Summary

On 11/10/2023, 06:54:12 AM UTC, at block 4498086 on the Chia Blockchain, HashgreenSwap was exploited, with 270+ XCH (Chia coins) and 9 other CAT (Chia asset tokens) being sent to a burn address xch1gfpyysjzgfpyysjzgfpyysjzgfpyysjzgfpyysjzgfpyysjzgfpqcjkap4, leaving platform users unable to retrieve their assets staked in the protocol.

This is a document written by HashgreenSwap to fully disclose what had happened, and will happen to the HashgreenSwap community, and to the wider Chia community.

Timeline

1. 11/10/2023, 06:54 UTC (Block 4498086)

   The exploiter initiated a series of attack against the following pools, with the attack spanning blocks 4498086 and 4498090, affecting 270.540 XCH and their accompanying tokens.

   • XCH/PEPE
   • XCH/SDT
   • XCH/42
   • XCH/LKY8
   • XCH/CC
   • XCH/TICA
   • XCH/DBX
   • XCH/MZ
   • XCH/CH21

2. 11/10/2023, 08:57 UTC

   Hashgreen has noticed a significant drop in TVL on the application, and has started investigation.

   

   

3. 11/10/2023, 09:42 UTC

   Acevail from MintGarden has publicly posted about the incident.

   https://twitter.com/acevail_/status/1722912491271852252?s=20

4. 11/10/2023, 10:31 UTC

   Hashgreen has identified the issue to be a certain contract vulnerability, and has

   • Temporarily disabled the transaction engine for HashgreenSwap to prevent further user addition of liquidity.

   • Changed the visibility of open-source contracts private to lower vulnerability exposure.

     https://github.com/hashgreen/hashgreenswap-contract

   • Changed the visibility of the Cypher library to private to lower vulnerability exposure.

     https://github.com/hashgreen/cypher-chialisp

5. 11/10/2023, 10:39 UTC

   Yakuhito from TibetSwap has initiated a session with us on the technicals of the vulnerability. We are able to conclude our findings regarding this exploit in the hour-long call with Acevail, and other experts with deep understanding of Chia (please let me know if I should add you if you were on the call).

   Discord - A New Way to Chat with Friends & Communities

6. 11/10/2023, 10:53 UTC

   Hashgreen has publicly posted about the exploit.

   https://twitter.com/HashgreenLabs/status/1722930543485210771

7. 11/10/2023 Afternoon UTC

   The team has put together a list of action items (Actions) to tackle the situation.

Actions

• [x] Draining the remainder of the pools to protect and custody any funds still in the protocol. (Done as of 11/13/2023)
• [x] Inventorying the assets impacted
  • [x] A list of the whereabouts of assets transferred (Done as of 11/13/2023)
  • [x] A list of asset holders and their entitled assets (Done as of 11/20/2023)
• [x] Publishing this document to the community
  • [x] Drafting this postmortem document (Done as of 11/13/2023)
  • [x] Posting on Twitter (Done as of 11/14/2023)
  • [x] Posting on Discord (Done as of 11/14/2023)
• [ ] Figuring out a path to reimburse users of their staked assets
• [ ] Re-launching the HashgreenSwap protocol
  • [ ] A bigger round of contract review among the community developers
  • [ ] Recruit more community developers to rebuild the protocol

Impacted Assets