BrincFi: Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade
Summary
BrincFi suffered a Staking / Yield incident on 2021-12-14, resulting in a loss of approximately $1M.
What happened
BrincFi's own Head of Development allegedly transferred ownership of the staking contract to himself, upgraded it with a `rescueTokens()` backdoor, and drained $1.1M — then retained a lawyer.
Linked factors
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; insider-introduced backdoor]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — malicious implementation upgrade was the attack vehicle]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- RD-F-027 — causal : ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- RD-F-032 — related : Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
- RD-F-043 — causal : ★ Admin = deployer EOA + no multisig transfer within 7 days [via cross-hack: Factor 24: Retained Developer Admin Role Post-Deployment]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — ownership transfer is an on-chain event; contract upgrade is an on-chain event]
- RD-F-122 — related : Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
- RD-F-123 — causal : ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
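The sequence under "What happened" (ownership transfer, then implementation upgrade, then outflow) is made of on-chain events, as RD-F-101 notes, so it can be matched in a log stream. The following is an added example, not code from BrincFi or from this record. It assumes the contract emits the OpenZeppelin `OwnershipTransferred` event and the ERC-1967 `Upgraded` event, which the page does not confirm; `detect_takeover`, the window size and all sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Event:          # one decoded log entry (constructed sample data below)
    block: int
    emitter: str      # contract that emitted the log
    name: str
    args: dict

def detect_takeover(events, watched, window=50_000):
    """Return an alert when `watched` changes owner and is then upgraded
    within `window` blocks; escalate if tokens then flow to the new owner."""
    owner = owner_block = upgrade_block = None
    drained = 0
    for ev in sorted(events, key=lambda e: e.block):
        if ev.emitter == watched and ev.name == "OwnershipTransferred":
            owner, owner_block = ev.args["newOwner"], ev.block
            upgrade_block, drained = None, 0      # restart the sequence
        elif owner is None or ev.block - owner_block > window:
            continue                              # no recent ownership change
        elif ev.emitter == watched and ev.name == "Upgraded":
            if upgrade_block is None:             # keep the first upgrade seen
                upgrade_block = ev.block
        elif (ev.name == "Transfer" and upgrade_block is not None
              and ev.args["from"] == watched and ev.args["to"] == owner):
            drained += ev.args["value"]           # outflow to the new owner
    if upgrade_block is None:
        return None
    return {"new_owner": owner,
            "blocks_between_transfer_and_upgrade": upgrade_block - owner_block,
            "drained": drained,
            "severity": "critical" if drained else "warning"}

# Constructed events; addresses and amounts are placeholders, not chain data.
STAKING, TOKEN, INSIDER = "0xSTAKING", "0xTOKEN", "0xNEW_OWNER"
SAMPLE = [
    Event(100, STAKING, "OwnershipTransferred",
          {"previousOwner": "0xDEPLOYER", "newOwner": INSIDER}),
    Event(105, STAKING, "Upgraded", {"implementation": "0xNEW_IMPL"}),
    Event(106, TOKEN, "Transfer", {"from": STAKING, "to": INSIDER, "value": 700}),
    Event(107, TOKEN, "Transfer", {"from": STAKING, "to": "0xUSER", "value": 5}),
    Event(108, TOKEN, "Transfer", {"from": STAKING, "to": INSIDER, "value": 400}),
]

if __name__ == "__main__":
    print(detect_takeover(SAMPLE, STAKING))
```

The "warning" state fires on the ownership change plus upgrade alone, before any funds move, which is the point at which a timelock (RD-F-032) would have given responders time to act.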