Abstract
On July 30th, a transaction was detected in which FIS was bridged from StaFi Chain to Ethereum. By tracing the transactions made from this address, we discovered that associated StaFi addresses had registered as members of the governance system and applied for 3 TIPS from the Treasury through the governance process. These TIPS allocated a total of 2,636,440 FIS tokens to them. The tipped FIS was subsequently bridged to Ethereum and traded on Uniswap. At present, 1,310,600 FIS (about $370k) remain in the said address. The proposals submitted by this address bear no relevance to the protocol; their sole purpose was to obtain FIS from the treasury without any genuine contribution. Regrettably, all 3 TIPS applications were granted.
In response to this incident, we have suspended member registration within the governance module, and no further TIPS will be granted from the treasury. The team has carried out an extensive review and can confirm that no vulnerabilities have been found in the rToken and FIS contracts.
Specifics
1. Governance Candidacy Registration:
Addresses 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV and 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G registered as candidates (at 2023-07-13 04:42:06 and 06:22:12 UTC respectively) by calling the ‘submit_candidacy’ function of the elections module.
Tx1 at 2023-07-13 04:42:06 (UTC)
Tx2 at 2023-07-13 06:22:12 (UTC)
2. Voting:
The ‘vote’ function of the elections module was invoked in several transactions:
Tx1 at 2023-07-13 05:24:42 (UTC)
Tx2 at 2023-07-13 05:47:36 (UTC)
Tx3 at 2023-07-13 06:23:36 (UTC)
Tx4 at 2023-07-13 06:24:00 (UTC)
3. Member election:
The governance election is triggered once every 28 days. Addresses 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV and 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G were elected as members at block height 14918400 (2023-07-13 06:37:18 UTC).
4. TIP Application:
As a member of the governance system, the address 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G was entitled to invoke the ‘tip_new’ function of the treasury module. It executed 3 transactions requesting tips to be paid from the treasury to the address 346o2VZL3WNhWrtZGh94pctcr8dtDVdyuHwHfwWEJqSQTAVj:
Tx1 at 2023-07-19 13:47:42 (UTC)
Tx2 at 2023-07-21 04:54:54 (UTC)
Tx3 at 2023-07-28 20:20:30 (UTC)
5. TIP Withdrawal:
The address 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV then called the ‘close_tip’ function of the treasury module in 3 transactions, paying out all tips to the address 346o2VZL3WNhWrtZGh94pctcr8dtDVdyuHwHfwWEJqSQTAVj. A total of 2,636,638 FIS was withdrawn, as shown in the transactions below.
Tx1 at 2023-07-20 13:52:42 (UTC)
Tx2 at 2023-07-22 05:19:42 (UTC)
Tx3 at 2023-07-29 20:23:36 (UTC)
6. Bridging to Ethereum:
The individuals controlling the address gradually bridged the FIS from StaFi Chain to Ethereum. Currently, 1,310,600 FIS remain in the Ethereum account 0x908fd382f5fdfad8a521d73e18106e40e51554df.
7. Membership removal:
Addresses 33AQo28a2JstGdTUsn6Q76wz6pLD6o9aEU1yCk7SxBtJg2NV and 32D6onBSF5iu5L4RGxfxGuQEQ7emvsmUEdTTj9xqtDFMi27G executed transactions that removed their memberships from the governance system.
Tx1 at 2023-07-30 00:17:54 (UTC)
Tx2 at 2023-07-30 00:18:48 (UTC)
8. Contact attempts:
Efforts are under way to establish communication with the owner of the address. The following transactions record our attempts:
Tx1
https://etherscan.io/tx/0xd90a584da302b5603bcdf5c299c2d5ca3c63d3fd3c957941b9a4aceac1e8a21c
Tx2
https://etherscan.io/tx/0xa53f690f4b9c7b9ea7157566e4e8c0d6155be4d353aa80216c9f6bcd4ffa2e60
Immediate Remedial Actions
Upon discovering these transactions, the StaFi Development Team promptly revoked the memberships of both addresses from the governance module. This prevents any further FIS from being obtained from the treasury through tipping.
The next governance election is scheduled to be triggered in 10 days. In preparation, our team has updated StaFi’s runtime and disabled the related governance modules, so no further governance transactions will be executed until the governance system is fully reopened to the community.
The development team is also actively reaching out to the alleged offenders and seeking support from the security team. More information will be shared as it becomes available.
Security
A thorough security review made by our team confirms that there are no security vulnerabilities or issues detected within rToken and FIS contracts.
Reasons
What is the governance module and how did this happen?
The governance module was launched alongside the other chain modules in 2020. It is built with Substrate and has the authority to decide how the treasury is spent through grants. Anyone elected as a member of the governance module gains the right to apply for tips from the treasury. StaFi’s initial roadmap, set at genesis, envisaged a gradual opening of the governance process to the community, so its parameters were set with a requirement (10,000 FIS) intended to deter proposals until the official launch.
Because any member can apply for tips permissionlessly, the thief exploited this weakness by registering as a candidate. In the election epoch in which they applied there were no other candidates or members, so the two addresses were elected unopposed.
Unfortunately, because governance was widely believed to be still closed, the election, which runs on a 28-day epoch, went unnoticed by both the community and the development team.
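To make the pattern concrete, the following Python script is an added example (not StaFi's code or its monitoring) that replays a constructed extrinsic log modelled on the timeline above and raises the four signals a treasury monitor could have produced: an election in which every candidate was seated, a tip proposed by a member seated that way, a payout to a beneficiary linked by direct transfers to the member who opened or closed the tip, and cumulative payouts to one beneficiary above a budget. The labels A, B and C stand for the three StaFi addresses in this post; the per-tip amounts, the seat count, the record layout and the `max_payout` budget are assumptions of the example, and the call names follow Substrate's elections and tips pallets.

```python
from collections import defaultdict

# Constructed extrinsic log in chronological order, modelled on the timeline in
# this post. A = 33AQo…, B = 32D6o…, C = 346o2…; X and Y are unrelated addresses.
# The per-tip amounts (chosen to sum to the 2,636,638 FIS withdrawn), the seat
# count and the record layout are assumptions of this example, not StaFi's schema.
SAMPLE_LOG = [
    {"ts": "2023-07-13 04:42:06", "call": "elections.submit_candidacy", "signer": "A"},
    {"ts": "2023-07-13 05:24:42", "call": "elections.vote", "signer": "A", "votes": ["A", "B"]},
    {"ts": "2023-07-13 06:22:12", "call": "elections.submit_candidacy", "signer": "B"},
    {"ts": "2023-07-13 06:37:18", "call": "elections.new_term",
     "candidates": ["A", "B"], "elected": ["A", "B"], "seats": 7},
    {"ts": "2023-07-19 13:47:42", "call": "tips.tip_new", "signer": "B", "who": "C", "amount": 1_000_000},
    {"ts": "2023-07-20 13:52:42", "call": "tips.close_tip", "signer": "A", "who": "C", "amount": 1_000_000},
    {"ts": "2023-07-21 04:54:54", "call": "tips.tip_new", "signer": "B", "who": "C", "amount": 800_000},
    {"ts": "2023-07-22 05:19:42", "call": "tips.close_tip", "signer": "A", "who": "C", "amount": 800_000},
    {"ts": "2023-07-25 10:00:00", "call": "balances.transfer", "signer": "C", "to": "A", "amount": 5},
    {"ts": "2023-07-28 20:20:30", "call": "tips.tip_new", "signer": "B", "who": "C", "amount": 836_638},
    {"ts": "2023-07-29 20:23:36", "call": "tips.close_tip", "signer": "A", "who": "C", "amount": 836_638},
    {"ts": "2023-08-01 12:00:00", "call": "balances.transfer", "signer": "X", "to": "Y", "amount": 20},
]


class Clusters:
    """Minimal union-find over addresses. Two addresses land in one cluster when
    funds move directly between them, mirroring how the post found the
    'associated addresses' by following transfers."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def linked(self, a, b):
        return self.find(a) == self.find(b)


def analyze(log, max_payout=1_000_000):
    """Replay `log` and return a list of alert tuples (rule, timestamp, ...).
    Rules R1-R4 are this example's proposed detections, not StaFi's monitoring;
    `max_payout` (FIS one beneficiary may receive per review window) is an
    assumed policy knob."""
    clusters = Clusters()
    for ev in log:  # pass 1: build address clusters from direct transfers
        if ev["call"] == "balances.transfer":
            clusters.union(ev["signer"], ev["to"])

    alerts = []
    uncontested = set()        # members seated without a contested vote
    proposer = {}              # open tip beneficiary -> member who opened it
    paid = defaultdict(int)    # beneficiary -> cumulative treasury payout

    for ev in log:  # pass 2: evaluate the rules in chronological order
        call = ev["call"]
        if call == "elections.new_term":
            # R1: every candidate got a seat, so no vote could have kept them out.
            if len(ev["candidates"]) <= ev["seats"]:
                uncontested.update(ev["elected"])
                alerts.append(("R1_UNOPPOSED_ELECTION", ev["ts"], sorted(ev["elected"])))
        elif call == "tips.tip_new":
            proposer[ev["who"]] = ev["signer"]
            # R2: a treasury tip proposed by a member nobody voted against.
            if ev["signer"] in uncontested:
                alerts.append(("R2_UNCONTESTED_TIPPER", ev["ts"], ev["signer"], ev["who"]))
        elif call == "tips.close_tip":
            who, closer = ev["who"], ev["signer"]
            opener = proposer.pop(who, None)
            paid[who] += ev["amount"]
            # R3: the beneficiary shares a cluster with the member who opened or
            # closed the tip, i.e. the treasury is paying the tippers themselves.
            if any(clusters.linked(who, m) for m in (opener, closer) if m):
                alerts.append(("R3_LINKED_BENEFICIARY", ev["ts"], who, opener, closer))
            # R4: cumulative payouts to one beneficiary exceed the budget.
            if paid[who] > max_payout:
                alerts.append(("R4_PAYOUT_OVER_BUDGET", ev["ts"], who, paid[who]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

In a real deployment the log would come from a chain indexer rather than an inline list, and the rules would page an operator rather than print. Note the timing: R1 fires at the election on 2023-07-13, six days before the first tip_new, so an unopposed-election alert alone would have given the team time to revoke the memberships before any treasury funds moved; R3 depends on the later transfer that links C to A, which is why it is evaluated over the whole log rather than event by event.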
Potential Impact
Since the associated address may be unable to trade FIS on CEXs, the Uniswap ETH/FIS pool may be its primary venue for selling FIS. Because of that pool's limited liquidity, its liquidity providers could be affected. We encourage liquidity providers to monitor the FIS pool closely and withdraw their liquidity if they deem it necessary.
Following Actions
Continue to connect
Our development team will continuously attempt to communicate with the thief and work closely with the security team to recover the stolen FIS. Simultaneously, we will monitor the associated addresses to track the movement of tokens.
StaFi Governance
In the upcoming months, the governance model will be gradually reopened to the community. StaFi DAO has made significant strides in launching its governance model, and it will be fully opened in due time.
Enhance asset security monitoring
We will enhance our monitoring of DAO-related asset security, proactively identifying and addressing potential vulnerabilities and security issues.
Building as always
Despite the numerous exploits seen in the current bear market, we continue to prioritize security. Thanks to robust development practices, no vulnerabilities have been discovered in StaFi in the last three years. This is a testament to the security that such practices bring to the StaFi ecosystem.
Visit our forum for more information on our future plans.