Decentr Swap Wallet Exploit TLDR

Decentr
3 min read · Oct 12, 2021

What happened?

On the 4th of October at 8:55am UTC, we received a notification from TrackTx that ~3.6m DEC had been transferred out of the Decentr ERC20 Swap wallet.

You can see this transaction here — https://etherscan.io/tx/0x99325CFAD0039D586B6B1B66F6B1A3F7EF55FEE6255183B81479DB4C63D0AF2B
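The notification described above came from a third-party monitoring service. The following is an added example, not Decentr's or TrackTx's code, of the check such a monitor performs: decode ERC20 `Transfer` event logs (in the shape returned by `eth_getLogs`) and raise an alert when tokens leave a watched wallet above a threshold. The token address, wallet addresses, amounts, transaction hashes and the 18-decimal assumption are all constructed placeholders.

```python
"""Added example: flag large outbound ERC20 transfers from a watched hot wallet.

Works over log entries in the shape returned by eth_getLogs (address, topics,
data, transactionHash). Addresses, amounts and hashes below are constructed
placeholders, not Decentr's real contract or swap wallet.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# keccak256("Transfer(address,address,uint256)"): the standard ERC20 Transfer event topic.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Assumed values (placeholders): token contract, watched swap wallet, token decimals.
DEC_TOKEN = "0x" + "11" * 20
SWAP_WALLET = "0x" + "aa" * 20
DECIMALS = 18


@dataclass
class Transfer:
    token: str
    sender: str
    recipient: str
    amount: int       # raw token units (integer, before applying DECIMALS)
    tx_hash: str

    def tokens(self) -> float:
        return self.amount / 10 ** DECIMALS


def _topic_to_address(topic: str) -> str:
    # Indexed address topics are left-padded to 32 bytes; the address is the last 20.
    return "0x" + topic[-40:].lower()


def decode_transfer(log: dict) -> Optional[Transfer]:
    """Return a Transfer for an ERC20 Transfer log entry, or None for other events."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    data = log.get("data", "0x")
    if len(data) != 66:  # "0x" + 32 bytes of hex for the uint256 amount
        return None
    return Transfer(
        token=log["address"].lower(),
        sender=_topic_to_address(topics[1]),
        recipient=_topic_to_address(topics[2]),
        amount=int(data, 16),
        tx_hash=log.get("transactionHash", ""),
    )


def outflow_alerts(logs: Iterable[dict], wallet: str, token: str,
                   threshold_tokens: int) -> List[Transfer]:
    """Transfers of `token` out of `wallet` at or above `threshold_tokens`."""
    alerts = []
    for log in logs:
        t = decode_transfer(log)
        if t is None or t.token != token.lower() or t.sender != wallet.lower():
            continue
        if t.amount >= threshold_tokens * 10 ** DECIMALS:
            alerts.append(t)
    return alerts


# --- constructed sample input -------------------------------------------------
def _addr_topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _make_log(token: str, sender: str, recipient: str, amount: int, tx_hash: str) -> dict:
    return {
        "address": token,
        "topics": [TRANSFER_TOPIC, _addr_topic(sender), _addr_topic(recipient)],
        "data": "0x" + format(amount, "064x"),
        "transactionHash": tx_hash,
    }


USER = "0x" + "bb" * 20
UNKNOWN = "0x" + "cc" * 20
SAMPLE_LOGS = [
    _make_log(DEC_TOKEN, USER, SWAP_WALLET, 5_000 * 10 ** 18, "0x" + "01" * 32),           # user deposit
    _make_log(DEC_TOKEN, SWAP_WALLET, USER, 50 * 10 ** 18, "0x" + "02" * 32),              # small refund
    _make_log(DEC_TOKEN, SWAP_WALLET, UNKNOWN, 3_600_000 * 10 ** 18, "0x" + "03" * 32),    # large outflow
    {"address": DEC_TOKEN, "topics": ["0x" + "ee" * 32], "data": "0x",
     "transactionHash": "0x" + "04" * 32},                                                 # unrelated event
]

if __name__ == "__main__":
    for t in outflow_alerts(SAMPLE_LOGS, SWAP_WALLET, DEC_TOKEN, threshold_tokens=10_000):
        print(f"ALERT: {t.tokens():,.0f} tokens left {t.sender} -> {t.recipient} in {t.tx_hash}")
```

Against the constructed logs only the 3.6m outflow trips the 10,000-token threshold; the inbound deposit and the small refund are ignored, as is the non-Transfer event. A real deployment would feed `eth_getLogs` results (filtered on the token contract address) into `outflow_alerts` on every new block and page someone when the list is non-empty.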

We began investigating the issue, with our primary concern being protection of further user funds and mitigating the disparity in the token supply.

We took the following actions:

  • Immediately issued a new hardware swap wallet and updated the swap address on our Google forms so no users sent funds to the hacked swap address.
  • As the team have no tokens vested until January 2022, we clawed back 3.6m tokens from our advisors to counter the missing tokens in the supply. ERC20 tokens are “locked” in the swap wallet and new tokens are issued on the Decentr mainnet; with these tokens no longer held in the swap address, there were technically additional tokens in the ERC20 circulating supply.
  • Received contact from the hacker and tried to negotiate a bounty for return of the DEC tokens. The hacker at this point sold a small amount of tokens to prove they had control of them.
  • Drafted an announcement to the community to notify DEC tokens holders of the exploit.
  • Continued to negotiate return of the tokens. When it became apparent we wouldn’t be able to negotiate return of the tokens, we immediately pushed the exploit notification to the community to make them aware.

Why did it happen?

The plan for our mainnet launch was to release mainnet with an automated swap process, using a lock-and-swap ERC20 contract, similar to BAND. Due to time limitations at both our end and our auditors' end, this contract was still being bug tested and audited in the week leading up to the mainnet release.

We were faced with a dilemma. Delay mainnet and wait for the contract (which we are still waiting on) or issue a manual swap wallet. We made a pragmatic choice. Surely it would be ok to use a manual swap wallet while we waited on the contract…

Again, in the sprint to the mainnet release, proper checks and balances were not put in place. We used a wallet from a list of wallets we had created some time ago. After investigating how this happened, in consultation with a technical auditor, it appears the swap wallet was seeded on a Windows PC that may have been exploited. This is the only plausible explanation our technical auditor could give us for the compromise of the private key for that wallet.

Without knowing it, this wallet was most likely compromised before we even used it…

Why will it not happen again?

As part of the process above, we consulted with a technical auditor in traditional IT (this took some time and hence the delay on this TLDR) to try and work out how we may have been exploited and to ensure it cannot happen again. Obviously, as part of this, the number one recommendation was “no crypto on Windows”. While most of our dev team uses Linux or Mac OS, we had a few using Windows, and for mixed purposes. The only Windows machines we now have are for QA testing only, and they are completely isolated from any holding of more than 10 DEC.

We have also verified the security of our network, other Decentr assets and of course the native blockchain itself. We found no entry points and no exploits in the blockchain or in the Decentr browser code. We have also checked all of our infrastructure and found no evidence of any tampering with our network or our code.

In the short term, the new Decentr ERC20 Swap wallet is a hardware wallet, which is what it should have been in the first place.

In the medium term, the Decentr ERC20 Swap wallet will be part of an audited ERC20 contract.

Summary

All we can do as a team is apologise to our community. What should have been a moment of celebration for both the team and the community, the release of our mainnet and mainnet browser, turned into a grim week for all involved.

We can assure you, the team is working as hard as ever and we value every DEC token holder and Decentr browser user. We hate letting you down and we’re sorry we did.

Official Links for Decentr

Website: https://decentr.net
Twitter: https://twitter.com/DecentrNet
Telegram Group: https://t.me/DecentrNet
Telegram ANN: https://t.me/DecentrAnnouncements
Beta Testers: https://t.me/DecentrBetaTesters
Github: https://github.com/Decentr-net
Windows Browser: https://decentr.net/files/DecentrSetupWin.zip
OSX Browser: https://decentr.net/files/MacOS_X64_Decentr_1.1.3.zip
Linux Browser: https://decentr.net/files/Ubuntu_X64_Decentr_1.1.3.zip
Validator and Staking Support: https://discord.gg/9cSxwKyEjR
