of TUSD minting. Notably, Justin Sun managed to mint a staggering $850 million worth of TUSD three days before the acknowledged hack.

ChainArgos said it is reasonable to consider that the reserves of TUSD, namely the bank accounts, might have been compromised by someone with access to the project’s private keys, which warrants scrutiny and investigation.

A user, @clickityclack5, pointed out that stealing money from a bank using private keys is impossible. They believe the stability of the peg will be tested in the upcoming days or weeks, and that will be the only way to assess the situation truly.

However, ChainArgos responded by emphasizing that TUSD has a connection to the bank in ways that most tokens aren’t. It could have significant implications if one successfully executes that crucial final wire transfer using compromised private keys.

Moreover, it’s crucial to remember that the hacker compromised private keys and individuals’ bank information and identification in this situation. Combined, these elements provide a substantial foundation for potential harm, particularly if TrueUSD opts to conceal the incident rather than report it, ChainArgos said.

TrueUSD’s Security Dilemma

Customers undergo stringent KYC/AML checks and possess predefined limits on minting and redemption. However, ChainArgos says if a malevolent entity gains access to TrueUSD’s private keys, the established limits might prove futile, potentially compromising the stability of the coin and the safety of customer funds.

Zachxbt, a blockchain sleuth, has come in support of the report, saying that if it is indeed the case that TEURO was not intentionally created as stated, it would suggest a potential compromise of the deployed private key, especially considering that the same entity responsible for deploying TUSD also deployed the TEURO contract.

1/3 If they legitimately did not create TEURO as stated then I would agree the deployed private key is probably compromised since the TUSD deployer also deployed the TEURO contract.

Following where they minted TEURO tokens is where things get a bit more interesting…

— ZachXBT (@zachxbt) October 23, 2023

The subsequent actions involving TEURO tokens add an intriguing layer to the situation: 0x465 transferred 2 million TEURO to 0x9132, which then facilitated the bridging of 13 ETH to Arbitrum and subsequently back to the Ethereum mainnet, ultimately ending up at 0x472. Notably, 0x472 also utilized the official TrueAUD deployer to establish a TrueChineseYuan contract within this transaction hash.


cryptopotato.com