A Brief Review on the 12/08 Spiderman Hacking Incident

A brief summary.

12/08, 8:35pm UTC+8, itsspiderman hacked both eCurve and PIZZA Lend. The hacker attacked eCurve and minted infinite LP tokens called TRIPOOL. Beside using the TRIPOOL tokens to withdraw all liquidity in target eCurve pools, the hacker also collateralized them in PIZZA Lend, and borrowed all tokens with value. More details of the hack could be found in here and here. The ETH address the hacker uses is here.

We received the alert and immediately verified that a hack incident has just happened. The first reaction was to contact both the eCurve team and the producing block producers. So basically 3 things:

1. Confirm the hack and find out the basic cause of it.
2. Confirm the hacker accounts, especially the ones that store the stolen tokens.
3. Contact with the top 21 BPs, host a zoom call that the BPs can join (so you can explain to them what happens, provide them with on-chain evidences and how you want them to help).

The classic way of dealing with hacking incidents since 2018 was to ask all 21 BPs to blacklist the target hacker accounts. If all 21 BPs ban the target accounts, the transactions from the target accounts will all be rejected. And the problem is it’s almost impossible to ask all 21 BPs to keep the black list.

So the new approach is to freeze the target accounts. In this case, the target accounts will be permanently restricted until another proposal was approved to unfreeze them.

We took both approaches but made the second one our main direction, because as mentioned above, it’s almost impossible to get all 21 BPs to add certain accounts to a blacklist. From 9pm to 00:30, it took three and half hours to actually draft the proposal that could limit the target accounts’ actions. In order to make it happens, it requires 15/21 approvals from the producing BPs. All BPs were being extremely helpful, we spent one more hour to explain and review the ongoing situation and the proposal itself. At 01:47 am, eventually, we got the approvals from 15 block producers (check the image below for a detailed list).

However, the hacker created 1.37 millions EOS accounts over the past 4 and half hours and sent 98% of the stolen tokens to these accounts. In average each account got around $6~7.

Also, as a revenge for the PIZZA team to call the BPs, the hacker airdropped many tokens to random accounts. So basically here was a “you call the cop and the robbers kill several hostage as a warning” situation.

well, some accounts were not so random, “gaotiancheng ” for example, this account was created right before his huge airdrop, with suspicious initial EOS transaction and suspicious KYC info in both Huobi and Alipay. However, in the next day we managed to collect the list of the 1.37 millions hacker accounts, we didn’t include the “gaotiancheng” because 100% confirmed.

The general timeline is:

• 12/08, 8 pm (UTC + 8), hack happened.
• 12/09, 1 am, first proposal was approved; hacker already transfer tokens to 1.37 million new created accounts
• 12/09, morning, PIZZA visited Slowmist and contacted Token Pocket to freeze TPT ($2 millions stolen) token contract. Both companies helped to track hacker info.
• 12/09, evening, PIZZA collected all 1.37 millions accounts and started to verify if they are 100% target hacker accounts.
• 12/10, verified the accounts and make the verify process readable on github. Started to write a proposal that could restrict the 1.37 millions target hacker accounts.
• 12/11, continued to verify the target accounts, tested the proposal. Contact with BPs and provided them with review methods. Set target action time to 12/12 night.
• 12/11 Midnight, the hacker asked for $3 millions ransom and threat to send all stolen funds to normal users if BPs attempt to restrict his accounts.
• 12/12, 2 am, fight or flight. Evaluated the cost of resource the hacker had to take to transfer all tokens. Decided to bring the plan forward. Set target action time to 12/12, 10 am. Contacted all 21 BPs.
• 12/12, 10:30 am, proposal voting started.
• 12/12, noon, hacker saw the proposal and threaten to send all tokens to normal accounts.
• 12/12. afternoon, negotiations. Between PIZZA and hack, and also among the BPs.
• 12/12, 4 pm, 15 approvals received. Hacker agree with the $500K ransom.

12/23, all services on PIZZA Lend Resumed. PIZZA started to work with ENF to design a recovering framework to provide a more convenient and standardized process to resolve similar incidents in the future.

After this hack, PIZZA will only open a very limited list of collaterals. The truth is that we have too many collateral choices that really qualifies, and this is obviously not an excuse to set a lower standard.

There is also a patch that introduces a lending cap to the PIZZA platform, it will filter out most of the unexpected extreme price movements or infinite inflated tokens like what’s in this eCurve hack.

In the end, there will also be a new ENF working group: Recover+. PIZZA team will work with the EOS network foundation to design a crisis management framework to help EOS projects coping with hacking incidents. The phase one work is expected to be done by the end of April.

Thanks everyone who help in this incident, without your kindly support PIZZA might have just been crashed and never be able to continue contribute like it was. We can’t thank you more enough, it’s only hard work and contribution to the community can repay the debts we owe you. Let’s together go for a better future.