Our project was hacked, 2 million tokens stolen, liquidity drained, what next?

ItsNotSean

member

Activity: 70

Merit: 12

Quote from: throwaway_help on May 19, 2022, 08:04:49 AM

The contract was audited by a reputable company, so slim chance it has any vulnerabilities, more likely an end device was hacked, but we're still trying to determine that, also, my team doesn't have low technical knowledge, I'm just conducting my own investigation to present some solutions during our meeting.

Code audits are helpful but they are by no means definitive proof of anything. More than a few projects that were audited by established and respected teams have gone on to have exploits discovered upon release.

The most recent publicised one I can think of was critical exploit in MinSwap's smart contract(s) discovered by Wingriders (a competitor swap/dex on the Cardano network) once they went open source.

throwaway_help

newbie

Activity: 7

Merit: 0

Quote from: g-uid on May 19, 2022, 08:30:37 AM

Quote from: throwaway_help on May 19, 2022, 08:04:49 AM

Quote from: hugeblack on May 19, 2022, 08:00:07 AM

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

is there a possibility to cancel the tokens he stole without having to migrate to a new contract?

If there is a line in the smart contract that allows you to freeze funds, you will be able to do it even if the funds are in wallets. Otherwise, you will need to completely change the smart contract.

Generally, finding a vulnerability in a smart contract is not an easy so either your technical team has low technical knowledge or there is a possibility of an internal hack, in any case you need to study how the hack occurred to ensure that it does not happen again.

The contract was audited by a reputable company, so slim chance it has any vulnerabilities, more likely an end device was hacked, but we're still trying to determine that, also, my team doesn't have low technical knowledge, I'm just conducting my own investigation to present some solutions during our meeting.

suggest you share the contract if you want more informed opinions

I would be breaking my confidentiality agreement if I did so, I can't do that until the whole thing is public.

g-uid

member

Activity: 259

Merit: 18

Quote from: throwaway_help on May 19, 2022, 08:04:49 AM

Quote from: hugeblack on May 19, 2022, 08:00:07 AM

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

is there a possibility to cancel the tokens he stole without having to migrate to a new contract?

If there is a line in the smart contract that allows you to freeze funds, you will be able to do it even if the funds are in wallets. Otherwise, you will need to completely change the smart contract.

Generally, finding a vulnerability in a smart contract is not an easy so either your technical team has low technical knowledge or there is a possibility of an internal hack, in any case you need to study how the hack occurred to ensure that it does not happen again.

The contract was audited by a reputable company, so slim chance it has any vulnerabilities, more likely an end device was hacked, but we're still trying to determine that, also, my team doesn't have low technical knowledge, I'm just conducting my own investigation to present some solutions during our meeting.

suggest you share the contract if you want more informed opinions

throwaway_help

newbie

Activity: 7

Merit: 0

Quote from: hugeblack on May 19, 2022, 08:00:07 AM

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

is there a possibility to cancel the tokens he stole without having to migrate to a new contract?

If there is a line in the smart contract that allows you to freeze funds, you will be able to do it even if the funds are in wallets. Otherwise, you will need to completely change the smart contract.

Generally, finding a vulnerability in a smart contract is not an easy so either your technical team has low technical knowledge or there is a possibility of an internal hack, in any case you need to study how the hack occurred to ensure that it does not happen again.

The contract was audited by a reputable company, so slim chance it has any vulnerabilities, more likely an end device was hacked, but we're still trying to determine that, also, my team doesn't have low technical knowledge, I'm just conducting my own investigation to present some solutions during our meeting.

hugeblack

legendary

Activity: 2506

Merit: 3645

thechange.ltd - Exchange 250+ Coins With 0% Fees

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

is there a possibility to cancel the tokens he stole without having to migrate to a new contract?

If there is a line in the smart contract that allows you to freeze funds, you will be able to do it even if the funds are in wallets. Otherwise, you will need to completely change the smart contract.

Generally, finding a vulnerability in a smart contract is not an easy so either your technical team has low technical knowledge or there is a possibility of an internal hack, in any case you need to study how the hack occurred to ensure that it does not happen again.

throwaway_help

newbie

Activity: 7

Merit: 0

Quote from: masterrex on May 19, 2022, 06:38:19 AM

Damnit this incident is very common nowadays, and this is bad the negative side of Defi hype is full of exploits coming from different angles. Anyway, I think this is a technical question that's why it's better to ask this problem to someone who has that technical expertise about smart contract functions, But I believe some of the technical people are here on this forum so just wait for other users reply.

Yes my friend, this is why I asked here, I thought this is the best place to get an informed answer.

masterrex

full member

Activity: 1820

Merit: 107

Damnit this incident is very common nowadays, and this is bad the negative side of Defi hype is full of exploits coming from different angles. Anyway, I think this is a technical question that's why it's better to ask this problem to someone who has that technical expertise about smart contract functions, But I believe some of the technical people are here on this forum so just wait for other users reply.

vv181

legendary

Activity: 1932

Merit: 1273

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

~ is there a possibility to cancel the tokens he stole without having to migrate to a new contract? He used the tokens to drain our pool on the dex we're using, so it stands to reason that any liquidity we use to repopulate the pool will be drained in a similar manner.

