Dear Polkadot Community,
As referenced by the account address provided, we are responsible for the whitelist call proposal regarding the Parallel Finance governance takeover, as noted in Polkadot Referendum #1322.
We would like to clarify our action against Parallel Finance: given the current vote process, we anticipate our failure in that regard. While we are committed to returning the sudo privileges to the proper owners, we must emphasize that we should not return control to the Parallel Finance team. This decision is based on evidence of significant fraudulent activities carried out by the team months prior to our actions.
They are fearful of being discovered and have even decided to remove their Polkadot identity information on Subscan. However, it's not a problem for us, as we have recorded them.
Evidence suggests that Parallel Finance may have begun executing a rug pull as early as April, though our investigation only covers activities starting from April due to time constraints. Our attack only became effective beginning around Parallel Finance block 6990839-2, on around October 31, 2024.
We will list the following addresses at first:
Parallel Finance 1 (PF1): The technical and general council account controlled by Yubo p8BDTWhQXouTCuVSSQTSYYDCxAC523iDZXNS9zT8ujgvnbyBh
Parallel Finance 2 (PF2): Parallel Finance ancient sudo account, current General Council p8FhJ2kCvAtetismfbfgLBeGwBknFuqT77L9nJXdLTvct35HD, assumed to be controlled by Yubo, to stay 2/3 control of GC.
Current Technical council (TC3): Existing on parallel network only, controlled by Yubo, to stay 2/3 control of TC. p8GZVea2tDJ8s8JY8wWw3heHycetNXmvRnMnncF8VNpfKae77
0xrjman (based on github activity): A key engineer and tech+general council member whose activities appear to be at the heart of many illicit operations p8DShFJGrR5GNZoMvVUMc498Yh1SyuZYntRmnzrwm8t2eTctG
0xrjman is a highly capable individual, and this account serves as an Oracle script account responsible for updating key data, such as the Oracle feedValue extrinsic. The account's activity is designed to enhance privacy by integrating governance and sensitive transactions within a high volume of other transactions, effectively shielding them under a large number of inconspicuous operations.
Parallel Finance 3 (PF3) p8ES3KZSGYNLDyRKpGMKZN7iTQzZfNte1g14S4wh562qn6eUv
Parachain Finance 4 (PF4), The asset manager for all tokens, endowed with the authority to mint and burn tokens of all types. p8ENzw1bAMXwkUHKySWPhDwD4tN3y4u3DrdAnArS8MBx7MRHP
Parachain Finance 5 (PF5), A substantial amount of funds have been transferred from this account to Binance/other exchange. p8F7wLP9JBWrurpuQD6ctb9p7ns2M5YL25DFsyw8cAUQ4v7rn https://polkadot.subscan.io/account/15BNvxBSi3oZewUURMLHDCzGRbwjhQaf6gRPXSjFA8jRumiK?tab=transfer
Parallel Finance 6 (PF6), A substantial amount of funds have been transferred from this account to Binance/other exchange. p8GLeJ7fK6Vb8mWPofUHNYjLDzD87jw3pGWD4dEfAZjqL5GYd https://polkadot.subscan.io/account/16Q5tghTd2XnZcxssizmAnWNcx3WMoJTHyNaAkFoZQAh4w3q?tab=transfer
The identity of the above account can be verified through multiple methods, even if all identifying information, including the Parallel Finance Project address label on Subscan, is removed.
For instance, to confirm PF1 https://polkadot.subscan.io/account_list?role=multisigMember&account=152JHcbqqzhWdcz88GLk4n2wYyhfZq6CjxTQa8TbXJxnDZHJ
However, this account was previously labeled as the 'Parallel Finance' multisig, which contains several prominent leaders and organizations from the Polkadot ecosystem, unrelated to Parallel Finance.
e.g.
OnFinality.io
Hanwen, founder of Litentry network
Yaoqi, Marketing Director of Parity Asia, Altlayer founder
QinWen, Polkadot web3 Foundation Councilor
Sota, founder of Astar network
They can provide testimony that the account belongs to Parallel Finance.
PF1's Polkadot-format address 1Gu7GSgLSPrhc1Wci9wAGP6nvzQfaUCYqbfXxjYjMG9bob6 is among the multisig.
Based on our knowledge, Parallel Finance is involved in the following activities:
(1) Disable the Statescan/Subscan explorer service support and conduct the XCM token transfer discreetly, as Subscan does not display XCM transfers from parachains to Polkadot when the parachain is unsupported by Subscan.
(2) Secret Minting and Burning of cDOT Tokens: Transactions indicate the minting of cDOT tokens to self-controlled addresses around May. The Parallel Team announced the closure of the crowdloan service for cDOT-6/13, cDOT-7/14, cDOT-8/15, and cDOT-9/16 on July 19. The corresponding function was offline by August 1, followed by a massive burning of users' existing cDOT tokens by GC, which suggests evidence of Parallel Finance burning user positions instead of returning funds.
(3) Using the general council to remove the balance lock on Yubo's account loan position, recreate the borrowing, and transfer the corresponding DOT to Binance. Subsequently, applying the same general council process to reimpose the lock, effectively emptying it.
(4) mint sDOT to self, and do unstaking cheating, mint USDT to self
(5) mint GLMR, ACA and other parachain’s assets, noticed by Moonbeam team.
(6) Covertly modify the market collateral ratio requirements for lending and borrowing multiple times, followed by the mass execution of liquidations on users' positions.
The evidence provided here is just a small sample of numerous transactions. We have selected only a few due to time constraints, as conducting a thorough analysis from the raw data is not feasible at the moment.
For (2) Secret minting cDot parallel finance block
5930448-2 2024/05 Asset manager PF5 mint PF6 c8-15
5930457-2 2024/05 PF6 crowdloan redeem 100k DOT
5930462-2 2024/05 PF6 transfer DOT to self on polkadot
5931463-2 2024/05 Asset manager PF5 mint PF6 c8-15
5931484-2 2024/05 PF6 crowdloan redeem 100k DOT
5931495-2 2024/05 PF6 transfer DOT to self on polkadot
5934704-2 2024/05 Asset manager PF5 mint PF6 c8-15
5934989-2 2024/05 Asset manager PF5 mint PF6 c7-14
5934991-2 2024/05 PF6 crowdloan redeem 100k DOT
5934998-2 2024/05 PF6 transfer DOT to self polkadot
Burning user position:
6529428-2 The burn operation, executed by 0xrjman, is a single sample. This extrinsic is combined with oracle feed values.
There are simply too many mint/burn operations to keep track of. While they may argue, they will return if the user requests it; they’ve just chosen a poor approach. But how can a user track their previous position?
Checking PF5 and PF6 on Polkadot will reveal more insights. The cash flow provides a good summary, though it lacks a detailed breakdown of the affected users.
For (3) Remove democracy lock of loan position
This account is possibly controlled by Yubo. https://polkadot.subscan.io/account/12VhSPt4Lz6d9DWT1s2kTFkpomir3x5GgZNqUW2MnFf9g8z7?tab=transfer p8CSFqpqupT9yM6wNocKMqCagB2oTS5pdf6DKvzRinbKngQZB
5740643-2 2024/04 general council proposed by PF1, remove yubo account balance lock
5740650-2 PF1 vote yes,
5740653-2 TC3 vote yes
5740659-2 PF4 close and execute proposal (so here you may say PF4, asset manager is controlled by Yubo)
5740671-3 Lock removed, so yubo account minting loan position
5740681-4 Yubo XCM transfer borrowed DOT to Polkadot and directly to binance
5740684-2 general council proposed by PF1, set lock back
Everything happened within 10 minutes. This is not the only instance of cheating. As far as we can tell, the following account uses the same pattern (removing the lock method) to evade detection: p8B3QXweBQKzu8DhkggwJqFkUVQ53kB1RejtFQ8q3JMSFqqMd
For (4) mint sDOT cheat
6822134-2 2024/09/29 PF4 asset manager mint 30000 DOT equal sDOT to p8B3CQTp3mAZWQ9ikcDEjmS6ufphivZbpQ9NAx983UVvRqFhK
6822143-2 2024/09/29 unstake
6834989-2 2024/10/2 PF4 asset manager mint 30000 DOT equal sDOT to p8B3QXweBQKzu8DhkggwJqFkUVQ53kB1RejtFQ8q3JMSFqqMd
6834991-2 2024/10/2 unstake
mint USDT cheat
6901070-2 2024/10/14 PF4 asset manager mint p8B3CQTp3mAZWQ9ikcDEjmS6ufphivZbpQ9NAx983UVvRqFhK 30000 DOT equal sDOT and 120000 USDT
6868169-3 2024/10/08 PF4 asset manager minting PF6 the following asset 51391 DOT 31212 USDT 150000 sDOT 10787 ACA 146 GLMR
For (5) Attacking other parachain token
6900855-2 2024/10/14 PF4 asset manager minting 140K GLMR to 0xrjman.
Moonbeam is so great: they responded and closed the XCM channel in just a couple of hours. https://forum.moonbeam.network/t/proposal-74-fast-track-proposal-to-secure-159k-glmr-in-response-to-potential-parallel-finance-chain-exploit/1898
All of the events mentioned above took place prior to the hacking incident and are completely unrelated to our activities.
(6) The tx are too many and each one is huge. We did not suggest using polkadot.js for viewing, since it will block your browser. We should wait until the explorer is back online.
Based on PF5, PF6 and other known cheating accounts, we estimate a sum of 2M+ DOT and other currencies (should be more than $16M given the current market price).
As highlighted by the Moonbeam team, the current RPC maintained by Parallel Finance is experiencing instability, and it remains unclear whether this is intentional.
In the event that Parallel Finance shuts down their RPC for verification and investigation, we hope that node providers such as OnFinality and Dwellir, alongside explorers like Statescan and Subscan, will collaborate to restore the explorer and ensure it remains online.
Yubo has a prior criminal record related to the failure to return user funds. https://cointelegraph.com/news/paraspace-team-clashes-with-ceo-over-alleged-whereabouts-of-protocol-funds
With respect to Thomas Schmidt and Jay Yao, we acknowledge that those who stand against unseen injustice are far nobler than we are. We disclose these matters only because doing so does not compromise our interests.
We will wait for the Polkadot Community's decision.
Threshold
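Added example, not part of the original post or of any project's code: the post above identifies PF1 by giving the same account in Parallel format (p8...) and in Polkadot format (1...). This sketch decodes an SS58 address, verifies its checksum and re-encodes the same public key under another network prefix, so such a claim can be checked offline. The prefix values 172 (Parallel) and 0 (Polkadot) and all function names are assumptions of this example.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PARALLEL, POLKADOT = 172, 0  # assumed SS58 network prefixes

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 character
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def _checksum(body):
    return hashlib.blake2b(b"SS58PRE" + body, digest_size=64).digest()[:2]

def ss58_decode(addr):
    """Return (network prefix, 32-byte public key); ValueError if malformed."""
    raw = b58decode(addr)
    plen = len(raw) - 34  # 32-byte key + 2-byte checksum leaves the prefix
    if plen not in (1, 2) or raw[0] >= 128 or (raw[0] < 64) != (plen == 1):
        raise ValueError("not a 32-byte SS58 account address")
    if _checksum(raw[:-2]) != raw[-2:]:
        raise ValueError("bad SS58 checksum")
    if plen == 1:
        return raw[0], raw[1:33]
    prefix = (((raw[0] << 2) | (raw[1] >> 6)) & 0xFF) | ((raw[1] & 0x3F) << 8)
    return prefix, raw[2:34]

def ss58_encode(prefix, pubkey):
    if len(pubkey) != 32 or not 0 <= prefix < 16384:
        raise ValueError("need a 32-byte key and a prefix below 16384")
    head = bytes([prefix]) if prefix < 64 else bytes(
        [((prefix & 0xFC) >> 2) | 0x40, (prefix >> 8) | ((prefix & 3) << 6)])
    return b58encode(head + pubkey + _checksum(head + pubkey))

def reencode(addr, prefix):
    """Same public key, shown in another network's address format."""
    return ss58_encode(prefix, ss58_decode(addr)[1])

if __name__ == "__main__":
    # PF1's Polkadot-format address as quoted in the post; compare the output
    # with the p8... string the post gives for the same account.
    print(reencode("1Gu7GSgLSPrhc1Wci9wAGP6nvzQfaUCYqbfXxjYjMG9bob6", PARALLEL))
```

Two address strings belong to the same account only if they decode to the same 32-byte key; a matching label on an explorer is not needed for that check.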
Thank you for the detailed information.
As a community we need time to verify all information. As a sign of good faith and in order for the tokens not to be moved, I think it is a good idea for you to rebond all DOT tokens unbonding in the current accounts. It is sensible to keep the tokens in the same place, until this is clear.
Hello everyone:
Just in case there is a need for an RPC connection to the archive of Parallel chain, feel free to use the following temporary ones:
https://parallel.gatotech.network, and wss://parallel.gatotech.network
regards...
Alice und Bob affiliated hot wallet here. (Currently on the go)
Thank you for the responsible disclosure.
Would you be willing to negotiate a return of funds to victims not affiliated with Parallel?