Issue
On 2022.5.10, at 18:40, 18:42 and 18:54 UTC respectively, 70 million N3DRs were sold by hackers. The security company Blocksec monitored the exploit.
As explained by the Neorder team: “The current situation is that the hacker has cracked the dynamic private key by viewing the source code and continuous attack cracking, and through this private key first stole 79 million locked in team.finance at 18:40 UTC+, and then continued the attack 2 times and sold it.”
Issue Type: Insider job / Rug pull.
Code audited by QuillAudits: https://github.com/neorder-io/contracts (currently publicly inaccessible)
Commit ID: 9cb33d1f06528ace02fd5c71ab994ab41c81455e
We found that the deployed N3DR contract has some changes, including an emergencilyTransfer() function which was not available in the audit scope.
Address of the deployed N3DR contract which has emergencilyTransfer(): https://bscscan.com/address/0xa01c017b467eC041806702F7B44822Eb76183Eaa#readContract
emergencilyTransfer: The function is protected with the onlyOperator modifier and hence can be called only by the operator.
Using emergencilyTransfer, the address which has operator privileges can transfer tokens from any address to any other address.
The address 0xd0dee0178d9373ff6c2f780b3b13f617aa7b0cbd has operator privileges.
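
The gap described above, a function in the deployed contract that was not in the audited commit, can be caught by diffing the deployed ABI against the ABI built from the audited source. The following is an added example, not code from QuillAudits or Neorder; both ABIs are constructed samples, and the parameter list of emergencilyTransfer and the operator() getter are assumptions.

```python
import json

# Constructed sample ABIs, not the real N3DR ABI. The parameter list of
# emergencilyTransfer and the operator() getter are assumptions.
AUDITED_ABI = json.loads("""[
 {"type":"function","name":"balanceOf","stateMutability":"view",
  "inputs":[{"type":"address"}]},
 {"type":"function","name":"transfer","stateMutability":"nonpayable",
  "inputs":[{"type":"address"},{"type":"uint256"}]}
]""")
DEPLOYED_ABI = AUDITED_ABI + json.loads("""[
 {"type":"function","name":"operator","stateMutability":"view","inputs":[]},
 {"type":"function","name":"emergencilyTransfer","stateMutability":"nonpayable",
  "inputs":[{"type":"address"},{"type":"address"},{"type":"uint256"}]}
]""")


def canonical_type(param):
    """Return the ABI type string, expanding tuples to (t1,t2,...) form."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param["components"])
        return "(" + inner + ")" + t[len("tuple"):]  # keep any [] suffix
    return t


def signatures(abi):
    """Map canonical function signature -> stateMutability."""
    sigs = {}
    for entry in abi:
        if entry.get("type") == "function":
            args = ",".join(canonical_type(p) for p in entry.get("inputs", []))
            sigs[f'{entry["name"]}({args})'] = entry.get("stateMutability", "nonpayable")
    return sigs


def out_of_scope(audited_abi, deployed_abi):
    """Return (all functions absent from the audit, the state-changing subset)."""
    audited, deployed = signatures(audited_abi), signatures(deployed_abi)
    added = sorted(s for s in deployed if s not in audited)
    state_changing = [s for s in added if deployed[s] not in ("view", "pure")]
    return added, state_changing


if __name__ == "__main__":
    added, state_changing = out_of_scope(AUDITED_ABI, DEPLOYED_ABI)
    print("not in audited ABI:", added)
    print("state-changing, review before trusting:", state_changing)
```

An ABI diff only catches added or re-typed functions; a changed body under an unchanged signature needs a bytecode or source comparison against the audited commit.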