The Case of gotEM: How the Hack Was Prevented

Lossless · 3 min read · Jan 24, 2022

Just a month ago we launched a tool called Vault Protection, and it has already proved successful against hacks. gotEM, a crowdsourcing DeFi platform enabling private investigations, private security, and humanitarianism, applied this tool just in time — it prevented a hack on one of their wallets that would have resulted in a loss of around $55,000.

Vault Protection has a straightforward purpose: it adds a layer of protection for large key vaults and fund wallets to protect them from hacks. This is achieved through wallet whitelisting and withdrawal limiting. Wallet whitelisting marks the wallets that are allowed to receive transfers from the project’s vault. Withdrawal limiting, on the other hand, makes it possible to set an amount per transfer in a given period of time.

Multiple projects experienced an attack from the same developer — gotEM did as well. But only they had Lossless Protocol integrated into their token, which allowed them to use Vault Protection and secure their funds.

Detailed analysis of the hack

On January 11th, the developer account’s private key was compromised. This account was the owner of quite a few LP Mining and Staking contracts. There are a few versions of how this could have happened — the developer says that he pushed the private key to GitHub by mistake and that it was then stolen by bots. The project owners think the developer did a rug pull. The developer’s account on LinkedIn looks like a fake one.

Next, ownership of the contracts began to be transferred. This is the original owner: 0x263b4fcfd4076d527ceb21b84697851a91c6a61f (BscScan). Below you can see how many contracts have had their owners changed.

The new owner of these contracts was set to this address: 0x4EDcf70d3AC8Cacb658D43017fc114A0e5875D9A (BscScan).

The new owner started draining the LP Mining and Staking contracts. He removed all the LP tokens and project tokens from these contracts.

Then the exploiter exchanged the LP tokens for more project tokens and BNB on PancakeSwap. This pattern was repeated for all the exploited projects.

After that, he sent all the BNB tokens to another account: 0xc43b1f4e7e47be5d5663c3b26e4fb3fe7e217f90 (BscScan).

Finally, this other account started making deposits of 100 and 10 BNB to Tornado Cash.

All the project tokens remain untouched in the exploiter’s account (0x4EDcf70d3AC8Cacb658D43017fc114A0e5875D9A). These tokens are:

  1. 8,94M in GOTEM
  2. 161.05M in HBARP
  3. 524k in MPLAY
  4. 100.62M in ONEP
  5. 8,98M in PEE
  6. 81k in QDrop

At any moment in time, the exploiter could dump these tokens. Except for one — gotEM. Of all those projects, only the gotEM token has Lossless Protocol code integrated. gotEM’s project owner, with the help of the Lossless team, enabled Vault Protection for the exploiter’s address. With it enabled, the exploiter is no longer able to dump the tokens. The only thing he can do is send these tokens to the gotEM project owner.
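
The two checks described earlier (wallet whitelisting and withdrawal limiting), and the resulting state in which a protected address can only send to the project owner, modeled as an added Python example. It is not Lossless's contract code; the class name, the placeholder addresses, and the reading of the limit as a cumulative cap per rolling window are assumptions.

```python
from dataclasses import dataclass, field

# Constructed placeholder addresses, not real accounts.
PROJECT_OWNER = "0xPROJECT_OWNER_PLACEHOLDER"
DEX_ROUTER = "0xDEX_ROUTER_PLACEHOLDER"

@dataclass
class VaultGuard:
    """Hypothetical model of whitelisting plus withdrawal limiting."""
    whitelist: set   # recipients the protected address may pay
    limit: int       # assumed: max total amount per rolling window
    window: int      # window length in seconds
    history: list = field(default_factory=list)  # accepted (time, amount)

    def __post_init__(self):
        # Compare addresses case-insensitively (hex addresses vary in case).
        self.whitelist = {a.lower() for a in self.whitelist}

    def check(self, recipient, amount, now):
        if recipient.lower() not in self.whitelist:
            return "reject: recipient not whitelisted"
        # Forget accepted transfers that have aged out of the window.
        self.history = [(t, a) for t, a in self.history if now - t < self.window]
        if sum(a for _, a in self.history) + amount > self.limit:
            return "reject: withdrawal limit exceeded"
        self.history.append((now, amount))
        return "allow"

def replay():
    """Run constructed transfers from a protected address through the guard."""
    guard = VaultGuard({PROJECT_OWNER}, limit=1_000_000, window=3600)
    transfers = [  # (time in seconds, recipient, amount), all constructed
        (0, DEX_ROUTER, 1_000_000),      # attempt to sell on an exchange
        (10, PROJECT_OWNER, 400_000),    # return tokens to the owner
        (20, PROJECT_OWNER, 700_000),    # would exceed the cap in this window
        (3700, PROJECT_OWNER, 700_000),  # earlier transfer has aged out
    ]
    return [guard.check(to, amt, t) for t, to, amt in transfers]

if __name__ == "__main__":
    for decision in replay():
        print(decision)
```

Rejected transfers are not counted against the limit, so a blocked attempt does not consume the window's allowance.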

About Lossless

Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from our known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.

Our protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Our solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.
