You've probably heard the news by now. The wLEO contract was exposed to a hack earlier today on Ethereum which led to a massive drain on the pool.
Fortunately, many users were quick to realize that these were false transactions and they removed liquidity from the pool as soon as they found out. This reduced the hacker's ability to steal ETH from the pool.
Earlier today, we managed to shut down the contract and withdraw the remaining liquidity from the pool (about 114 ETH).
It will take us some time to snapshot the balances before the hack and figure out who had withdrawn liquidity vs. who was still in the pool at the time of the hack, but we will continually work on it and keep you posted on the distribution of this ETH back to LPs.
From what I keep hearing, this has happened to many other pools on Uniswap. The token issuing contract/address gets exposed and then someone takes advantage of it to mint infinite tokens and rug pull the Uniswap pool to steal the Ethereum.
What we know is that the hacker in question stole ETH from the pool by minting WLEO to himself and then swapping it into the market for ETH.
The ETH was then sent to Binance (Binance has been contacted, but there may be nothing they can do since the hacker seems to have used non-KYC'd accounts to receive the ETH).
The hacker's ETH address: https://etherscan.io/address/0x8c9a02c89c96940e377052a9be0c7326f89a2495
The flaw doesn't appear to be from the wLEO oracle on Hive (meaning that they didn't push through a false conversion).
This narrows it down to just a few possibilities for how they exposed the wLEO contract. We'll release more details as we continue to investigate and narrow it down further.
What we don't know is how the hacker was able to expose the WLEO contract in order to do this. Several of us and community members are researching this to find out.
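The mint-and-swap drain described above, and why LPs pulling liquidity reduced the loss, as an added illustration that is not code from LeoFinance or the WLEO contract. It assumes the pool priced swaps with the Uniswap v2 constant-product rule (0.3% fee); all reserves and amounts are constructed, and `supply_alert` is a hypothetical monitoring check.

```python
# Added illustration. Every number below is constructed; none is the real pool's state.
ETH = 10**18  # wei per ETH

def swap_out(amount_in, reserve_in, reserve_out):
    """Output of a constant-product swap with a 0.3% fee (Uniswap v2 rule, assumed)."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amounts and reserves must be positive")
    in_with_fee = amount_in * 997
    return (in_with_fee * reserve_out) // (reserve_in * 1000 + in_with_fee)

def drain(minted, token_reserve, eth_reserve):
    """ETH (wei) leaving the pool when `minted` unbacked tokens are sold into it."""
    return swap_out(minted, token_reserve, eth_reserve)

def supply_alert(wrapped_supply, custodied_backing):
    """Hypothetical monitor: wrapped supply must never exceed the native tokens held as backing."""
    return wrapped_supply > custodied_backing

def scenario():
    minted = 9_000_000                           # tokens created without backing
    full = drain(minted, 1_000_000, 1000 * ETH)  # pool before LPs react
    thin = drain(minted, 300_000, 300 * ETH)     # after 70% of liquidity is withdrawn
    return {
        "eth_lost_full_pool": full / ETH,
        "eth_lost_thin_pool": thin / ETH,
        "alert": supply_alert(1_500_000 + minted, 1_500_000),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The swap can never return more than the pool's ETH reserve, so the loss is capped by the liquidity still in the pool when the minted tokens are sold.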
Is LEO Safe?
One of the top questions right now is about LEO. In short, yes - LEO is safe. This hack only impacts WLEO on Ethereum and hasn't exposed any flaws in the Hive operations of LEO / LeoFinance.
The situation is similar to what would happen if WBTC got hacked. If WBTC is hacked, then Bitcoin itself isn't exposed. Only the WBTC on Ethereum, which represents BTC held in contracts, is exposed. This means that the hacker can ravage the price of WBTC but cannot impact the supply of BTC on the Bitcoin blockchain.
The same applies to WLEO / LEO: the hacker has impacted the price and supply of WLEO but cannot touch LEO itself, since the WLEO they minted cannot be unwrapped into LEO.
What About the Project?
LeoFinance is so much more than WLEO. WLEO has been 1 in a long line of developments for our project - 1 that helped us reach out into the broader world of crypto. By stepping out into that broader world, we attracted a lot of attention. Attention has its positives and negatives.
While we still don't know for sure where the attack came from, it does seem that it is most likely from Ethereum and not someone on Hive as there were other ways to exploit the system through Hive that they did not take advantage of.
Just as ETH recovered from the DAO incident and Bitcoin has recovered from the many attacks/exchange hacks, so too will LEO recover from this hack.
The latest release of https://LeoFinance.io was slated to come out on Monday (tomorrow) to offer a whole set of new features including a refined onboarding process, Metamask logins/signups, WLEO operations, revamped wallet UI and LeoInfra plug-ins.
This temporary setback will cause a slight delay in the release of the new LeoFinance UI update. We're still aiming to release it this week, but will focus on fixing the issues with WLEO first along with sorting through the remaining LP balances.
What doesn't kill us makes us stronger.
This is a bump in the road for LEO but our roadmap is still our roadmap. We'll continue developing and buidling for Hive and for LeoFinance.
Thank You to Everyone on Hive
Since the hack earlier today, so many people have reached out to show their support for LEO. Many are avid users of our platform and others are supporters, buidlers and community members from all around Hive.
To everyone who has reached out and offered a hand to help, thank you. It means a lot and your support is what makes getting through this so much easier. This is one of the darkest times for our project as we work on finding the flaw and rebuidling stronger than ever.
Hive is a battle-hardened community and we all bonded in blood as we fought in the trenches against Steemit/Tron. It will take time to heal, but we'll get through this and come out the other side better for it.