Post-mortem Report: FIS Taken from the Treasury via the Governance Process

Abstract

On July 30th, a transaction was detected in which FIS was bridged from StaFi Chain to Ethereum. By tracing the transactions made from that address, we found that associated StaFi addresses had registered as members of the governance system and applied for 3 TIPS from the Treasury via the governance process. These TIPS allocated a total of 2,636,440 FIS to them. The tipped FIS was subsequently bridged to Ethereum and traded on Uniswap. At present, 1,310,600 FIS (about $370k) remain in the said address. The proposals submitted by this address bear no relevance to the protocol; their sole purpose was to obtain FIS from the treasury without any genuine contribution. Regrettably, all 3 TIPS applications were granted.

In response to this incident, we have suspended member registration in the governance module, and no further TIPS will be granted from the treasury. The team has carried out an extensive review and can confirm that no vulnerabilities were found in the rToken and FIS contracts.

Specifics

1. Governance candidacy registration:

Addresses 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV and 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G registered as candidates on 2023-07-13 by calling the ‘submit_candidacy’ function in the election module.

Tx1 at 2023-07-13 04:42:06 (UTC)

Tx2 at 2023-07-13 06:22:12 (UTC)

2. Voting:

The ‘vote’ function of the election module was then invoked in several transactions:

Tx1 at 2023-07-13 05:24:42 (UTC)

Tx2 at 2023-07-13 05:47:36 (UTC)

Tx3 at 2023-07-13 06:23:36 (UTC)

Tx4 at 2023-07-13 06:24:00 (UTC)

3. Member election:

The governance election is triggered once every 28 days. Addresses 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV and 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G were elected as members at block height 14918400 (2023-07-13 06:37:18 UTC).

4. TIP application:

As a member of the governance system, the address 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G was entitled to invoke the ‘tip_new’ function in the treasury module. It executed 3 transactions requesting tips to be transferred from the treasury to the address 346o2VZL3WNhWrtZGh94pctcr8dtDVdyuHwHfwWEJqSQTAVj.

Tx1 at 2023-07-19 13:47:42 (UTC)

Tx2 at 2023-07-21 04:54:54 (UTC)

Tx3 at 2023-07-28 20:20:30 (UTC)

5. TIP withdrawal:

The address 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV then called the ‘close_tip’ function in the treasury module in 3 transactions, withdrawing all tips to the address 346o2VZL3WNhWrtZGh94pctcr8dtDVdyuHwHfwWEJqSQTAVj. A total of 2,636,638 FIS were withdrawn, as seen in the transactions below.

Tx1 at 2023-07-20 13:52:42 (UTC)

Tx2 at 2023-07-22 05:19:42 (UTC)

Tx3 at 2023-07-29 20:23:36 (UTC)

6. The individuals controlling the address gradually bridged the FIS from StaFi Chain to Ethereum. Currently, 1,310,600 FIS remain in the account 0x908fd382f5fdfad8a521d73e18106e40e51554df.

7. Membership removal:

Addresses 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV and 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G executed transactions resulting in the removal of their membership from the governance module.

Tx1 at 2023-07-30 00:17:54 (UTC)

Tx2 at 2023-07-30 00:18:48 (UTC)

8. Contact attempts:

Efforts are currently being made to establish communication with the owner of the address. The following transactions record our attempts:

Tx1

https://etherscan.io/tx/0xd90a584da302b5603bcdf5c299c2d5ca3c63d3fd3c957941b9a4aceac1e8a21c

Tx2

https://etherscan.io/tx/0xa53f690f4b9c7b9ea7157566e4e8c0d6155be4d353aa80216c9f6bcd4ffa2e60

Immediate Remedial Actions

Upon discovering these transactions, the StaFi development team promptly revoked the memberships of both addresses from the governance module. This immediate action prevents any further FIS from being obtained through tipping by these addresses.

The next governance election is scheduled to be triggered in 10 days. In preparation, our team has updated StaFi’s runtime and disabled the relevant governance modules. This means that no further governance transactions will be executed until the governance system is fully reopened to the community.

Meanwhile, the development team is actively reaching out to the alleged offenders and seeking support from the security team. More information will be shared as it becomes available.

Security

A thorough security review by our team confirms that no security vulnerabilities or issues were detected in the rToken and FIS contracts.

Reasons

What is the governance model and how did this happen?

The governance module was launched alongside the other chain modules in 2020 and built with Substrate. It has the authority to determine how the treasury is used through grants: once elected as a member of the governance module, one gains the right to apply for tips from the treasury. StaFi’s initial roadmap, set at genesis, implied a gradual opening of the governance process to the community; hence the parameters were set with a requirement (10,000 FIS) intended to deter proposals until its official launch.

Because any member is allowed to apply for tips permissionlessly, the thief exploited this weakness simply by registering as a candidate. In that particular election epoch there were no other candidates or members, allowing the thief to be elected unopposed.

Unfortunately, the election epoch, which typically lasts 28 days, went unnoticed by the community and even by the development team, due to the prevailing belief that governance was still closed.
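The sequence described above (an uncontested election of a fresh cohort, tips opened and closed by members of that cohort, cumulative treasury outflow to a single beneficiary, then immediate exit from the council) is visible in the chain's own call history. The following is an added example, not StaFi's code: a Python replay of a governance/treasury call log over a constructed sample that mirrors this report's timeline. The call names submit_candidacy, vote, tip_new and close_tip are the ones the report names; the pallet names, the record schema, the synthetic ‘new_term’ record standing in for the election event, the seat count, the ‘renounce_candidacy’ call, the alert thresholds and the per-tip amounts are assumptions.

```python
"""Governance/treasury call-log replay that flags the pattern in this report.

Added example; not StaFi's code. The record schema, pallet names, the synthetic
'new_term' record (what an indexer would emit when the 28-day election runs), the
seat count, the 'renounce_candidacy' call and the per-tip amounts are assumptions.
The call names submit_candidacy / vote / tip_new / close_tip are from the report.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ALICE = "33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV"  # registered, closed the tips
BOB = "32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G"    # registered, opened the tips
CAROL = "346o2VZL3WNhWrtZGh94pctcr8dtDVdyuHwHfwWEJqSQTAVj"  # tip beneficiary


@dataclass(frozen=True)
class Call:
    ts: datetime   # block time, UTC
    signer: str    # "" for a synthetic indexer record
    pallet: str
    call: str
    args: dict = field(default_factory=dict)


def t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample following the report's timeline; tip amounts (FIS) are illustrative.
SAMPLE = [
    Call(t("2023-07-13 04:42:06"), ALICE, "elections", "submit_candidacy"),
    Call(t("2023-07-13 05:24:42"), ALICE, "elections", "vote", {"votes": [ALICE, BOB]}),
    Call(t("2023-07-13 06:22:12"), BOB, "elections", "submit_candidacy"),
    Call(t("2023-07-13 06:23:36"), BOB, "elections", "vote", {"votes": [ALICE, BOB]}),
    Call(t("2023-07-13 06:37:18"), "", "elections", "new_term", {"members": [ALICE, BOB], "seats": 13}),
    Call(t("2023-07-19 13:47:42"), BOB, "treasury", "tip_new", {"who": CAROL, "value": 800_000, "reason": "r1"}),
    Call(t("2023-07-20 13:52:42"), ALICE, "treasury", "close_tip", {"reason": "r1"}),
    Call(t("2023-07-21 04:54:54"), BOB, "treasury", "tip_new", {"who": CAROL, "value": 900_000, "reason": "r2"}),
    Call(t("2023-07-22 05:19:42"), ALICE, "treasury", "close_tip", {"reason": "r2"}),
    Call(t("2023-07-28 20:20:30"), BOB, "treasury", "tip_new", {"who": CAROL, "value": 936_440, "reason": "r3"}),
    Call(t("2023-07-29 20:23:36"), ALICE, "treasury", "close_tip", {"reason": "r3"}),
    Call(t("2023-07-30 00:17:54"), ALICE, "elections", "renounce_candidacy"),
    Call(t("2023-07-30 00:18:48"), BOB, "elections", "renounce_candidacy"),
]


def detect(calls, outflow_cap=1_000_000, window=timedelta(days=30)):
    """Replay calls in block order; return (alerts, total FIS paid per beneficiary).

    outflow_cap and window are illustrative policy thresholds, not chain parameters.
    """
    alerts = []
    candidates, members, prev_members = set(), set(), set()
    open_tips = {}              # reason -> the tip_new call that opened it
    paid = defaultdict(list)    # beneficiary -> [(close time, value)]
    last_touch = {}             # signer -> time they last opened or closed a tip
    for c in sorted(calls, key=lambda x: x.ts):
        if c.pallet == "elections" and c.call == "submit_candidacy":
            candidates.add(c.signer)
        elif c.pallet == "elections" and c.call == "new_term":
            prev_members, members = members, set(c.args["members"])
            # Every candidate wins when there are no more candidates than seats.
            if len(candidates) <= c.args["seats"]:
                alerts.append(("UNOPPOSED_ELECTION",
                               f"{len(candidates)} candidate(s) for {c.args['seats']} seats"))
            # A council with no incumbents has nobody to contest a fresh cohort's tips.
            if not members & prev_members:
                alerts.append(("FULL_TURNOVER", "no incumbent member carried over"))
            candidates = set()
        elif c.pallet == "elections" and c.call == "renounce_candidacy":
            if c.signer in last_touch and c.ts - last_touch[c.signer] <= window:
                alerts.append(("EXIT_AFTER_PAYOUT",
                               f"{c.signer[:8]}... left {c.ts - last_touch[c.signer]} after a tip"))
        elif c.pallet == "treasury" and c.call == "tip_new":
            open_tips[c.args["reason"]] = c
            last_touch[c.signer] = c.ts
        elif c.pallet == "treasury" and c.call == "close_tip":
            opened = open_tips.pop(c.args["reason"])
            who, value = opened.args["who"], opened.args["value"]
            paid[who].append((c.ts, value))
            last_touch[c.signer] = c.ts
            # Rolling-window outflow to one beneficiary, not a per-tip check.
            recent = sum(v for ts, v in paid[who] if c.ts - ts <= window)
            if recent > outflow_cap:
                alerts.append(("OUTFLOW_CAP",
                               f"{recent:,} FIS to {who[:8]}... within {window.days} days"))
    totals = {who: sum(v for _, v in rows) for who, rows in paid.items()}
    return alerts, totals


if __name__ == "__main__":
    found, totals = detect(SAMPLE)
    for rule, detail in found:
        print(f"{rule:19} {detail}")
    print("paid:", {w[:8] + "...": v for w, v in totals.items()})
```

On the sample, the rules fire in the order the incident unfolded: the uncontested term and full turnover on 2023-07-13, the outflow cap on the second and third close_tip, and the exit alert for both members on 2023-07-30. In a live deployment the records would be decoded from block extrinsics (for example with substrate-interface) and the thresholds set from the treasury's real parameters; the point is that each step was already visible on-chain weeks before the bridge transaction that eventually drew attention.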

Potential Impact

As the associated address may be unable to trade FIS on CEXs, the Uniswap ETH/FIS pool may be the primary venue used to sell the FIS. Because of the pool’s limited liquidity, its liquidity providers could be affected. We encourage liquidity providers to monitor the FIS pool closely and withdraw their liquidity if they deem it necessary.

Following Actions

Continue to connect

Our development team will continue to attempt to communicate with the thief and will work closely with the security team to recover the stolen FIS. At the same time, we will monitor the associated addresses to track the movement of the tokens.

StaFi Governance

In the coming months, the governance module will be gradually reopened to the community. StaFi DAO has made significant strides toward launching its governance model, and it will be fully opened in due time.

Enhance asset security monitoring

We will enhance our monitoring of DAO-related asset security, proactively identifying and addressing potential vulnerabilities and security issues.

Building as always

Despite the numerous exploits seen across the industry in the current bear market, we continue to prioritize security. Thanks to robust development practices, no vulnerabilities have been discovered in StaFi in the last three years.

Visit our forum for more information on our future plans.

After contacting the address owners, we learned the following:

  1. They claim to be an anonymous builder team and supporters of StaFi, and that the proposals submitted for Treasury Tips were mainly intended to help fund a StaFi audit and marketing.
  2. The anonymous team had found an issue in the member election of the governance module; the FIS tips were to cover the audit cost, and we agreed to treat those tips as a bug bounty.
  3. The remaining FIS from the marketing proposal will be returned to the Treasury via an ERC20 address, 0x5fD0eBdFe0b70E70487FC0BebA82131F3FE8C65F, controlled by the StaFi team. Once the FIS is received, it will be bridged back to the treasury address.

Update:

The remaining funds have been returned: https://etherscan.io/tx/0xc9ab19c34c884abc871d13baa812dbb6ec81f2dbe4e28800a8e3d7788fb8d499


Yes, but they still took over 300,000 dollars. Is the cost too high?

Thank you @Liam for the transparent communication surrounding this issue. I appreciate it, but it is unfortunate that the transactions were not discovered earlier to prevent the withdrawal of treasury funds.

I don’t believe the hackers’ claim that they use the tips to help Stafi with audits and marketing. The regular way would have been to transparently submit a governance proposal for the community to discuss.

Update:

The returned funds have all been bridged back to the treasury address; see the transaction below:

Yes, they claimed it was, and that’s the only term they asked for if we wanted the remainder back. I talked to them; they should have raised a proposal on-chain, however it did not work. Lesson learned from it.

As we are now gradually stepping toward the opening of governance, we will see a more decentralized StaFi network, where community members have the right to determine the usage of the treasury: simple, transparent and democratic.

The vote system has been integrated according to the recent change of the FIS tokenomics; let’s see.


Imo it is a case for law enforcement, as it is blatant theft, whatever else they claim. There are precedents of hackers exploiting a vulnerability and then claiming to have used the protocol as intended. Law enforcement disagrees, as can be seen here for instance: