MSK Staking Attack
On May 30th at 2am EST, we were the target of an attack on our token, MSK. We have evidence of who the attacker might be, but do not want to publicly announce until we are 100% sure.
Here's what we know:
Staked MSK allows you to spend your MSK instantly and without paying gas transfer fees (except a small Ethereum gas fee when minting to the blockchain). We were aware of the security risk posed here, so we spent a significant amount of resources securing our WEB2 architecture and implementing WEB3 multi-signature and one-way user signing to authorize transactions.
The two wallets used for multi-signature are the blockchain developer's wallet and a founder's wallet. Both needed to generate a digital signature to allow tokens to be withdrawn.
Where the problem happened
When the blockchain developer deployed the MSK Withdraw contract, they used their own wallet instead of the founder wallet. It's likely this was unintentional, and was a missed step in the heat of launch.
Because both private keys were held by a single entity, the MSK Withdraw contract was left vulnerable.
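An added example, not code from the MSK project: a check that compares the signer slots read back from a deployed withdraw contract against custodian addresses agreed out of band, which flags a developer wallet sitting in the founder slot. All addresses, role names and the `audit_signers` helper are assumptions; the page does not describe the contract's internals.

```python
# Added example: audit the signer set of a two-signature withdraw contract.
# Every address and role name here is constructed for illustration.

def norm(addr: str) -> str:
    """Lower-case a hex address so checksum casing cannot hide a match."""
    a = addr.strip().lower()
    hexpart = a[2:]
    if not (a.startswith("0x") and len(hexpart) == 40
            and all(c in "0123456789abcdef" for c in hexpart)):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def audit_signers(expected: dict, deployed: dict, deployer: str) -> list:
    """Compare deployed signer slots with the custodians agreed out of band.
    Returns a list of findings; an empty list means the deployment matches."""
    exp = {role: norm(a) for role, a in expected.items()}
    dep = {role: norm(a) for role, a in deployed.items()}
    dpl = norm(deployer)
    findings = []
    for role, want in exp.items():
        got = dep.get(role)
        if got is None:
            findings.append(f"{role}: no signer configured")
            continue
        if got != want:
            findings.append(f"{role}: deployed signer does not match agreed custodian")
        if got == dpl and want != dpl:
            findings.append(f"{role}: slot is held by the deploying wallet")
    if len(set(dep.values())) < len(dep):
        findings.append("same address fills more than one signer slot")
    return findings

# Constructed sample data (not real wallets).
DEV = "0x" + "a1" * 20          # blockchain developer's wallet, also the deployer
FOUNDER = "0x" + "B2" * 20      # founder's wallet, supplied out of band
DEV_SECOND = "0x" + "c3" * 20   # a second address controlled by the developer

EXPECTED = {"developer": DEV, "founder": FOUNDER}
AS_LAUNCHED = {"developer": DEV, "founder": DEV}          # the missed step
TWO_KEYS_ONE_HOLDER = {"developer": DEV, "founder": DEV_SECOND}

if __name__ == "__main__":
    for name, cfg in [("intended", EXPECTED), ("as launched", AS_LAUNCHED),
                      ("two keys, one holder", TWO_KEYS_ONE_HOLDER)]:
        print(name, "->", audit_signers(EXPECTED, cfg, DEV) or "OK")
```

The third case shows why checking only that the two signers differ is not enough: two distinct addresses held by one person pass a distinctness test but fail the comparison against the founder address obtained out of band.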
We do not believe that any of our developers executed the attack. We believe it was someone close to our backend developer who took the opportunity to execute the attack while our developer was traveling.
- 1. At 2:02am EST the attacker began withdrawing tokens.
- 2. A total of 100m MSK (20 withdrawals at 5m each) was withdrawn from the Staking Pool.
- 3. 29 ETH worth of sales into our Uniswap Liquidity Pool (~$50k). 15% of the sales went into our Sell Tax Wallet, which will be used at the right time to bring up the value of MSK.
- 4. Community was immediately notified.
- 5. We shut down trading of MSK and turned off Withdraw MSK features.
- 6. We contracted an audit firm immediately to isolate the issue and identify the source.
- 7. Attacker moved funds to a MEXC account.
Notice to attacker, attempt to retrieve funds
We have sent notice to the person we suspect is responsible for the attack. Here is the message:
We are in contact with the Toronto Police Department, a MEXC representative and we have notified our lawyer of an intent to pursue legal action. We have clear evidence that this morning's staking hack came from you. If the funds are not returned within 12 hours, we will execute on filing a police report, freeze your MEXC account, and pursue legal action. We will let you keep 15% of the stolen funds as a reward for identifying the security vulnerability. If I do not hear back from you within 12 hours, we will file a police report and proceed with discussions with MEXC and execute legal action.
BeeFrens Launch Schedule stays on track
🐝 BeeFrens is still on schedule to begin private mint on May 31st at 4pm EST. Public Mint is on June 2nd at 4pm EST.
Audit all smart contracts and backend systems
A local blockchain development firm that we hired for the BeeFrens work will conduct in-depth audits and documentation. On their staff is an expert on cyber security and smart contract audits.
Temporarily suspend MSK staking deposits, withdrawals, buys, and sells
Until we complete an audit and refactor our systems, MSK interactions will be put on pause.
Hacks are common in the crypto space, and growing projects become targets. Though this attack hurts, it uncovered a vulnerability in our contract, and we are fortunate that the attack happened now and not far into the future, when the price of MSK is higher.