$NODE hack post-mortem and recovery plan

Post Mortem

On Saturday, at about 15:00 UTC the DAppNode smart contracts were exploited. The attacker gained control over the DAppNode Deployer address via the Profanity vulnerability. Then, they transferred the ownership of the ProxyAdmin contract to the attacker address and performed multiple upgrade and call transactions.

They upgraded the TokenDistros that held NODE in the NODEstream, but also they upgraded the Unipool contracts, which were used for Liquidity Mining and held LP tokens from Uniswap and Sushiswap. It also upgraded the uniPool used for Governance Staking (just NODE).

With this upgrade, they were able to withdraw all NODE and LP tokens from the contracts. They then proceed with two tracks:

  1. They bridged the 19,260,888 NODE that they stole from the token distros to Gnosis Chain, and dumped it for 552.612 GNO. They then bridged this GNO back to Mainnet Ethereum.

  2. With the stolen LP tokens, they withdrew the liquidity from Uniswap and Sushiswap, for a total of 57.08 ETH and 1,850,652.30 NODE. This NODE was dumped on Ethereum for another 0.64 ETH.

Then they transferred both the ETH and the GNO to another address where they consolidated the hacked tokens from the Giveth and Dappnode attacks, swapped the GNO for ETH and proceeded to send the ETH into Tornado.

You can see all the transactions related to the hack here.

Recovery Plan

There were three main groups affected by the hack:

  1. Those whose LPs were stolen from the uniPool contract
  2. Those who were providing liquidity outside of the Liquidity Mining program and got dumped on
  3. All NODE holders

Pending confirmation from legal counsel, we plan to return all ETH and GNO to the affected parties and we will do a re-genesis of the token to return all balances of NODE. This would bring everyone into the same state as they were before the hack.

For this, we are extracting the list of LP holders at the block before the attack. Those who had their LPs stolen will get their ETH back. Those who got dumped on will get the GNO or ETH extracted from the pools, weighted by the amount of LP they had. All will receive their NODE back with the regenesis.

We will also capture the amount of NODE people had in their NODEstreams at the block before the hack, and will be able to recover this as well.

We will publish the lists of affected addresses and the corresponding refund amounts publicly once we have done the calculations.

The date for the regenesis will be announced once all the numbers have been triple checked and validated.

Thank you for your continued patience and support. We are taking this challenge as an opportunity to better DAOify, improve and continue our mission together.

11 Likes

very well thought out, although some ppl that bought cheap after the hack might complain, but we shouldn’t care.

3 Likes

Yes, I agree. But buying the token after the hack was a speculative move and the buyers took a calculated risk while doing so. We should prioritise the stability of the entire system and those providing liquidity before anything else.

4 Likes

appreciate the transparency. very admirable.

4 Likes

I totally agree, it was just speculation

Hi @Lanski as a stake holder in Ethereum and GC, do you mean that I will get back all the ETH that I had as collateral in the Ethereum network? And all the NODEs that I had in stake both in the LP and in the NODEstream of the GC? Thx.

Thank you @Lanski for sharing the post-mortem. This is sad day for Dappnode and I wanted to share my warm wishes to the whole team in those difficult time :yellow_heart: All in all the Dappnode is still force to be reckoned with in the blockchain space by empowering thousands of independent operators to play a role in the decentralization effort whether it be through the OS or initiatives such as the Web3Signer UI or its community.

I had a question about the nature of the hack. How did we confirm that the Profanity vulnerability was the actual exploit leading to the hack? My understanding is that this tool’s purpose is to generate private keys to an address containing a vanity string. I see nothing resembling such a vanity string in the deployer address 0x3793A5AC0eE459EBe80E7DF53F402d0a6c4d42B9. Either the string was in an alien language, either I am missing something. Can someone please clarify that point or what was the actual vanity segment in that address?

3 Likes

Yes, you will receive first your ETH and GNO and then your NODE via the regenesis. After the process is complete, you will have the exact amount of tokens you had the block before the hack!

1 Like

Thanks for your support <3

I had the same question! The deployer deployed the Token, which is 0xDa007777D86AC6d989cC9f79A73261b3fC5e0DA0 - Starting with da0 and ending with da0.

2 Likes

Wish the team best, as a community member I will be patient to get through this with you all.

1 Like

As per the recovery plan above, here are the amounts of ETH and GNO that groups 1 and 2 had a block before the hack started.

Please if you were providing liquidity, check that you are in this list!

3 Likes

Hey there!

So Quick 2 quick questions on Node Regenesis situation. I bought roughly 10K Node tokens for 0.03 Eth not realizing the hack happened at all…I bought them because I was (and did) plan on buying a dappnode unit, and wanted to be invested in the ecosystem… So my questions are:

  1. Are those purchased tokens gone / non redeemable? If so I totally get its not going to break the bank but still kind of a bummer…but I have to at least check.

  2. I bought the HOPR Special Edition Node about a week ago…and it comes with 500 NODE tokens… are those tokens still legitimate and claimable? If so which ones, the Old pre hack NODE tokens? or the newly issued post hack/regenesis NODE token?

Thank you for your time!

Hey @BlockchainBreakdown !

  1. Yes… these NODE will be abandoned. You can sell them now to try to get part of the ETH back. Regensis snapshot will be accounting for balances a block before the hack.
  2. Congrats on being a Node Runner! Welcome to the family and I hope your dappnode works smoothly. Your 500 NODE tokens that you can claim with the 4 GNO are going to be useless (pre-hack NODE), but you will receive 500 more of the “good ones” after the regenesis :fire:
1 Like

Since no issues were raised on our accounting, we have set up the 1st of DEC as the date to send back the ETH and GNOs as per the lists above :fire: :fire:

1 Like