MSK Staking Attack

Official Attack Report

On May 30th at 2am EST, we were the target of an attack on our token, MSK. We have evidence of who the attacker might be, but do not want to announce it publicly until we are 100% sure.
Fully Operational Features
  • Your Bad Bears and Bad Cubs continue to generate MSK.
  • Staking Rewards continue to accrue.
Temporarily Suspended Features
  • MSK Staking Withdrawals and Deposits
  • MSK Uniswap Pool Buys and Sells
  • Serum Drops
Here's what we know:

MSK Withdraw Contract

Contract: 0x12d1c439b8071ebfcf196927b1f61c008854fa0f
Overview
The MSK withdraw contract was developed as a way for users to deposit and withdraw MSK. While their tokens are staked, users can participate in the Gasless Transactions system.
Staked MSK lets you spend your MSK instantly and without paying gas transfer fees (except a small Ethereum gas fee when minting to the blockchain). We were aware of the security risk this posed, so we spent a significant amount of resources securing our WEB2 architecture and implementing WEB3 multi-signature and one-way user signing to authorize transactions.
The two wallets used for the multi-signature are the blockchain developer's wallet and a founder's wallet. Both needed to produce a digital signature before tokens could be withdrawn.
Where the problem happened
When the blockchain developer deployed the MSK Withdraw contract, they used their own wallet instead of the founder wallet. This was likely unintentional, a step missed in the heat of launch.
Because both private keys were then held by a single entity, the second signature no longer provided an independent check, which left a vulnerability in the MSK Withdraw contract.
We do not believe that any of our developers executed the attack. We believe it was someone close to our backend developer who took the opportunity to execute the attack while our developer was traveling.
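As an added illustration (not the project's contract code), the model below shows how placing the same wallet in both multi-signature slots collapses the 2-of-2 check into a single signer, and the deployment-time invariant that would have flagged it. The addresses, custody map and pool size are constructed placeholders, and signature recovery is abstracted to a set of approving addresses.

```python
from dataclasses import dataclass

@dataclass
class WithdrawContract:
    """2-of-2 authorization: a withdrawal needs approval from both configured signers.
    Approvals are the set of signer addresses recovered from valid signatures;
    signature verification itself is abstracted away in this model."""
    signer_a: str      # intended to be the blockchain developer's wallet
    signer_b: str      # intended to be a founder's wallet
    pool_balance: int  # staked MSK held by the contract

    def withdraw(self, amount: int, approvals: frozenset[str]) -> bool:
        authorised = self.signer_a in approvals and self.signer_b in approvals
        if not authorised or amount > self.pool_balance:
            return False
        self.pool_balance -= amount
        return True

def check_deployment(c: WithdrawContract, custody: dict[str, str]) -> None:
    """Deployment invariant the incident shows was missing: the two signer slots must
    hold different addresses controlled by different parties (custody: address -> holder)."""
    if c.signer_a == c.signer_b:
        raise ValueError("both multisig slots hold the same address")
    if custody.get(c.signer_a) == custody.get(c.signer_b):
        raise ValueError("both signer keys held by one party: 2-of-2 collapses to 1-of-1")

def deployment_rejected(c: WithdrawContract, custody: dict[str, str]) -> bool:
    try:
        check_deployment(c, custody)
        return False
    except ValueError:
        return True

def attempt_withdrawals(c: WithdrawContract, approvals: frozenset[str], per_tx: int, txs: int) -> int:
    """Attempt `txs` withdrawals of `per_tx` each; return the total that got through."""
    return sum(per_tx for _ in range(txs) if c.withdraw(per_tx, approvals))

# Constructed placeholder addresses and pool size; not the real wallets from the report.
DEV, FOUNDER = "0xDEV-WALLET", "0xFOUNDER-WALLET"
CUSTODY = {DEV: "developer", FOUNDER: "founder"}
POOL = 500_000_000  # whole MSK

def misconfigured_scenario() -> int:
    """Developer wallet in both slots: one key holder gets 20 x 5m = 100m MSK through."""
    return attempt_withdrawals(WithdrawContract(DEV, DEV, POOL), frozenset({DEV}), 5_000_000, 20)

def correct_scenario() -> int:
    """Distinct wallets: the same single-key attempt withdraws nothing."""
    return attempt_withdrawals(WithdrawContract(DEV, FOUNDER, POOL), frozenset({DEV}), 5_000_000, 20)
```

Running `check_deployment` against the deployed signer configuration, with a custody map maintained outside the contract, is the kind of post-deploy verification that catches this before funds are at risk.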

What happened

  1. 2:02am EST the attacker began withdrawing tokens.
  2. A total of 100m MSK (20 withdrawals at 5m each) was withdrawn from the Staking Pool.
  3. 29 ETH worth of sales into our Uniswap Liquidity Pool (~$50k). 15% of the sales went into our Sell Tax Wallet, which will be used at the right time to bring up the value of MSK.
  4. Community was immediately notified.
  5. We shut down trading of MSK and turned off Withdraw MSK features.
  6. We contracted an audit firm immediately to isolate the issue and identify the source.
  7. Attacker moved funds to a MEXC account.

What happens next

Notice to attacker, attempt to retrieve funds
We have sent notice to the person we suspect is responsible for the attack. Here is the message:
We are in contact with the Toronto Police Department and a MEXC representative, and we have notified our lawyer of an intent to pursue legal action.
We have clear evidence that this morning's staking hack came from you.
If the funds are not returned within 12 hours, we will execute on filing a police report, freeze your MEXC account, and pursue legal action.
We will let you keep 15% of the stolen funds as a reward for identifying the security vulnerability.
If I do not hear back from you within 12 hours, we will file a police report, proceed with discussions with MEXC and execute legal action.
BeeFrens Launch Schedule stays on track
🐝 BeeFrens is still on schedule to begin private mint on May 31st at 4pm EST. Public Mint is on June 2nd at 4pm EST.
Audit all smart contracts and backend systems
A local blockchain development firm that we hired for the BeeFrens work will conduct in-depth audits and documentation. On their staff is an expert on cyber security and smart contract audits.
Temporarily suspend MSK staking deposits, withdrawals, buys, and sells
Until we complete an audit and refactor our systems, MSK interactions will be put on pause.
Keep building
Hacks are common in the crypto space, and growing projects become targets. Though this attack hurts, it uncovered a vulnerability in our contract, and we are fortunate that it happened now rather than far into the future when the price of MSK is higher.
The Bad Bears team will continue to manage this issue professionally. If you have any questions, please visit our Discord (https://discord.gg/badbears).