IoTeX Bounty: 10% Bounty on Thief: Hacker will not be pursued if stolen assets are returned within 48 hours

BlockBeats News, February 24th, IoTeX announced that, in response to the hack of its cross-chain bridge ioTube, it would offer a 10% white-hat bounty (approximately $440,000) to the attacker, with the condition that approximately $4.4 million in stolen assets be returned within 48 hours, and promised not to pursue legal action.

The attack occurred on February 21st, stemming from the leak of the validator private key on the Ethereum side of ioTube, leading to unauthorized control of the bridge contract. IoTeX stated that this event was a security issue at the cross-chain bridge operation level and did not affect its Layer 1 mainnet or smart contracts themselves.

IoTeX co-founder and CEO Raullen Chai stated that the team had issued a non-liability statement to the attacker via on-chain messages, claiming to have traced the related fund flows, including approximately 66.6 BTC (around $4.3 million) held in multiple Bitcoin addresses. Meanwhile, the recharge addresses of relevant trading platforms have been flagged and frozen.

Security firm PeckShield estimated that the assets involved in this incident exceeded $8 million, with some assets being exchanged for ETH and cross-chain transferred to BTC via THORChain. IoTeX later revised the loss to approximately $4.3 million, stating that this figure did not include additional minted tokens.

IoTeX also announced the release of mainnet upgrade version v2.3.4, adding a default malicious address blacklist mechanism and requiring node operators to complete the upgrade promptly. The team stated that if the assets were not recovered, a compensation plan would be announced within 48 hours.