TL;DR: I’m an idiot and used a compromised wallet for worker/rep payout. Attacker took funds and has 0.25% REP on account 0x6Af697B19f074d0366a186589F8053a1E32a31F4. Proposal is to reimburse my $3700 xDai to a clean, uncompromised wallet as a one-time courtesy, and to burn the REP that is now in the hands of a bad actor.
Hey, everyone. So this is a really embarrassing situation:
About 4 months ago I accidentally uploaded my MetaMask seed phrase to GitHub for about 10 seconds. I kept ~$150 in an account on this MetaMask keyring to see if it was actually compromised, because I assumed a hacker would take that $150 to realize profits for their efforts. Months passed, and the money was left untouched, so I went ahead and assumed I was safe to use this wallet to receive my worker payments through xDai.
I made my proposal on xDai, it was approved, and I went forward with calling the contract’s function to have money sent to my xDai wallet. Everything was going fine. I signed the message approving the withdrawal from xDai to Mainnet, where I would then claim my worker payment. I needed to send myself gas, so I did. Transaction approved. I tried to do the transfer, but it said insufficient funds. I thought maybe there was a bug with xDai or some strange UI issue going on. I sent gas again. Gone.
I checked Etherscan for my wallet address 0x6Af697B19f074d0366a186589F8053a1E32a31F4 and realized the money was immediately being sent out from my wallet one block after it was deposited. Someone had indeed compromised my wallet when I accidentally uploaded it to GitHub months ago. Now the question was, how can I front-run this bot and get my gas sent + withdrawal in one tx? I needed a smart contract to execute these function calls simultaneously, since a single EOA can only call one tx at a time on Ethereum. I messaged a friend, but they weren’t online yet.
Unfortunately, by the time I woke up this morning and checked the status of my xDai withdrawal, it said “Transferred”. This transfer was to an EOA owned by the hacker; he must have seen the failed txs and realized what I was trying to do. He sent me gas, executed the xDai withdrawal, and then his bot immediately drained my wallet again to send it off to his.
Important to know: The attacker has 0.25% REP on xDai under account 0x6Af697B19f074d0366a186589F8053a1E32a31F4. Should we burn it?
I’m aware this is entirely my fault and I should have taken more precautions considering that I was using a compromised wallet. I explained my situation to @sky, though, and he recommended I speak with some other community members to get their thoughts on a reimbursement. I messaged @geronimo explaining the situation and he told me to take it to the community, which is what I’m doing now. I assume full responsibility for the lost funds. I only propose this reimbursement as a one-time courtesy. $3,700 is a lot of money to me and I rely on these payments to support my family.
I know the nature of crypto is that we are all wholly responsible for our own keys and money, and if we mess up, that’s on us. I take no offense if this is not approved by the DXdao. Thanks for reading everyone!
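The post describes the telltale sign of a sweeper bot: funds leave the wallet one block after they arrive, while a small bait balance left for months was never touched. The following is an added example, not code from the original post or from DXdao, showing how a defender can check an address history for that pattern before trusting a key that may have leaked. Everything except the wallet address quoted in the post is constructed: the counterparties, the sink address and the transaction list are placeholders, and the history would normally come from a block explorer export.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Tx:
    """One value transfer as a block explorer would export it (constructed shape)."""
    block: int
    sender: str
    recipient: str
    value_wei: int

# Address quoted in the post; every other address below is a constructed placeholder.
WALLET = "0x6Af697B19f074d0366a186589F8053a1E32a31F4"
BAIT_FUNDER = "0x" + "b" * 40    # hypothetical source of the ~$150 bait deposit
GAS_FUNDER = "0x" + "c" * 40     # hypothetical source of the gas top-ups
SWEEPER_SINK = "0x" + "a" * 40   # hypothetical address the bot forwards funds to

ETH = 10**18
GAS_COST = 21000 * 10**9         # a plain transfer at 1 gwei, used to make sweeps realistic

# Constructed history mirroring the post: a small bait deposit that is left alone for
# hundreds of blocks, then two gas top-ups that each leave one block after they arrive.
SAMPLE_HISTORY: List[Tx] = [
    Tx(block=100, sender=BAIT_FUNDER, recipient=WALLET, value_wei=ETH // 10),
    Tx(block=500, sender=GAS_FUNDER, recipient=WALLET, value_wei=ETH // 100),
    Tx(block=501, sender=WALLET, recipient=SWEEPER_SINK, value_wei=ETH // 100 - GAS_COST),
    Tx(block=530, sender=GAS_FUNDER, recipient=WALLET, value_wei=ETH // 100),
    Tx(block=531, sender=WALLET, recipient=SWEEPER_SINK, value_wei=ETH // 100 - GAS_COST),
]

def find_sweeps(history: Iterable[Tx], wallet: str, max_block_gap: int = 1) -> List[Tuple[Tx, Tx]]:
    """Pair each inbound transfer with the first unused outbound transfer that follows
    it within max_block_gap blocks. A same-block outbound counts too, since a bot may
    land in the same block as the deposit."""
    wallet = wallet.lower()
    txs = sorted(history, key=lambda t: t.block)
    outbound = [t for t in txs if t.sender.lower() == wallet]
    used = set()
    sweeps: List[Tuple[Tx, Tx]] = []
    for dep in txs:
        if dep.recipient.lower() != wallet:
            continue
        for i, out in enumerate(outbound):
            if i in used:
                continue
            if dep.block <= out.block <= dep.block + max_block_gap:
                used.add(i)
                sweeps.append((dep, out))
                break
    return sweeps

def unswept_deposits(history: Iterable[Tx], wallet: str, max_block_gap: int = 1) -> List[Tx]:
    """Inbound transfers that were NOT followed by a fast outbound transfer. A non-empty
    result does not prove the key is safe: the bait deposit in the sample sits here."""
    swept = {dep for dep, _ in find_sweeps(history, wallet, max_block_gap)}
    return [t for t in history if t.recipient.lower() == wallet.lower() and t not in swept]

def sweeper_destinations(sweeps: List[Tuple[Tx, Tx]]) -> Dict[str, int]:
    """Count how many sweeps went to each destination address."""
    counts: Dict[str, int] = {}
    for _, out in sweeps:
        counts[out.recipient] = counts.get(out.recipient, 0) + 1
    return counts

def is_likely_compromised(history: Iterable[Tx], wallet: str,
                          min_sweeps: int = 2, max_block_gap: int = 1) -> bool:
    """Flag the wallet when repeated fast sweeps go to one destination. A single quick
    outbound transfer can be the owner's own activity; a run of them to the same
    address right after every deposit is the bot behaviour the post describes."""
    counts = sweeper_destinations(find_sweeps(history, wallet, max_block_gap))
    return any(n >= min_sweeps for n in counts.values())

if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_HISTORY, WALLET)
    print("sweeps detected:", len(sweeps))
    print("destinations:", sweeper_destinations(sweeps))
    print("untouched deposits:", [t.block for t in unswept_deposits(SAMPLE_HISTORY, WALLET)])
    print("likely compromised:", is_likely_compromised(SAMPLE_HISTORY, WALLET))
```

Run against the constructed history, the check reports two sweeps to one sink and flags the wallet, while the bait deposit at block 100 shows up as untouched. That is the point of the second function: a bot that ignores small balances leaves exactly the false sense of safety the post describes, so "the bait was never taken" is not evidence that a leaked seed phrase is unused.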