Hive-Roller.com Withdrawals Temporarily Disabled Pending Investigation of Security Exploit used to Duplicate Withdrawals.


Exploit Results in Bankroll Pillaging... Investigation Begins

3246.650 HIVE (~$975 USD) was stolen from the site bankroll yesterday via an exploit that took advantage of a weakness in the withdrawal security check function. The withdrawals were made by the account @kimanhz10, which appears to have been created the same day as the hack. I've got a sneaky suspicion I know who is behind all of this ***cough*** wehmoen ***/cough*** and while their IP address seems to point towards the attack coming from Asia, it's more likely it came from Europe with the Asian IP address being a proxy or VPN. The account seems to have been created for the sole purpose of exploiting the Hive-Roller.com site, with a few rolls on a competitor site done first in order to give the illusion the account wasn't set up strictly to perform the hack. Granted, this is speculation.

The GEOIP data I was able to pull from their login:

Ho Chi Minh City, SG, VN - 171.253.141.137

And the email they used to register their account:

anh1111z1z@gmail.com

I'm almost certain the information above is either faked or the IP of a VPN, so I'm not sure it'll help in the investigation, although I figured it should be included in case it is of some value to someone and that username, email or IP address is something a community member may recognize.

I've got a fair amount of information recovered from the site logs that will be used in my investigation and bug fixing here over the next few days. In the meantime the site will remain operational, but withdrawals will be disabled to prevent any further loss of funds. My apology for having to disable withdrawals, but other than an outright shutdown of the Hive-Roller.com site I didn't know how else to prevent further use of the exploit if the black hat decided to come back.

They drained nearly all the HIVE from the site's account, save for around ~200 HIVE or so, which strikes me as slightly odd considering they went through the trouble of grabbing everything else. Granted, 200 HIVE is like $60 USD, which is enough for a hell of a McDonald's order.

No other tokens or currencies enabled on the site seem affected by the hack, although as a precaution all withdrawals across the board have been disabled until the vulnerability has been patched and tested to prevent such things from happening again. All in all, while quite a piss off to myself and the users of the site, I'm just glad the amount that was taken isn't beyond my ability to cover. More info on the repayment plan is outlined in the passage below.

Repayment Plan Enabled


A power down of my own account has been started to cover the losses, and withdrawals on the Hive-Roller.com site have been disabled until the bug can be recreated on a developer instance of the site and patched to prevent future incidents like this. While overall sort of a crappy situation, I'm quite happy that it happened in alpha testing while the bankroll was small enough for me to cover the losses. It will take roughly 7 weeks from today for my power downs to cover the outstanding deficit between the amount of HIVE the site bankroll says it holds and the amount of actual HIVE present in the Hive-Roller.com account.

While as a site operator this is the sort of thing you have nightmares about, in all honesty I'm glad that this exploit was brought to my attention now while the site was still in alpha testing instead of later down the road, when the bankroll could have potentially been 100x what it was at the time of the hack. Even massive, well established sites like PrimeDice.com on the Bitcoin network get hacked from time to time, and while certainly not an attempt at justification of any of this, it's just a fact of life that things like this happen. An eye opener and a somewhat expensive lesson, but ultimately not anything that can't be recovered from in the long run.

I'll be powering down my account as well as converting most of the HBD received from the Hive.Loans development proposal into HIVE in order to expedite the bankroll repayment process. By power down alone it will take 7.6 weeks to repay everything, so hopefully by also converting the HBD payments to HIVE this duration can be cut down by a few weeks in order to resume normal site functionality and get everything back to normal.

Transparency is Key With Everything Crypto

This announcement, although absolutely fucking embarrassing to write, comes from my own personal goal to strive for transparency with regard to my projects and not to hide important information that people should know. I'm sure some site operators would have gone out of their way in an attempt to cover up the hack of their site in order to "save face", but in all honesty I'd rather lose a bit of face and be forthcoming with information such as this than be a skeeze bag and try to cover up the situation.

I'm thoroughly embarrassed that my code wasn't strong enough to prevent this, and while in the short term users may be out a bit of HIVE liquidity over the next 8 weeks, everything will be repaid to the site bankroll and thus to the users who've been supplying it. As stated above, I'm not nearly as devastated as I could have been given my ability to cover the losses out of pocket. While still not enthralled over all of this and how it unfolded, at the end of the day I'm grateful that this happened at a time when damages weren't to such an extent that people would actually be out money.

None of the users or investors in the site have lost anything capital wise at the end of the day, other than myself to the tune of what needs to be repaid to the site, but what it boils down to is that the news of this hack had to be made public regardless of the embarrassment, the consequential shame of being hacked, or the potential damage to my standing or reputation within the community as a developer. All news, good or otherwise, should be shared with the community if a developer plans to operate here within our community, as it's a good litmus test of a person's morality.

Site Security Moving Forward


Rewriting the Hive-Roller.com back-end and migrating it to a better data handling method was on my list of things to do right after getting Hive.Loans up and running. Unfortunately the exploit came before I managed to do this, and so for putting it off I'll be paying back the discrepancy between the site bankroll and the account balance. While a hot wallet / cold wallet implementation was planned for the total back-end rewrite, it looks like it'll have to be included in the patch for this exploit as another layer of protection against this happening again in the future.

The @hive-roller.safe account will be used as the cold wallet going forward, to minimize the amount of tokens available to the site itself for processing withdrawal requests. This way, on the off chance another exploit similar to this one is found in the future, the damage to the bankroll will be limited to the funds in the @hive-roller.com account hot wallet.
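The post describes the weakness only as a withdrawal security check that let withdrawals be duplicated, and the fix only as a hot wallet / cold wallet split. The following is an added example, not Hive-Roller.com's code, of how a withdrawal handler can be built so that both defences hold: it assumes (as a common cause of duplicated withdrawals) that a request can be replayed or interleaved before the balance is debited, and it uses an in-memory SQLite ledger with constructed balances and a constructed hot wallet funding of 500 HIVE. Every request carries a client-chosen request_id that is a primary key (a replay fails), the balance check and the debit are a single conditional UPDATE inside a write-locked transaction (no check-then-act gap), and the hot wallet table caps the total that can leave the site between sweeps from the cold account.

```python
import sqlite3

# Constructed figure: HIVE moved from the cold account into the hot wallet for one sweep window.
HOT_WALLET_FUNDING = 500.0


def init_db():
    """Create an in-memory ledger (constructed for this example).

    isolation_level=None puts the connection in autocommit mode so that
    withdraw() can open and close its own transaction explicitly.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE balances (
            user   TEXT PRIMARY KEY,
            amount REAL NOT NULL CHECK (amount >= 0)   -- DB-level backstop against overdraft
        );
        CREATE TABLE withdrawals (
            request_id TEXT PRIMARY KEY,               -- idempotency key: one row per request
            user       TEXT NOT NULL,
            amount     REAL NOT NULL
        );
        CREATE TABLE hot_wallet (
            id     INTEGER PRIMARY KEY CHECK (id = 1),
            amount REAL NOT NULL CHECK (amount >= 0)
        );
    """)
    conn.execute("INSERT INTO hot_wallet VALUES (1, ?)", (HOT_WALLET_FUNDING,))
    return conn


def deposit(conn, user, amount):
    """Credit a user's site balance."""
    conn.execute("INSERT OR IGNORE INTO balances VALUES (?, 0)", (user,))
    conn.execute("UPDATE balances SET amount = amount + ? WHERE user = ?", (amount, user))


def balance(conn, user):
    row = conn.execute("SELECT amount FROM balances WHERE user = ?", (user,)).fetchone()
    return row[0] if row else 0.0


def hot_wallet_balance(conn):
    return conn.execute("SELECT amount FROM hot_wallet WHERE id = 1").fetchone()[0]


def withdraw(conn, request_id, user, amount):
    """Process one withdrawal atomically.

    Returns 'ok', 'duplicate', 'insufficient', 'hot_wallet_limit' or 'invalid'.
    Either every step commits together or nothing is written.
    """
    if not isinstance(amount, (int, float)) or amount <= 0:
        return "invalid"
    # Take the write lock up front so no second request can interleave with this one.
    conn.execute("BEGIN IMMEDIATE")
    try:
        # 1. Idempotency: a replayed or duplicated request_id violates the primary key.
        try:
            conn.execute("INSERT INTO withdrawals VALUES (?, ?, ?)", (request_id, user, amount))
        except sqlite3.IntegrityError:
            conn.execute("ROLLBACK")
            return "duplicate"
        # 2. Check and debit in ONE statement: the WHERE clause is the balance check,
        #    so there is no window between reading the balance and subtracting from it.
        cur = conn.execute(
            "UPDATE balances SET amount = amount - ? WHERE user = ? AND amount >= ?",
            (amount, user, amount),
        )
        if cur.rowcount != 1:
            conn.execute("ROLLBACK")
            return "insufficient"
        # 3. Hot wallet cap: the payout must fit in what the cold account has released.
        cur = conn.execute(
            "UPDATE hot_wallet SET amount = amount - ? WHERE id = 1 AND amount >= ?",
            (amount, amount),
        )
        if cur.rowcount != 1:
            conn.execute("ROLLBACK")
            return "hot_wallet_limit"
        conn.execute("COMMIT")
        return "ok"
    except Exception:
        conn.execute("ROLLBACK")
        raise


def demo():
    """Walk through a replayed request, an overdraft attempt and the hot wallet cap."""
    conn = init_db()
    deposit(conn, "alice", 300.0)   # constructed balances
    deposit(conn, "bob", 1000.0)
    results = [
        withdraw(conn, "req-1", "alice", 100.0),  # ok
        withdraw(conn, "req-1", "alice", 100.0),  # duplicate: same request_id again
        withdraw(conn, "req-2", "alice", 250.0),  # insufficient: only 200 left
        withdraw(conn, "req-3", "alice", 200.0),  # ok, hot wallet now holds 200
        withdraw(conn, "req-4", "bob", 300.0),    # hot_wallet_limit: bob's debit is rolled back
    ]
    return results, balance(conn, "alice"), balance(conn, "bob"), hot_wallet_balance(conn)


if __name__ == "__main__":
    print(demo())
```

The hot_wallet_limit branch is the cold wallet idea from the post expressed in code: even if every other check were bypassed, the site can only pay out what has been deliberately released from @hive-roller.safe, and bob's balance is left untouched because the whole transaction rolls back.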

It's been a long running joke on the Hive-Roller.com site that "the dev is shit", and this exploit, perhaps a testament to that statement, doesn't deter me from continuing forward and improving my code and project security. Ultimately it boils down to inadequate testing on my end, and for that I apologize to the community for not properly testing my code against things like the exploit that was used to carry out the withdrawal duplication hack.

This is why we alpha test, and moving forward the memory of this event will serve as an expensive albeit integral lesson on being 110% sure that live code accessible by the public has been tested to prevent unintended functionality. I've got a lot of work to do for the foreseeable future both on Hive-Roller.com and on the other projects I'm working on, so I'll pivot my focus over to coding here and let everyone else get back to their routine. Thank you for reading, voting and supporting. <3

I'll be posting periodic updates on the progress of repayment just to keep everyone in the loop.


Vote KLYE for Witness, Every Single Vote Helps, Thanks for the Support!

Need to get in Contact with KLYE?
Join the Official #KLYE Discord Server Today!

Looking for an Affordable, Secure & Reliable Server Host for Your Witness Server or Other Web Related Projects? Check out Privex.io!
