On Jan 25, 2019, there was a successful double-spend attack on the Azart blockchain. Despite a requirement of 20 confirmations for deposits into the CryptoBridge gateway, 312,754 AZART coins were credited artificially. CryptoBridge increased required confirmations to 200 upon detection of this irregularity and closed deposit and withdrawal functionality immediately. This particular deposit event left CryptoBridge in fractional reserve, as the depositor immediately sold these for BTC and then made a withdrawal.
The explorer now supports the new chain, but the double spends had been verifiable here:
https://chain.azartpay.com/tx/5154c6d80d3cb2047abda3e5cd32c1b11f85323cfdbab154e35c62a423b5196e
https://chain.azartpay.com/tx/44f6ecad866a787660c4291d379005c06b7fb044c00563d55d540ce5ab731ba3
https://chain.azartpay.com/tx/dbb8c2fd5c26696a11c25317633abf3a16cdc445621199f2c8bf4b687259cc7a
https://chain.azartpay.com/tx/a48af7e1c80ee2326ff206c28da5fffa7d328ad72da6fef5fdb780bde1d6b9c2
https://chain.azartpay.com/tx/497d7ac32f9c0209bab8cd020fe7fb35284f27a63a0e8916011f5ef70a97627c
Here is the output from the daemon demonstrating the double-spend:
The following are links demonstrating the attacker(s) having deposited double-spent coins, which were then sold for BTC without delay.
Per our listing policy and terms of service, we require projects to reimburse the gateway with the sum created in such an exploit to ensure users are able to withdraw their assets. The Azart developers were made aware of this both before and after the exploit and had implicitly agreed to such terms at the time of payment for the listing. A swap was suggested (to be implemented at no cost) so the only cost incurred would be in the form of labor and not require the use of funds.
Representatives from Azart were made aware of this event and that they were responsible for providing compensation; however, they either chose to ignore or did not comprehend this fact and stated it was entirely an error and liability for CryptoBridge to correct. At this point, Azart was instructed to contact our legal representation. They then proposed to proceed with the previously suggested coin swap. We reminded them of having offered to waive our fee for doing so to ease the process and arrive quickly at a solution.
Here is the transaction wherein CryptoBridge transferred the remaining wallet balance for the swap:
The Azart team received the remaining coins left in our gateway in anticipation of the swap; however, they never sent new coins to replenish the supply. Azart requested information related to the attacker, which we are not permitted to submit without a police report having been filed. Azart then requested trading be stopped (which is not possible) and then abandoned the conversation. Later they chose to accuse us, instead, of having carried out the attack.
We attempted to engage the Azart team several more times. When reminded of the terms of service, Azart team members refuted its legitimacy and then posted inflammatory and slanderous posts on the BitcoinTalk.org forum and the CryptoBridge subreddit.
Our team again engaged representatives from Azart to attempt to complete the swap as originally discussed; however, no reasonable semblance of communication could be established. Azart maintains that CryptoBridge is the source of the exploit but is unable to document any credible evidence to support such a claim. Pursuant to threats of litigation made by Azart, CryptoBridge requested they provide contact information for their legal representatives so we could connect them with our counsel. None were supplied.
Azart has effectively run off with our users’ coins.
Azart then chose to reimburse our users through another gateway, and everyone has received an asset, DEXAS.AZART; if not, they should contact AZART directly. BRIDGE.AZART is no longer backed by any legitimate coins and we do not accept any liability as we were defrauded/stolen from.
We have now determined that there will be no cooperative solution to pursue the swap as originally suggested by the Azart team and will absorb the damages caused by this event to ensure that our users are able to withdraw their Azart coins as soon as possible. We have no further recourse but to take this step, as well as concurrent legal action, to maintain the highest quality experience possible for our users. We will be working to resolve the disparity in balances as soon as possible and appreciate our users' understanding of the delay.
At this time, not all users have been reimbursed by Azart despite their claim that they would reimburse everyone.