On Mar 31st, Deri hosted a dedicated AMA on the treasury incident. Below is the detailed and complete AMA recap:
Alpha: Hello, everyone. This is a special AMA for the incident that happened recently.
Since I’ve already disclosed what happened in this Twitter thread, I will not repeat it here. https://twitter.com/0x_Alpha/status/1641787814068240384
But again, I apologize for the consequences and the loss that was caused. I am truly sorry.
Here are some other pieces of information that I would like to share:
1. Other assets of the treasury are safe. Most of them are stored in a multisig contract, out of reach of this wallet. Even the other assets in this phished wallet (e.g. some BUSD or USDC) are safe too, since the attack was carried out through signatures that set the allowance for the DERI token only. That is, the attacker cannot touch anything else for which no allowance was set.
2. This has nothing to do with the protocol. This wallet is only one of the treasury wallets used to hold assets. It has never been used in protocol deployment or anything related to Deri’s smart contracts.
Q: Are the tokens sold out?
A: Yes, mostly. It’s not difficult to track where the tokens went. We did the analysis and saw that most of the 10M DERI had already been sold. Basically, you can do it yourself by getting the data from these 3 webpages:
Q: Have you tracked down the hackers and used legal means to request the return of the tokens?
A: The attacker used Uniswap, Pancakeswap, Sushiswap, 1inch and MEXC to sell the tokens. MEXC is the only CEX, where we can track the identity. We have already contacted MEXC. The account has already been frozen; however, the USDC in the account had already been transferred out. We will continue to work with MEXC and other agencies to try to find the attacker.
Q: You have to promise that this kind of thing can’t happen again.
A: Yes, this is one of the major topics I will talk about today.
We have already made a plan to enhance our overall security, including the following (and we are still working on this):
Secure Storage: Utilize HSM or multisig wallets for enhanced protection. Avoid storing keys on internet-connected devices.
Access Control: Implement multisig wallets with multiple approvals, establish clear access policies, and monitor logs for unusual activities.
Key Rotation: Regularly update keys and revoke compromised/lost ones or when a key holder leaves the organization.
Backup & Recovery: Maintain secure, geographically distributed backups, and establish a well-defined recovery process.
Staff Training: Offer ongoing training on key security, best practices, and conduct security drills to test effectiveness.
Third-Party Audits: Engage reputable auditors to assess treasury key management practices and identify vulnerabilities.
In the past, we paid a huge amount of attention to protocol security, which made Deri Protocol one of the most secure DeFi protocols. However, we neglected the non-protocol part.
That’s such a hard lesson for us: we should be highly careful everywhere, not just in the protocol-related parts.
In addition to improving our security practices, let me talk about what we are going to do about the incident:
1. For the 10M DERI that were dumped on the market: we will launch a more aggressive burning program over the next several months to absorb these 10M DERI. $200K from the protocol fee will be allocated to burn DERI. More will be added if necessary. So the 10M DERI will be absorbed by the burning and go to the DEAD lock address on Ethereum.
2. The team will compensate the treasury’s 10M DERI loss from its allocated DERI tokens.
Meanwhile, if somebody from the community can help us track the attacker, that would help greatly.
These are the two transactions that stole the DERI tokens from the treasury account:
Among all the following transfers, this is the one that transferred part of the stolen DERI into MEXC:
If anybody can help find out the attacker, we will give out a reward. But more importantly, that’s helping everyone in the Deri community!
Q: I think you should buy 10 million tokens in the secondary market and just destroy them!
A: Please take a look at the burning plan that I just talked about. Eventually, the 10M DERI tokens will go to the DEAD address:
Q: You think the hackers can steal the ARB too?
A: No they cannot.
Other assets of the treasury are safe. Most of them are stored in a multisig contract, out of reach of this wallet. Even the other assets in this phished wallet (e.g. some BUSD or USDC) are safe too, since the attack was carried out through signatures that set the allowance for the DERI token only. That is, the attacker cannot touch anything else for which no allowance was set.
I think I forgot to emphasize that this was not a private key leak. What happened is that the phishing website fooled me into signing a message that set a max allowance for their address to transfer DERI from the treasury account (people sign such messages all day; it’s not a problem as long as the approved spender is a legitimate one). So if you understand that, you will know why no other assets can be touched.
Again, I want to apologize for the mistake. I also want to emphasize that this is not the end of the road for Deri. Deri Protocol has just passed its second birthday. We’ve been through so many things since we launched. After two years, we are still here! (Many others are not!) What doesn’t kill us only makes us stronger. I guess the two-year journey has given us some antifragility. I thank you all for keeping your faith in Deri. I would appreciate it if you continue to do so.
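The recap above describes the loss as a signed approval that granted the attacker's address an unbounded DERI allowance, not a key compromise. The script below is an added example (not code from Deri or from the AMA) showing the check a treasury operator can run on such a request before signing: it decodes the calldata of the standard allowance-granting ERC-20 / EIP-2612 calls (approve, increaseAllowance, permit), refuses unbounded allowances and spenders outside an operator-maintained trusted list, and builds the approve(spender, 0) calldata that revokes an allowance already granted. Which of these calls the phishing site actually used is not stated in the recap and is an assumption here; the addresses and calldata are constructed for the example, while the four-byte selectors are the standard ones.

```python
"""Decode ERC-20 / EIP-2612 approval calldata, flag risky allowances, build a revoke.

Added example; not code from Deri or the AMA. The incident is described only as a
signature that set a max DERI allowance for the attacker's address, so the exact
call is an assumption: the three standard allowance-granting functions are checked.
Sample addresses and calldata below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# 4-byte function selectors (first 4 bytes of keccak256 of the function signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
}
# (word index of spender, word index of amount, number of 32-byte argument words).
LAYOUT = {
    "approve(address,uint256)": (0, 1, 2),
    "increaseAllowance(address,uint256)": (0, 1, 2),
    "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)": (1, 2, 7),
}
MAX_UINT256 = 2**256 - 1
WORD = 64  # hex characters per 32-byte ABI word


@dataclass(frozen=True)
class ApprovalCall:
    function: str
    spender: str  # 0x-prefixed, lower-case, 20 bytes
    amount: int   # new allowance (approve/permit) or increment (increaseAllowance)


def decode_approval(calldata_hex: str) -> Optional[ApprovalCall]:
    """Return spender and amount of an allowance-granting call, or None if it is not one."""
    data = calldata_hex.lower().removeprefix("0x")
    fn = SELECTORS.get(data[:8])
    if fn is None:
        return None  # transfer(), swaps, etc. do not change allowances
    body = data[8:]
    spender_ix, amount_ix, nargs = LAYOUT[fn]
    if len(body) != nargs * WORD:
        return None  # truncated or non-standard encoding: do not guess
    words = [body[i:i + WORD] for i in range(0, len(body), WORD)]
    spender_word = words[spender_ix]
    if spender_word[:24] != "0" * 24:
        return None  # an address word must be left-padded with 12 zero bytes
    return ApprovalCall(fn, "0x" + spender_word[24:], int(words[amount_ix], 16))


def assess(call: ApprovalCall, trusted_spenders) -> list:
    """Reasons a signer should refuse this approval; an empty list means acceptable."""
    if call.amount == 0:
        return []  # setting the allowance to zero is a revocation, never harmful
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    if call.spender not in trusted:
        findings.append(f"spender {call.spender} is not on the trusted list")
    if call.amount == MAX_UINT256:
        findings.append("allowance is unbounded (uint256 max)")
    return findings


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0); send it to the token contract to revoke."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x095ea7b3" + addr.rjust(WORD, "0") + "0" * WORD


# Constructed sample: approve(0x1111...1111, uint256 max), the shape the AMA describes.
ATTACKER = "0x" + "11" * 20
SAMPLE_MAX_APPROVE = "0x095ea7b3" + ATTACKER[2:].rjust(WORD, "0") + "f" * WORD
# Hypothetical trusted spender, e.g. a DEX router the treasury actually uses.
TRUSTED = {"0x" + "22" * 20}

if __name__ == "__main__":
    call = decode_approval(SAMPLE_MAX_APPROVE)
    for reason in assess(call, TRUSTED):
        print("REFUSE:", reason)
    print("revoke with:", revoke_calldata(call.spender))
```

Two design points: a zero-amount call is treated as safe because it is exactly the revocation a victim should issue, and any calldata whose length or address padding does not match the standard ABI layout is rejected rather than partially decoded, since a phishing payload has no reason to be well-formed.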