An expensive lesson in cybersecurity and proposal for reimbursement of stolen funds

TL;DR: I’m an idiot and used a compromised wallet for worker/rep payout. Attacker took funds and has 0.25% REP on account 0x6Af697B19f074d0366a186589F8053a1E32a31F4. Proposal is to reimburse my $3700 xDai to a clean, uncompromised wallet as a one-time courtesy, and to burn the REP that is now in the hands of a bad actor.

Hey, everyone. So this is a really embarrassing situation:
About 4 months ago I accidentally uploaded my MetaMask seed phrase to GitHub for about 10 seconds. I kept ~$150 in an account on this MetaMask keyring to see if it was actually compromised, because I assumed a hacker would take that $150 to realize profits for their efforts. Months passed, and the money was left untouched, so I went ahead and assumed I was safe to use this wallet to receive my worker payments through xDai.

I made my proposal on xDai, it was approved, I went forward with calling the contract’s function to have money sent to my xDai wallet. Everything is going fine. I sign the message approving for withdrawal from xDai to Mainnet where I would then claim my worker payment. I needed to send myself gas, so I did. Transaction approved. I tried to do the transfer, but it said insufficient funds. I thought maybe there was a bug with xDai or some strange UI issue going on. I sent gas again. Gone.

I checked Etherscan for my wallet address 0x6Af697B19f074d0366a186589F8053a1E32a31F4 and realized the money was immediately being sent out from my wallet one block after it was deposited. Someone had indeed compromised my wallet when I accidentally uploaded it to GitHub months ago. Now the question was, how can I front run this bot and get my gas sent + withdrawal in one tx? I needed a smart contract to execute these function calls simultaneously since a single EOA can only call one tx at a time on Ethereum. I messaged a friend, but they weren’t online yet.

Unfortunately, by the time I woke up this morning and checked the status of my xDai withdrawal, it said “Transferred”. This transfer was to an EOA owned by the hacker; he must have seen the failed txs and realized what I was trying to do. He sent me gas, executed the xDai withdrawal and then his bot immediately drained my wallet again to send it off to his.

Important to know: The attacker has 0.25% REP on xDai under account 0x6Af697B19f074d0366a186589F8053a1E32a31F4. Should we burn it?

I’m aware this is entirely my fault and I should have taken more precautions considering that I was using a compromised wallet. I explained my situation to @sky, though, and he recommended I speak with some other community members to get their thoughts on a reimbursement. I messaged @geronimo explaining the situation and he told me to take it to the community, which is what I’m doing now. I assume full responsibility for the lost funds. I only propose this reimbursement as a one-time courtesy. $3,700 is a lot of money to me and I rely on these payments to support my family.

I know the nature of crypto is that we are all wholly responsible for our own keys and money and if we mess up, that’s on us. I take no offense if this is not approved by the dxDao. Thanks for reading everyone!

1 Like
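The pattern described in the post (every inbound transfer leaves again one block later, always to the same destination, and at the end the attacker funds the gas himself) is mechanical enough to check for before a wallet with an exposure history is ever reused for a payout. The script below is an added example for this thread, not the poster's or DXdao's code: it walks a transaction list for a watched address and flags deposits that are swept out within a small block window, names the recurring destination as the bot's sink, and lists any inbound transfers that came from that sink. The only real value in it is the compromised address quoted above; the attacker's address is a placeholder and the transactions are constructed to mirror the sequence in the post.

```python
"""Spot a 'sweeper bot' in an address's transaction history.

Added example for this thread; transactions are constructed, not chain data.
The compromised address is the one quoted in the post; every other address
is a placeholder, since the thread does not give the attacker's destination.
"""
from collections import Counter

# Address quoted in the post as the compromised wallet.
COMPROMISED = "0x6Af697B19f074d0366a186589F8053a1E32a31F4"
# Placeholders (not real addresses): the bot's destination and a third party.
SINK = "0xATTACKER_PLACEHOLDER_0000000000000000000000"
OTHER = "0xSOMEONE_ELSE_PLACEHOLDER_00000000000000000"

# Constructed history: block, tx id, sender, recipient, value in wei.
TXS = [
    # ~$150 test deposit that the post says sat untouched for months.
    {"block": 100,  "hash": "0xa1", "from": OTHER,       "to": COMPROMISED, "value": 90_000_000_000_000_000},
    # Gas sent for the withdrawal, swept out one block later.
    {"block": 5000, "hash": "0xb1", "from": OTHER,       "to": COMPROMISED, "value": 20_000_000_000_000_000},
    {"block": 5001, "hash": "0xb2", "from": COMPROMISED, "to": SINK,        "value": 19_500_000_000_000_000},
    # Gas sent a second time, swept again.
    {"block": 5010, "hash": "0xc1", "from": OTHER,       "to": COMPROMISED, "value": 20_000_000_000_000_000},
    {"block": 5011, "hash": "0xc2", "from": COMPROMISED, "to": SINK,        "value": 19_500_000_000_000_000},
    # Attacker funds gas himself so the pending withdrawal completes, then drains.
    {"block": 5020, "hash": "0xd1", "from": SINK,        "to": COMPROMISED, "value": 10_000_000_000_000_000},
    {"block": 5021, "hash": "0xd2", "from": COMPROMISED, "to": SINK,        "value": 2_000_000_000_000_000_000},
]


def find_sweeps(txs, watched, max_gap_blocks=2):
    """Pair each inbound transfer with the first outbound transfer that follows
    it within max_gap_blocks blocks. Each pair is one suspected sweep."""
    watched = watched.lower()
    ordered = sorted(txs, key=lambda t: t["block"])
    sweeps = []
    for i, tx in enumerate(ordered):
        if tx["to"].lower() != watched or tx["value"] <= 0:
            continue
        for later in ordered[i + 1:]:
            if later["block"] - tx["block"] > max_gap_blocks:
                break  # too far away to be an automated reaction
            if later["from"].lower() == watched and later["value"] > 0:
                sweeps.append({
                    "deposit": tx["hash"],
                    "sweep": later["hash"],
                    "gap_blocks": later["block"] - tx["block"],
                    "sink": later["to"].lower(),
                })
                break
    return sweeps


def identify_sink(sweeps, min_events=2):
    """The address receiving the most sweeps is the bot's destination, but a
    single coincidental outbound transfer is not evidence of anything."""
    counts = Counter(s["sink"] for s in sweeps)
    if not counts:
        return None
    sink, n = counts.most_common(1)[0]
    return sink if n >= min_events else None


def attacker_funded_gas(txs, watched, sink):
    """Inbound transfers from the sink itself: the attacker paying for gas so
    that a withdrawal he intends to capture can go through."""
    watched = watched.lower()
    return [t["hash"] for t in txs
            if t["from"].lower() == sink and t["to"].lower() == watched]


def assess(txs, watched):
    """One-shot verdict for a wallet before it is reused for a payout."""
    sweeps = find_sweeps(txs, watched)
    sink = identify_sink(sweeps)
    return {
        "compromised": sink is not None,
        "sink": sink,
        "sweeps": len(sweeps),
        "attacker_funded_gas": attacker_funded_gas(txs, watched, sink) if sink else [],
    }


if __name__ == "__main__":
    for key, value in assess(TXS, COMPROMISED).items():
        print(f"{key}: {value}")
```

The two-block window is deliberately tight: a sweeper reacts to the deposit in the next block, while a human moving funds days later never matches. Requiring at least two sweeps to the same destination keeps a single ordinary transfer from being flagged. The long-untouched test deposit in the constructed data is not flagged, which is exactly why that test told the poster nothing about whether the key was known to someone else.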

I don’t think I can help you with this, but I recently saw a YouTube video where someone had the same experience as you explained and a solution to retrieve the tokens that weren’t sniped yet. But that would be helpful only if you had something left there…

2 Likes

Thanks for sharing @snufkin. We were hoping to try something like that today (as the money was just sitting there) but the bot owner took a separate action to get it before we got to try.

@cure0000 was in touch with me when he realized this was the problem, but we couldn’t find any dev at the time.

I think that overall this is a very unfortunate situation. Yes, it was bad key management, but the DXdao community has the ability to and should look out for its community members (if possible).

At this point, @cure0000 is out the payment that he worked for. I would be in support of DXdao repaying @cure0000 for his contributions. If the community ends up not being in favor of this directly from DXdao, I would be in favor of community members trying to crowdfund the loss, and spreading it out to whoever would like to contribute. If we had 20 members contribute $185 each, that would fix the problem. This would obviously be fully optional.

This is a good reminder and lesson for sharp key management. Also it’s interesting that the “attacker” now has REP in xDXdao, and DXdao is aware of this and should have a process in place to take action in a scenario like this. xDXdao should burn the REP in this compromised wallet.

3 Likes

A donation seems unnecessary in my opinion, since @cure0000 is a productive individual receiving a good salary. We should just help him get back up on his feet.

Would it make sense for you @cure0000 to receive, as a loan from DxDAO, an amount that can support your family this month (like, I don’t know, 3000) with the promise of returning this debt in the next few months (e.g. 6 months) deducted from your future salaries (like -500/month)?

3 Likes

That’s definitely an option, thanks for sharing and taking the time out of your day to respond! I really appreciate it. Hopefully we can come to a resolution soon and I will bring it to xDai. What do you think should be done with the stolen REP?

Honestly, mistakes happen and things go wrong. I believe that we as a community should look after our members and therefore the Dxdao should repay his contributions. I think the documentation and guidelines can include a section on good key management and security practices so future members can learn from this.

2 Likes

If anyone is interested in seeing the hacker’s wallet:

I am jealous of the smiley face in his public key

1 Like

Sorry for chiming in late, but I’m new to DXdao and I’m still in the process of catching up with all the great things that are going on here.

I’m posting this here for future reference to any contributor needing speedy assistance with smart contracts and/or on-chain forensics in cases such as this one:

Feel free to ping me (blackscale) on Keybase if you need any help. Make it a private message for all the specifics, but also make sure to mention me in one of the public channels, asking for help, for transparency and to thwart any doubts. Alternatively, feel free to add any trusted member of DXdao in our private chat, as a witness. I’m a righteous white-hat, but you shouldn’t just trust my word, nor anyone’s for that matter.

7 Likes

Hi cure0000,

Sorry for your loss.
I don’t think the DAO should reimburse the lost funds, but I think we should slash the rep of the compromised account and give it back to you on another one.
And if it’s an emergency situation, asking for an advance on the next payment would also be good (is it an emergency situation or do you have some reserves?).

3 Likes