On 2022.5.10, at 18:40, 18:42 and 18:54 UTC respectively, 70 million N3DRs were sold by hackers. The security company Blocksec monitored the exploit.
As explained by the Neorder team, “The current situation is that the hacker has cracked the dynamic private key by viewing the source code and continuous attack cracking, and through this private key first stole 79 million locked in team.finance at 18:40 UTC+, and then continued the attack 2 times and sold it.”
Issue Type : Insider job / Rug pull.
Audited code by QuillAudits : https://github.com/neorder-io/contracts (currently publicly inaccessible)
Commit ID : 9cb33d1f06528ace02fd5c71ab994ab41c81455e
We found that the deployed N3DR contract has some changes, including an emergencilyTransfer() function which was not available in the audit scope.
The N3DR contract deployed address which has
emergencilyTransfer: The function is protected with the onlyOperator modifier and hence can be called only by the operator.
Using emergencilyTransfer, the address which has operator privileges can transfer tokens from any address to any other address.
[0xd0dee0178d9373ff6c2f780b3b13f617aa7b0cbd](https://bscscan.com/address/0xd0dee0178d9373ff6c2f780b3b13f617aa7b0cbd#code) has operator privileges.
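The finding above rests on comparing what was audited with what was deployed. The following is an added example, not code from QuillAudits or Neorder, that diffs the function set of an audited ABI against a deployed (verified) ABI and flags state-changing functions that were outside the audit scope. Both ABIs are constructed samples; the parameter list of emergencilyTransfer and the operator() getter are assumptions.

```python
import json

# Constructed ABIs, not the real N3DR ABI. The page names emergencilyTransfer
# but not its parameters; the (address,address,uint256) list is an assumption,
# and operator() is a hypothetical getter added to show a read-only finding.
AUDITED_ABI = json.loads("""[
 {"type": "function", "name": "transfer", "stateMutability": "nonpayable",
  "inputs": [{"type": "address"}, {"type": "uint256"}]},
 {"type": "function", "name": "balanceOf", "stateMutability": "view",
  "inputs": [{"type": "address"}]},
 {"type": "event", "name": "Transfer", "inputs": []}
]""")
DEPLOYED_ABI = AUDITED_ABI + json.loads("""[
 {"type": "function", "name": "emergencilyTransfer", "stateMutability": "nonpayable",
  "inputs": [{"type": "address"}, {"type": "address"}, {"type": "uint256"}]},
 {"type": "function", "name": "operator", "stateMutability": "view", "inputs": []}
]""")


def canonical_type(param):
    """ABI type string; tuples are expanded to (t1,t2,...) plus array suffix."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param.get("components", []))
        return f"({inner}){t[len('tuple'):]}"
    return t


def signatures(abi):
    """Map canonical signature -> stateMutability for each function entry."""
    sigs = {}
    for item in abi:
        if item.get("type") != "function":
            continue  # skip events, errors and the constructor
        args = ",".join(canonical_type(p) for p in item.get("inputs", []))
        sigs[f"{item['name']}({args})"] = item.get("stateMutability", "nonpayable")
    return sigs


def out_of_scope(audited_abi, deployed_abi):
    """Functions in the deployed ABI that the audited ABI does not contain."""
    audited, deployed = signatures(audited_abi), signatures(deployed_abi)
    return [
        {"signature": s, "state_changing": m not in ("view", "pure")}
        for s, m in sorted(deployed.items())
        if s not in audited
    ]
```

Any entry with state_changing set to True is a function that can alter balances or roles without having been reviewed, and should be read in the verified source before the deployment is treated as covered by the audit.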