Bifrost releases the technical investigation of the abnormal movement of BNC on July 6th.
They have determined that while their on-chain code has been rigorously audited and battle-tested, the security of their off-chain script code was overlooked.
The multi-signature script private key was stored in plain text on a configuration file of the hacked script server.
The automated fee replenishment script had a 100 BNC limit but no limit on call frequency, so it was easily circumvented by utilizing batch calls.
The 3/5 multi-signature for the script is useless because it is not verified during an automated multi-signature.
Bifrost is taking various steps to prevent future incidents from occurring, including comprehensively reviewing its off-chain code and moving its scripts on-chain where possible
