ioTube Security Incident Update No. 3: Full Recovery & Compensation Plan

This is our third update following the ioTube bridge security incident on February 21 and Mainnet v2.3.4 activation on February 24. The IoTeX team has been working around the clock with major exchanges, security experts, and global law enforcement to trace and recover the stolen funds. While the IoTeX L1 was unaffected by the incident and remains secure, we recognize the real impact this incident has had on ioTube users.
Regardless of the recovery outcome, the IoTeX Foundation is committed to making all affected users whole, ensuring every affected user receives 100% compensation. This blog outlines a definitive compensation plan to provide immediate relief to the vast majority of community users while maintaining the long-term stability and sustainability of the ecosystem.
Investigation & Asset Recovery Update
Since the security incident, the IoTeX Foundation has taken immediate and aggressive action to track and recover the affected assets. Full details of our investigation and asset recovery status can be found in this blog, and are summarized below.
- On-Chain Tracing: 100% of stolen fund movements have been successfully traced. We are monitoring the addresses holding the stolen funds 24/7 in coordination with exchanges and security firms.
➔ CIOTX: Out of the 410M unauthorized CIOTX minted by the attacker, 86%+ is permanently locked/frozen via chain-level controls deployed in Mainnet v2.3.4, while 12.8% has been traced to Binance and effectively frozen. Only 0.4% (1.7M CIOTX) swapped via DEX is considered at risk.
➔ Bridge Reserve Assets (USDC, USDT, WBTC, ETH): The stolen bridge reserve assets were converted to ~2,183 ETH, of which ~1,572 ETH was bridged to Bitcoin via THORChain. All 4 Bitcoin addresses holding 66.78 BTC in total are under 24/7 monitoring. These funds remain unspent.
- Whitehat Bounty: We have issued an open on-chain message to the attacker offering a 10% Whitehat Bounty in exchange for the safe return of the stolen funds. The window for this offer closes February 25. After that, every legal, technical, and investigative tool at our disposal will be deployed without reservation.
- Law Enforcement & Security Partners: Formal reports have been filed with the FBI and global law enforcement partners. We are actively cooperating on preservation requests and asset freeze actions across every relevant platform.
Full Compensation Plan & Eligibility
⭐️ Eligibility Criteria: Any wallet owner with legitimate bridged assets from Ethereum (USDC, USDT, ETH, WBTC) held on IoTeX L1 at the time of the incident will be eligible for full compensation.
The IoTeX Foundation will ensure every affected user receives 100% compensation. To maximize the number of users made whole immediately, we are implementing a tiered compensation model:
Tier 1: Immediate Full Recovery
- Eligibility: Total affected balance up to $10,000 USD (equivalent).
- Resolution: 100% of lost assets will be claimable in stablecoins or native assets on Ethereum upon launch of the Claims Portal.
- Impact: Tier 1 covers >90% of affected users, ensuring the vast majority of the IoTeX community receives immediate compensation.
Tier 2: Staged Full Recovery (with bonus)
- Eligibility: Total affected balance exceeding $10,000 USD (equivalent).
- Resolution: The first $10,000 will be available for immediate claim upon launch of the Claims Portal. The exceeding balance will be distributed in equal quarterly tranches over 12 months. Tier 2 claimants will also receive an additional 10% bonus paid in 12-month staked IOTX as further compensation for the staged payback period.
- Impact: Tier 2 ensures the ~10% of users with >$10,000 of impacted funds are compensated 110% of the impacted value over time, while maintaining the long-term stability of the IoTeX Network.
Note: any addresses identified by security partners as belonging to the attacker, associated with exploit entities, or participating in post-exploit arbitrage will not be eligible for compensation.
Claims Portal & Recovery Process
To ensure a verifiable and streamlined process to make all affected users whole, the IoTeX Foundation is launching a Recovery Deposit Address and Claims Portal that will allow affected users to request and receive compensation in a secure fashion. These will go live on Friday, February 27.
