A report in Bankinfosecurity said Queensland police had launched a criminal investigation into the case. The two companies settled out of court last week.
Limited details about the case have been made public, but more of the story emerged at last week's AusCERT conference on the Gold Coast when an officer with Queensland's Financial and Cyber Crime Group mentioned the criminal probe, keeping the names of the companies out of his talk but pointing to the case as one that illustrated the risks of doing business deals with cryptocurrencies.
Bankinfosecurity said it had consulted many security professionals to try to ascertain the details, and Rendition Infosec chief Jake Williams, a former NSA hacker, had discovered the business deal between Byte Power Group and Soar Labs. The details had been confirmed by the Queensland Police on Tuesday.
While the 49% stake was valued at US$5 million, Soar Labs only contributed US$100,000 in cash with the balance paid as 306 million soarcoins; at that time a soarcoin was worth US$0.016.
Problems arose in January this year, with Byte Power Group informing the ASX that 79.2 million soarcoins held by Byte Power Party and another 34.6 million soarcoins held by its chief executive, Alvin Phua, had been temporarily suspended.
Two days before this, Soar Labs had claimed that Byte Power Group had not sold the soarcoins it owned at "manageable levels" and was using what it obtained to pay off debts, which included pending salaries of directors.
The ASX was informed by Byte Power Group on 2 February that the soarcoins had been pilfered from its e-wallets on January; it said 214 million soarcoins worth about US$6.6 million at the time had been taken.
The Singapore High Court came into the picture when Byte Power Group sought and obtained an injunction against Soar Labs, freezing some of its bank accounts and e-wallets.
Soar Labs took the soarcoins by using a backdoor in the soarcoin code, according to Queensland Police. This was confirmed by a German company.
A spokesperson for Byte Power Group said it could not provide any more details apart from what it had provided to the ASX. But the spokesperson was willing to say that "the way in which the smart contracts were written allowed them [Soar Labs] to remove the coins, which the company itself wasn't aware of at the time until the coins were actually taken".
Bankinfosecurity said it had asked Nicholas Weaver, a researcher with the International Computer Science Institute, to look at the soarcoin code. He quickly discovered a zero-fee transaction function that could only be accessed by the owner of the smart contract – Soar Labs.
Said Weaver: "If I'm the account owner, I can call that function and transfer a balance from anybody to anybody. It's best described as a backdoor hiding in plain sight."
He added that the code meant the owner of the contract could rewrite balances at will.
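The pattern Weaver describes, an owner-only function that moves a balance between two caller-supplied addresses, is something a recipient can search a token contract for before accepting the token as payment. The Python audit heuristic below is an added example, not code from the report or from soarcoin; the Solidity sample, the names `balances`, `allowed` and `feeFreeMove`, and the `only*` modifier naming convention are assumptions.

```python
import re

# Constructed Solidity sample with hypothetical names; not the soarcoin source.
SAMPLE = """
contract Token {
    mapping(address => uint256) balances;
    mapping(address => mapping(address => uint256)) allowed;
    address owner;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function transfer(address to, uint256 amount) public {
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
    function transferFrom(address from, address to, uint256 amount) public {
        allowed[from][msg.sender] -= amount;
        balances[from] -= amount;
        balances[to] += amount;
    }
    function feeFreeMove(address from, address to, uint256 amount) public onlyOwner {
        balances[from] = balances[from].sub(amount);
        balances[to] = balances[to].add(amount);
    }
}
"""

def functions(src):
    """Yield (name, params, modifiers, body) per function, matching braces."""
    for m in re.finditer(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{", src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), src[m.end():i - 1]

def third_party_debits(src, ledger="balances", approvals="allowed"):
    """Flag functions that debit an address *parameter* with no allowance check."""
    findings = []
    for name, params, mods, body in functions(src):
        gate = re.search(r"\bonly\w+", mods)  # assumed naming convention for access modifiers
        for p in re.findall(r"address\s+(?:payable\s+)?(\w+)", params):
            debit = re.search(rf"{ledger}\[\s*{p}\s*\]\s*(?:-=|=[^=;]*(?:-|\.sub\())", body)
            approved = re.search(rf"{approvals}\[\s*{p}\s*\]", body)
            if debit and not approved:
                findings.append((name, p, gate.group(0) if gate else "ungated"))
    return findings

if __name__ == "__main__":
    for name, param, gate in third_party_debits(SAMPLE):
        print(f"{name}: debits caller-chosen address '{param}' ({gate}), no allowance check")
```

A hit is a prompt for manual review, not proof of a backdoor: the heuristic only recognises the `-=`, `- x` and `.sub(` debit forms and will miss balance writes done through helper functions or inline assembly.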
Under a settlement reached by the two companies, Soar Labs will transfer its 49% stake in Byte Power Party to Byte Power Group, pay US$1.7 million and also give Byte Power Group five million soarcoins.