There is none.

How could you expect such things is possible? especially since the attack vectors are unknown and even if it is known, the fund that have been lost has nearly zero chance to get it back. Have you heard if there is any vulnerability of another project that results in the funds can be retrieved back? I don't think so. Why exactly would you think that possible anyway.

asriloni

legendary

Activity: 3038

Merit: 1024

Leading Crypto Sports Betting & Casino Platform

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

So like the title says, our project got hacked, we don't even know the attack vector, how the wallets were accessed and the funds drained, we hired a security company and we're waiting on their report and following up with legal action as soon as we have some answers and IP addresses.

Im feeling so bad with it. It seems like that hacked may have drained the whole of funds in the wallet, right?
There shall be a vulnerability in the code, this may be right as your wallet can be accessed. This pretty similar thing with what happened with vulcan forged.

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

For now, I - a non-technical member of the team- have a question, is there a possibility to cancel the tokens he stole without having to migrate to a new contract? He used the tokens to drain our pool on the dex we're using, so it stands to reason that any liquidity we use to repopulate the pool will be drained in a similar manner.

No chance for this. That's why as developers and you must also put very important function to your smartcontract to avoid this like frozen or blocking function into your smartcontract. if your smartcontract didn't contain this function and that's impossible to cancel the tokens.

throwaway_help

newbie

Activity: 7

Merit: 0

Quote from: g-uid on May 18, 2022, 09:46:47 AM

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

So like the title says, our project got hacked, we don't even know the attack vector, how the wallets were accessed and the funds drained, we hired a security company and we're waiting on their report and following up with legal action as soon as we have some answers and IP addresses.

For now, I - a non-technical member of the team- have a question, is there a possibility to cancel the tokens he stole without having to migrate to a new contract? He used the tokens to drain our pool on the dex we're using, so it stands to reason that any liquidity we use to repopulate the pool will be drained in a similar manner.

depends on a number of variables. without details of the token/contract one cannot say for sure.

"we don't even know the attack vector"
how well do you know your team?

Well, I know my team fairly well and can access most of the data I need, what more details would you need to know something like this?
I'm merely asking about the possibility of canceling tokens associated with a certain address.

throwaway_help

newbie

Activity: 7

Merit: 0

Quote from: Bitstar_coin on May 18, 2022, 10:07:42 AM

"How well do you know your team?" That's the big question and probably one of the important aspects of a hacking case. People form teams from different parts of the world with different professions so obviously, you can only know them through their online profiles (thanks to LinkedIn) but you don't actually know the motives of these People and how trusted they are.
My point is, perhaps this is an inside job.

Am not a tech person but I understand that the best way is changing the smart contract address to render the stolen tokens useless or ask the dex for help by stopping trading so they can trace and block that address assuming this only trading in this dex.

Changing the contract address at this stage would probably cost us more than the theft itself did, so we're leaving this nuclear option as a last resort.

Bitstar_coin

hero member

Activity: 2408

Merit: 693

SecureShift.io | Crypto-Exchange

"How well do you know your team?" That's the big question and probably one of the important aspects of a hacking case. People form teams from different parts of the world with different professions so obviously, you can only know them through their online profiles (thanks to LinkedIn) but you don't actually know the motives of these People and how trusted they are.
My point is, perhaps this is an inside job.

Am not a tech person but I understand that the best way is changing the smart contract address to render the stolen tokens useless or ask the dex for help by stopping trading so they can trace and block that address assuming this only trading in this dex.

g-uid

member

Activity: 259

Merit: 18

Quote from: throwaway_help on May 18, 2022, 06:48:16 AM

So like the title says, our project got hacked, we don't even know the attack vector, how the wallets were accessed and the funds drained, we hired a security company and we're waiting on their report and following up with legal action as soon as we have some answers and IP addresses.

For now, I - a non-technical member of the team- have a question, is there a possibility to cancel the tokens he stole without having to migrate to a new contract? He used the tokens to drain our pool on the dex we're using, so it stands to reason that any liquidity we use to repopulate the pool will be drained in a similar manner.

depends on a number of variables. without details of the token/contract one cannot say for sure.

"we don't even know the attack vector"
how well do you know your team?

throwaway_help

newbie

Activity: 7

Merit: 0

So like the title says, our project got hacked, we don't even know the attack vector, how the wallets were accessed and the funds drained, we hired a security company and we're waiting on their report and following up with legal action as soon as we have some answers and IP addresses.

For now, I - a non-technical member of the team- have a question, is there a possibility to cancel the tokens he stole without having to migrate to a new contract? He used the tokens to drain our pool on the dex we're using, so it stands to reason that any liquidity we use to repopulate the pool will be drained in a similar manner.

Topic: Our project was hacked, 2 million tokens stolen, liquidity drained, what next? (Read 126 times)