10/4 Post Mortem
Today, there was an unexpected compromise of StakeSteak security which resulted in the loss of 80,636 FTM + 81,351 USDC, resulting from a private key that was scraped from one of our repositories on GitHub, where it had been sitting for over 5 months. This was an inexcusable error, and you can find further details of the exploit at the end of this article.
We don’t even know how to start writing this since we’re still shaken to our cores, but would like to assure our users we’re working hard on creating a better future for everyone. We will take full responsibility for this exploit and use it to create stronger architecture and processes and turn Steak into a better protocol.
Although the mistake was made 5 months ago, we cannot excuse the fact that we allowed such a fatal mistake to slip through the cracks. Leaving the deployer’s private key in the config file is a rookie mistake, and while I was a rookie when I first started STEAK, we still had 5 months to identify the error and take the necessary steps to secure our contracts. This we failed to do, and as a result it has cost users thousands of dollars. In the future, for those who believe in Xam and the team, this mistake serves as a learning experience to fortify our security practices and prevent an exploit from happening again.
Moving forward, we are planning on issuing a new token that will be airdropped to STEAK holders and LPs as of before the exploit. We had already been wrestling with the idea of a rebrand prior to the exploit because of our move away from “staking STEAK” to more practical and useful products. With the STEAK contracts compromised, the decision to rebrand becomes easier to make. However, we want to get community approval before making a brand change. More details on this later in the article, but this paragraph is context for the compensation plan.
Compensation Plan:
1. A snapshot will be taken prior to the exploit (block 18274226) and we are accounting for all STEAK token holders, xSTEAK, STEAK-FTM LPs, STEAK-fUSD, STEAK-iFUSD, and STEAK-FTM deposited in vaults (Spooky, Reaper, Grim, Beefy)
2. Addresses included in the snapshot will be converted to the new token proportional to the balance of STEAK tokens (with more information to come later).
3. LPs will be compensated at a better rate because of the impermanent loss suffered from the exploit.
Going back to the rebrand, we wanted to go beyond a brand related to staking. As we continue to develop the new version of StableSwap and other projects (shh, still in the works), we wanted to give our protocol a more professional look and name since we are here for the long run, but we also noticed that people really enjoy the Steak name.
The new name of the project would be Singularity, because the project sucks up liquidity like a black hole.
So for this matter, we will put this decision up for a community vote to decide where Steak branding should go. This vote will be put up in our Discord 2 hours after this article is released.
There are two possibilities:
- Rename StakeSteak to Steak StableSwap, with a new token called Singularity.
- Rename StakeSteak to Singularity Swap, with the token named Singularity.
At the end of the day, making a new token called Steak could be confusing for FTMScan readers and users. So we are completely changing it no matter what, but! Peggy will continue to be the mascot of our project since we know people love it!
All of this said, we want to give a shout out to the Scream Team and the Reaper Team for all the help they have been providing to us; we can’t thank them enough for it.
From the bottom of our hearts we are truly truly sorry.
Exploit Details:
Here are the addresses of the exploiters:
https://ftmscan.com/address/0x4a77b00ac0fae3984596cf6a9bf4f32a2071e2b3 (Moved funds to Ethereum Mainnet)
https://ftmscan.com/address/0x8603d14b5ca0f197d739b95f9dee0f0d6ba5b8a4
The exploiters were able to gain access to the STEAK deployer account because the private key was visible in the initial commit (5/19) of the steak public contracts on GitHub.
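The root cause above is a raw signing key committed in a deploy config. The following is an added example (not StakeSteak code) of the kind of pre-commit check that would have caught it: it flags 32-byte hex strings with real entropy and secret-looking names assigned a quoted literal, while letting values read from the environment through. The sample config, its key and the field names are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample of a Hardhat-style deploy config with a raw key pasted in.
SAMPLE_CONFIG = """\
module.exports = {
  networks: {
    fantom: {
      url: "https://rpc.example.invalid",
      accounts: ["0x1f3a9c7e5b2d4068a1c3e5f709b2d4f6183a5c7e9f0b2d4f61a3c5e7f9b1d3f5"],
    },
  },
  genesisHash: "0x0000000000000000000000000000000000000000000000000000000000000000",
  mnemonic: "<twelve word phrase pasted here>",
  privateKey: process.env.DEPLOYER_KEY,
};
"""

# 32-byte hex string, optionally 0x-prefixed, not embedded in a longer hex run.
HEX32 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
SECRET_NAME = re.compile(r"(private[_-]?key|accounts|mnemonic|seed|secret)", re.I)
QUOTED_LITERAL = re.compile(r"""["']([^"']{12,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; all-zero placeholders score 0, real keys close to 4."""
    counts = Counter(s.lower())
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_config(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Flag lines that appear to carry a raw signing secret.

    A hex key next to a secret-looking name is high severity; a hex key elsewhere
    (could be a tx hash) is medium; a quoted literal assigned to a secret-looking
    name is medium. Lines that read the value from the environment pass.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        keyish = bool(SECRET_NAME.search(line))
        hits = [m.group(1) for m in HEX32.finditer(line)]
        hits = [h for h in hits if shannon_entropy(h) >= min_entropy]
        if hits:
            findings.append({"line": lineno, "kind": "hex_private_key",
                             "severity": "high" if keyish else "medium"})
        elif keyish and QUOTED_LITERAL.search(line):
            findings.append({"line": lineno, "kind": "literal_secret", "severity": "medium"})
    return findings
```

Wired into a pre-commit hook, a non-empty result from scan_config over the staged files blocks the commit; the zero-hash and the process.env line are the false positives the entropy and literal checks are there to suppress.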
The first exploiter burned 140,823 STEAK tokens from the LP. The max STEAK supply of 5 million was preminted, but because of this burn, they were able to mint 140,823 STEAK from the compromised deployer account to the exploiter’s account. These STEAK tokens were then used to drain the LP pool. They came out with 80,636 FTM.
The second exploiter was then able to mint 30,000 more STEAK tokens. They also took out the 18,386 fUSD-USDC LP, 9,719 USDC, and 387 FTM from STEAK reserves. In total this exploiter took 81,351 USDC in value.
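The burn-then-mint sequence above only works when the supply cap is checked against the current total supply, so that burning frees headroom for whoever holds the minter key. The following toy model, added here and not StakeSteak’s contract, replays that sequence under three policies: the cap-on-current-supply behaviour the write-up describes, a cap on lifetime minted amount, and a renounced minter. The permission used for the burn is not stated in the post, so the model applies the burn without a caller check; amounts are taken from the post, account names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Token:
    cap: int
    minter: Optional[str]          # address allowed to mint; None means minting is renounced
    lifetime_cap: bool = False     # True: cap counts everything ever minted, burns don't free headroom
    total_supply: int = 0
    total_minted: int = 0
    balances: dict = field(default_factory=dict)

    def mint(self, caller: str, to: str, amount: int) -> None:
        if self.minter is None or caller != self.minter:
            raise PermissionError("caller is not the minter")
        used = self.total_minted if self.lifetime_cap else self.total_supply
        if used + amount > self.cap:
            raise ValueError("cap exceeded")
        self.total_supply += amount
        self.total_minted += amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def burn(self, frm: str, amount: int) -> None:
        # Modelled without a caller check; the post does not say which permission was used.
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.total_supply -= amount


def replay(lifetime_cap: bool, renounce: bool) -> str:
    """Premint the full cap, burn from the LP, then try to re-mint with the deployer key."""
    t = Token(cap=5_000_000, minter="deployer", lifetime_cap=lifetime_cap)
    t.mint("deployer", "lp", 5_000_000)            # full supply preminted, as in the post
    if renounce:
        t.minter = None                             # deployer key can no longer mint
    t.burn("lp", 140_823)                           # step 1 of the incident
    try:
        t.mint("deployer", "exploiter", 140_823)   # step 2: re-mint with the leaked key
        return "minted"
    except (PermissionError, ValueError) as exc:
        return str(exc)
```

Only the first policy lets the re-mint succeed; the supply cap alone is not a control while a hot deployer key retains the minter role.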
Contracts Affected:
xSTEAK: 0xb632c5d42BD4a44a617608Ad1c7d38f597E22E3C – Owner changed (no exploit)
iFUSD: 0x9fC071cE771c7B27b7d9A57C32c0a84c18200F8a – Owner changed (no exploit)
SteakHouseV1: 0x59cC5f5F9309448Fe4a7Bd2dB8eB2DaC0F8fCEA7 – Owner changed (no exploit)
fUSD/USDC LP: 0xa0828ee559110b041dedbf10ae0cf42274251de1 – Owner changed (treasury address is changed). Fees to liquidity providers have not changed; only the fees collected by the protocol.