At a high level, the Recovery Deposit Address on the IoTeX blockchain will serve as the deposit hub for the bridged assets (IoTeX-side) that mirror the affected assets (Ethereum-side) that were stolen. Once the bridged assets (IoTeX-side) are transferred to the Recovery Deposit Address, affected users will submit a claim via the Claims Portal with information regarding their wallet, impacted asset(s), deposit transaction hash(es), and contact info. Once the claim is verified, the IoTeX Foundation will issue the equivalent amount of deposited assets on the Ethereum blockchain to affected users. The end-to-end process is detailed below.
Step 1: Official Recovery Deposit Address & Claims Portal Link
The IoTeX Foundation will share an official Recovery Deposit Address and Claims Portal link through verified channels (official IoTeX website, Twitter/X, Discord, and Telegram) on Friday, February 27.
⚠️ SECURITY WARNING: Never trust any information sent via DM or from unverified sources. Verify the address and link across at least two official IoTeX channels before proceeding.
Step 2: Asset Preparation & Deposit
- Withdraw Assets: If your affected bridged assets (WBTC, ETH, USDC, USDT) are currently deployed in DeFi protocols on IoTeX (such as lending platforms or liquidity pools), please withdraw them back to your IoTeX wallet. If your assets are already in your IoTeX wallet, you may skip this step.
- Wallet Check: Make sure you have access to your IoTeX wallet address on the Ethereum blockchain, as compensation will be made to the same wallet address on Ethereum. If you cannot readily access your IoTeX wallet address on Ethereum (e.g., Ledger users), transfer your assets to a single new IoTeX wallet that is accessible on both IoTeX and Ethereum. DO NOT split your individual asset balances into multiple wallets (e.g., 100 USDT -> 50 USDT, 25 USDT, 25 USDT), as this will result in loss of eligibility.
- Transfer: Send the affected bridged assets directly from your IoTeX wallet to the designated Recovery Deposit Address in a single transaction per asset type (e.g., only one transaction for ETH, only one transaction for WBTC, etc.) and record each individual transaction hash.
⚠️ COMPLIANCE NOTE: Before sending affected bridged assets to the Recovery Deposit Address, DO NOT split your asset balances into multiple wallets or restructure your assets to circumvent tier thresholds. Violation of these rules will result in flagged claims, delayed processing, or loss of eligibility. Any wallets linked to the exploiter or any post-exploit nefarious activities will be flagged as ineligible for compensation.
Step 3: Claim Submission
Once your deposit to the Recovery Deposit Address is confirmed on-chain, submit a formal claim through the Claims Portal after it goes live on Friday, February 27 with the following information:
- IoTeX wallet address that deposited assets to Recovery Deposit Address
- Asset types and amounts deposited to Recovery Deposit Address
- Transaction hashes of your deposits (one hash per asset type)
- Contact information (email, Telegram, and/or Discord)
Step 4: Verification & Payout
The IoTeX Foundation will review and verify each claim against the on-chain data and the actual deposit transactions made by each user. Compensation will then be made accordingly on the Ethereum blockchain based on the tiers noted above (i.e., Tier 1: ≤$10k, Tier 2: >$10k) once review and verification are completed.
Step 5: Ongoing Transparency
The Foundation will publish periodic Recovery Reports detailing the volume of claims received, the total value processed, and the status of remaining obligations.
A Message from the IoTeX Foundation
We take full responsibility for this incident, and we are moving with urgency to make every affected user whole. The IoTeX Foundation will hold an independent security audit of all bridge infrastructure and is committed to sharing findings openly and implementing structural safeguards to prevent this from ever happening again. The strength of any network is ultimately measured by how it responds to adversity, and we intend to set the standard.
Amidst this bridge exploit, the fundamentals of the IoTeX Network remain strong – the IoTeX L1 blockchain remains secure, our core team is intact and more committed than ever, and our community's passion to build the future of DePIN and Real-World AI is unwavering. The best days of IoTeX are still to come. Thank you for your patience and continued support.
- The IoTeX Foundation