+$50-Million Dollars, Gone In A Flash
He was on our Discord channel. Actually trash-talking the entire community.
Having just stolen more than $50 million worth of XHV, our protocol token, it was more than shocking to see.
The entire core team was working at lightning speed to patch the exploit that this hacker had found, alongside a community that was banding together to gain as much insight as possible.
This is the true story of how a small, dedicated team and a tight-knit community resolved a $50-million-plus hack in less than five days and managed to push privacy and stablecoins forward in a big way.
But to understand why XHV was targeted, first, we must go back.
The Journey Begins
We’ve got to start with a question. Have you ever considered the following:
If you wanted to protect your crypto gains from volatility how would you do so?
A stablecoin, right? A simple answer to a straightforward question.
But as you may know, stablecoins are centralized, and are (supposedly) backed by US dollars in a centralized bank account. They are controlled by centralized organizations that can freeze wallets and funds if required. This is not theory; it has been done a number of times before in various capacities.
Keeping this in mind, if we ask the same question but include privacy in the equation, the question gets far more complex, and the answer becomes far harder to give.
If you wanted to protect your crypto gains from volatility, and maintain your privacy, how would you do so?
Monero, for all its brilliant programming, suffers from the same volatility challenge that Bitcoin, Ethereum, and other cryptocurrencies do.
And this is where I found myself in 2017, after my first exposure to cryptocurrency investing.
It was this question that led me to the Haven Protocol. It was this question that led me to eventually drop everything I was doing and dive into the project with all my energy. And so, after nearly three years of hard work, seeing the hacker who threatened everything trash-talking our community on our Discord channel, I was more than stressed.
(You can still see the conversation between the hacker and one of our core team members on Discord: simply go to the channel marked #hackers.)
The Attack
Accomplishing an attack of this level is no easy feat.
Code is written, tested, deployed, and patched on a regular basis. In the blockchain world, this is doubly true, as was the case with the Haven Protocol.
But as any developer can attest to, writing code is hard. There are foreseen problems that can be solved before deployment, and unforeseen problems that only emerge once your code has exposure to the ‘real world’. A community of developers is critical to the success of any project, which is especially true with a decentralized autonomous organization (DAO) project which Haven aspires to be.
While our community is vast and strong, we made the mistake of not leveraging it enough during our rapid development. We made the mistake of not expanding our Bug Bounty Program, and instead, like a traditional Web 2.0 company, we relied on a small core team. As such, we missed a small but critical vulnerability.
The hacker, who was now taunting the entire community in our Discord channel, figured this out, and used it to his advantage. He was good. Very good.
By leveraging a weakness in the code, the hacker was able to modify the code base, changing the miner reward. Drastically increasing the block reward meant it was possible to mint far more than should have been due, and the hacker took advantage of this.
As an aside, while transactions on Haven are private and encrypted, block rewards paid to miners are not. Thus the drastic increase in reward value for this specific miner was plainly visible.
Furthermore, the hacker figured out that there was another angle of attack – modifying the codebase to allow for the counterfeit creation of tokens. This was also done, as we uncovered over the next five days.
Once all was said and done, the combined value of the attack was worth over $50 million in tokens, and threatened the entire Haven Protocol project.
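The two angles described above (an inflated miner reward, and tokens minted without matching value being burned) are both detectable from public chain data. The following is an added example, not Haven's code: it audits a constructed chain of blocks against an assumed emission schedule and an assumed mint-equals-burn-at-oracle-price rule, and flags the blocks that violate either. The `Block` fields, `expected_reward` schedule and `ATOMIC` scale are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

ATOMIC = 10**12  # constructed unit scale; not Haven's real precision


@dataclass
class Block:
    height: int
    coinbase: int         # miner reward actually paid (public even on a privacy chain)
    burned_xhv: int       # XHV destroyed by conversions in this block (assumed field)
    minted_xusd: int      # xUSD created by conversions in this block (assumed field)
    xhv_usd_price: float  # oracle price used for those conversions (assumed field)


def expected_reward(height: int) -> int:
    """Constructed emission schedule: 10 XHV per block, halving every 1000 blocks.
    Placeholder only; Haven's real emission curve is different."""
    return (10 * ATOMIC) >> (height // 1000)


def audit_block(b: Block, tolerance: float = 0.001) -> List[Tuple[int, str, int, int]]:
    """Return (height, finding, actual, expected) tuples for anything that violates
    the consensus invariants: coinbase must not exceed the schedule, and value
    minted must equal value burned at the oracle price."""
    findings = []
    exp = expected_reward(b.height)
    if b.coinbase > exp:
        findings.append((b.height, "inflated_coinbase", b.coinbase, exp))
    # Value conservation: burned XHV * price must equal minted xUSD (within tolerance).
    expected_mint = int(b.burned_xhv * b.xhv_usd_price)
    if abs(b.minted_xusd - expected_mint) > tolerance * max(expected_mint, 1):
        findings.append((b.height, "mint_burn_mismatch", b.minted_xusd, expected_mint))
    return findings


def audit_chain(blocks: List[Block]) -> List[Tuple[int, str, int, int]]:
    out = []
    for b in blocks:
        out.extend(audit_block(b))
    return out


# Constructed sample chain: one honest block, one inflated reward, one counterfeit mint.
SAMPLE_CHAIN = [
    Block(1500, 5 * ATOMIC, 100 * ATOMIC, 50 * ATOMIC, 0.5),
    Block(1501, 5_000 * ATOMIC, 0, 0, 0.5),
    Block(1502, 5 * ATOMIC, 10 * ATOMIC, 5_000 * ATOMIC, 0.5),
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```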
The Response
If you’re wondering what it’s like to experience a situation like this, it’s like staring over a cliff and seeing only darkness. Your stomach sinks as everything around you can be gone in an instant. But the feeling is mixed with pride and confidence, which I’ll explain in a moment.
We have to remember that, as a project moving towards becoming a DAO, the entire core team has come together to work on an idea. The idea – private, stable cryptocurrency – is something that everyone believes in. The team has come from all corners of the globe and many walks of life, and has forgone opportunities in business, in careers, and with family to work on this project together.
To see everyone’s hard work threatened in an instant was a massive reality check.
But there was a tremendous sense of pride and confidence at the same time.
Because every single person on the core team was dialed into solving the problem, some were pulling 20-hour shifts to patch code, and correct mistakes. Not a single team member wavered, gave up, or showed signs of quitting. Ever.
And that gave everyone confidence to quickly respond, admit mistakes, and take action to secure the future of the project.
The core team worked tirelessly to develop a patch that could be deployed within hours. The community held strong together, extracting as much information as possible from the hacker. Exchange partners like KuCoin, TradeOgre, and Bittrex worked closely with our team to lock addresses and restrict our token movements.
These difficult decisions were presented to and led by the community. Together, the community decided that it was best for the outcome of the project to go as far as rolling back the blockchain – and reinstating the stolen funds.
Haven on the Horizon
Developing a project from ground zero, with no outside funding, and then having it all threatened in an instant is an extremely difficult situation to face. Understanding that some of the challenges were due to your own oversight is even more challenging. It is how a project bounces back (if it does), and how it adjusts, that determines the outcome in the future.
And our lessons?
- We have instituted a number of new security measures, including developing an entirely new validation process.
- We have opened up a $100,000 Bug Bounty Program.
- We have contracted Cypher Stack to audit both the Mint and Burn Validation maths and the new code.
- We are leveraging our community of experts to help with areas like penetration testing and more.
While that future is still being written, we believe that recovering from a $50-million-plus hack has made our code, community, and core purpose far stronger.
A decentralized, stable and private cryptocurrency, we believe, is extremely important for our financial future. A Haven for those who believe in financial sovereignty.
Epilogue
Why fight so hard for a protocol? For an idea? For financial privacy?
Because we believe privacy should be everyone’s sovereign individual right.
Regardless of whether you seek privacy in how you decide to live your life, who you decide to spend it with, or what you decide to spend it on, privacy is something that should be in your control.
One of the challenging aspects of cryptocurrency is that while it does offer a world of opportunity for those who are willing to dive in, most of what happens on the blockchain is traceable. Traceable to a very accurate degree.
This threatens everyone’s ability to maintain financial sovereignty.
And while cryptocurrencies like Monero offer users a fantastic way to protect their transactions from prying eyes, until the Haven Protocol emerged, none offered security in stablecoin or stable-asset form.
This is what Haven aims to provide. Financial privacy in stablecoin form.
I believed this was, and still is, an idea worth fighting for.
Bio:
AHawk discovered Haven Protocol in 2018 and has been a community leader for the project since 2019. As a crypto investor and enthusiast, he believes the concept of a Monero-based private stablecoin ecosystem will truly revolutionize how people protect their financial privacy and interact with crypto in the years ahead. You can learn more about the Haven Protocol and the community by going here: https://havenprotocol.org/