Post Mortem
On Saturday, at about 15:00 UTC, the DAppNode smart contracts were exploited. The attacker gained control over the DAppNode Deployer address via the Profanity vulnerability. They then transferred ownership of the ProxyAdmin contract to the attacker address and performed multiple upgrade and call transactions.
They upgraded the TokenDistros that held NODE in the NODEstream, and they also upgraded the Unipool contracts, which were used for Liquidity Mining and held LP tokens from Uniswap and Sushiswap. They also upgraded the uniPool used for Governance Staking (which held only NODE).
With this upgrade, they were able to withdraw all NODE and LP tokens from the contracts. They then proceeded along two tracks:
- They bridged the 19,260,888 NODE that they stole from the token distros to Gnosis Chain, and dumped it for 552.612 GNO. They then bridged this GNO back to Mainnet Ethereum.
- With the stolen LP tokens, they withdrew the liquidity from Uniswap and Sushiswap, for a total of 57.08 ETH and 1,850,652.30 NODE. This NODE was dumped on Ethereum for another 0.64 ETH.
Then they transferred both the ETH and the GNO to another address where they consolidated the hacked tokens from the Giveth and Dappnode attacks, swapped the GNO for ETH and proceeded to send the ETH into Tornado.
You can see all the transactions related to the hack here.
Recovery Plan
There were three main groups affected by the hack:
- Those whose LPs were stolen from the uniPool contract
- Those who were providing liquidity outside of the Liquidity Mining program and got dumped on
- All NODE holders
Pending confirmation from legal counsel, we plan to return all ETH and GNO to the affected parties, and we will do a regenesis of the token to return all balances of NODE. This would bring everyone back to the same state they were in before the hack.
For this, we are extracting the list of LP holders at the block before the attack. Those who had their LPs stolen will get their ETH back. Those who got dumped on will get the GNO or ETH extracted from the pools, weighted by the amount of LP they had. All will receive their NODE back with the regenesis.
We will also capture the amount of NODE people had in their NODEstreams at the block before the hack, and will be able to recover this as well.
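As an added illustration of the weighting step described above (this is not part of the original post and not DAppNode's own tooling), the following Python splits recovered assets pro rata across a pre-attack LP snapshot. The addresses, balances and pot sizes are constructed for illustration; a real snapshot would be read from an archive node at the block before the exploit.

```python
# Added example: pro-rata refund calculation from a pre-attack LP snapshot.
# Addresses and amounts below are constructed for illustration; a real snapshot
# would be read from an archive node at the block before the exploit.

def allocate_pro_rata(pot: int, balances: dict[str, int]) -> dict[str, int]:
    """Split an integer pot (wei) across holders in proportion to their balance.

    Floor division plus largest-remainder rounding guarantees the shares sum
    exactly to the pot, so rounding neither mints nor loses a single wei.
    """
    total = sum(balances.values())
    if total == 0 or pot == 0:
        return {addr: 0 for addr in balances}
    shares, remainders = {}, []
    for addr, bal in balances.items():
        shares[addr], rem = divmod(pot * bal, total)
        remainders.append((rem, addr))
    leftover = pot - sum(shares.values())  # strictly less than len(balances)
    for _, addr in sorted(remainders, key=lambda t: (-t[0], t[1]))[:leftover]:
        shares[addr] += 1
    return shares


def build_refunds(snapshot, recovered):
    """snapshot: (address, lp_wei, group) triples taken at the pre-attack block.
    recovered: {group: {asset: pot_wei}} of what was pulled back for that group.
    Returns {address: {asset: refund_wei}}."""
    by_group: dict[str, dict[str, int]] = {}
    for addr, lp_wei, group in snapshot:
        holders = by_group.setdefault(group, {})
        holders[addr] = holders.get(addr, 0) + lp_wei   # merge duplicate rows
    refunds: dict[str, dict[str, int]] = {}
    for group, pots in recovered.items():
        for asset, pot in pots.items():
            for addr, amt in allocate_pro_rata(pot, by_group.get(group, {})).items():
                refunds.setdefault(addr, {})[asset] = amt
    return refunds


# Constructed snapshot: "stolen" = LP sat inside the Liquidity Mining uniPool,
# "dumped" = LP held outside the program and diluted by the attacker's sales.
SNAPSHOT = [("0xA1", 3_000, "stolen"), ("0xB2", 1_000, "stolen"),
            ("0xC3", 500, "dumped"), ("0xD4", 1_500, "dumped")]
# Constructed pots (wei), deliberately not evenly divisible to exercise rounding.
RECOVERED = {"stolen": {"ETH": 4 * 10**18 + 1},
             "dumped": {"GNO": 3 * 10**18, "ETH": 7}}

if __name__ == "__main__":
    for addr, assets in build_refunds(SNAPSHOT, RECOVERED).items():
        print(addr, assets)
```

The same snapshot-and-allocate approach applies to the NODEstream balances, with the pre-attack stream balance standing in for the LP amount.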
We will publish the lists of affected addresses and the corresponding refund amounts publicly once we have done the calculations.
The date for the regenesis will be announced once all the numbers have been triple checked and validated.
Thank you for your continued patience and support. We are taking this challenge as an opportunity to better DAOify, improve and continue our mission together.