Bittensor identifies vulnerability behind $8 million exploit in post-mortem

The Block, 2024/07/04 11:46
By: The Block

Quick Take: Bittensor has identified the issue behind an $8 million security exploit involving certain network wallets. In a post-mortem, the Opentensor Foundation said the attack was traced back to a malicious package upload.

The Opentensor Foundation (OTF), the organization behind the decentralized AI project Bittensor (TAO), has identified the root cause of an $8 million security exploit on Bittensor wallets, attributing it to a malicious package upload in a post-mortem report.

The attack began at 7:06 p.m. UTC on July 2, according to the foundation, with the attacker draining funds from the affected Bittensor wallets to their own. OTF detected an “abnormality in transfer volume” at 7:26 p.m., subsequently placing the network validators behind a firewall in “safe mode” at 7:41 p.m. to prevent any nodes from connecting to the chain, halting transactions, and allowing the team time to investigate.

“The attack was traced back to the PyPi Package Manager version 6.12.2, where a malicious package was uploaded, compromising user security,” the OTF wrote.

The Bittensor PyPI package is a Python library that enables interaction with the Bittensor network. The malicious version, masquerading as the legitimate Bittensor package, contained code designed to steal private keys, the foundation said. When users downloaded the package and decrypted their keys, the key material was sent to a remote server controlled by the attacker, allowing them to steal funds from the victims.

Anyone who downloaded the malicious package between May 22 and May 29 and then performed certain staking, voting power delegation or transfer operations was likely affected by the vulnerability, according to the OTF.

Those who did not perform these operations or were using a third-party application are unlikely to have been affected, it added, stating the attack did not affect the blockchain itself, and the underlying Bittensor protocol remains “uncompromised and secure.”
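A dependency audit of the kind a defender would run after reading the post-mortem, added here as an example and not code from the Opentensor Foundation or the article: it flags an installed distribution whose version is the one named as malicious, checks installed versions and downloaded artifact hashes against a hash-pinned lockfile, and can snapshot the live environment. The lockfile format (single-line `name==ver --hash=sha256:...`), the pinned version 6.12.3 and the artifact bytes are constructed placeholders, not real Bittensor releases or hashes.

```python
"""Audit installed packages against a known-bad version and a hash-pinned lockfile."""
import hashlib
import re
from importlib import metadata

# Release the Opentensor post-mortem names as malicious (from the article).
KNOWN_BAD = {("bittensor", "6.12.2")}

# One pip-style requirement per line; multi-line backslash continuations are not handled.
LOCK_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)

# Constructed sample input: placeholder version and artifact bytes, not a real release.
SAMPLE_ARTIFACT = b"constructed wheel contents standing in for bittensor 6.12.3"
SAMPLE_LOCK = ("bittensor==6.12.3 --hash=sha256:"
               + hashlib.sha256(SAMPLE_ARTIFACT).hexdigest() + "\n")


def parse_lockfile(text):
    """Parse lock lines into {normalized name: (version, {sha256 hex digests})}."""
    lock = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_RE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        lock[m.group("name").lower()] = (m.group("ver"), hashes)
    return lock


def installed_versions():
    """Snapshot of the live environment: {normalized name: installed version}."""
    return {(d.metadata["Name"] or "").lower(): d.version for d in metadata.distributions()}


def audit(installed, lock, artifacts=None):
    """Return findings for known-bad versions, lock mismatches and artifact hash mismatches.
    installed: {name: version}; artifacts: {name: raw bytes of the downloaded wheel/sdist}."""
    findings = []
    for name, ver in installed.items():
        if (name, ver) in KNOWN_BAD:
            findings.append(f"{name}=={ver}: version named as malicious in the post-mortem")
        if name in lock and lock[name][0] != ver:
            findings.append(f"{name}=={ver}: lockfile pins {lock[name][0]}")
    for name, data in (artifacts or {}).items():
        digest = hashlib.sha256(data).hexdigest()
        if name in lock and lock[name][1] and digest not in lock[name][1]:
            findings.append(f"{name}: artifact sha256 {digest[:12]}... not in lockfile")
    return findings
```

Running `audit(installed_versions(), parse_lockfile(open("requirements.txt").read()))` against a real environment is the intended use; hash pinning only helps if the lockfile was generated from a release already known to be good.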

Mitigating the vulnerability and tracing the attacker

The OTF said it has removed the malicious 6.12.2 package from the PyPI repository and continues to review the Bittensor code on GitHub, claiming no other vulnerabilities have been identified so far.

After completing the code review, the OTF said the Bittensor blockchain will gradually resume normal operations, enabling users to make transactions again. According to a Bittensor block explorer, the last transaction was finalized around 35 hours ago.

The foundation recommended that affected users create a new wallet and transfer their funds once the blockchain resumes. It also advised upgrading to the latest version of Bittensor if they had not already done so.

The foundation added that it is working with several crypto exchanges and the broader Bittensor community to try and trace the attacker and potentially salvage victims’ funds.

The OTF said it would provide another update within 24 hours and would be enhancing its verification process, audit frequency, security standards and monitoring procedures in the future.

$8 million worth of TAO stolen

Bittensor core developers halted the blockchain network following the suspected security exploit, first noted by onchain analyst ZachXBT.

“Bittensor was halted due to additional thefts earlier today potentially as a result of private key leakage,” he explained in a Telegram update, adding that $8 million worth of TAO — approximately 32,000 native Bittensor (TAO) tokens — were stolen in the attack.

The incident contributed to a 15% decline in the TAO token's value to around $230 on Wednesday, according to The Block's Bittensor price page. TAO is currently trading for $227.59, down 3.5% over the past 24 hours.

TAO/USD price chart. Image: The Block/TradingView.
