PAID Network Attack Postmortem, March 7, 2021
Letter From Kyle Chassé
Dear PAID community,
First of all I would like to thank everyone for their unwavering support while we investigated the attack that happened on Friday, March 5th, at 20:00 UTC+2. An attacker exploited the PAID Network deployer contract to steal over 59 million PAID tokens.
The attacker used a compromised private key to the original contract deployer to leverage the upgrade function of the smart contract. The attacker then proceeded to ‘upgrade’ to a new smart contract which had the ability to burn and re-mint tokens.
With the upgraded smart contract, the attacker then minted 59,471,745.571 PAID tokens which they then proceeded to sell. 2,501,203 $PAID tokens on Uniswap were sold for a total of 2,040.4339 ETH before the attack was discovered at 20:17 UTC+2. Upon discovery the PAID team pulled liquidity from Uniswap, minimizing damage. We then asked all PAID token holders to cease all transactions in order to mitigate further risk. We called in industry experts (Cipherblade, Parsiq, Acheron, CertiK and Immunefi) to further safeguard users and specify next steps.
To prevent any further damage by the attacker, PAID Network is relaunching its token to wipe the attacker from the ledger of token holders, moving control of the new token contract to a multisig, and securing comprehensive security and process audits to ensure we are never again vulnerable to this kind of attack or others.
Timeline of Events on March 5, 2021
10:28 UTC+2 — Attacker loads PAID Network deployer with funds.
19:37 UTC+2 — Attacker takes control of PAID token contract to mint tokens to himself.
20:17 UTC+2- PAID Network team notices unusual transactions as attacker sells large amounts of PAID on Uniswap.
20:45 UTC+2 — PAID Network initiates war room to understand the attack.
21:01 UTC+2 — PAID Network pulls liquidity from Uniswap.
21:16 UTC+2 — PAID Team starts calling in support partners (Cipherblade, Parsiq, Acheron, CertiK, Immunefi, etc).
21:20 UTC+2 — PAID Network team announces hack to community and warns users to not transact.
Technical Analysis of the Attack
The root cause of the attack was a combination of two vulnerabilities: a leaked private key and a failure in key management processes. Our code was not compromised, and we maintain faith in our CertiK audit.
The first failure was a private key leak. We have identified the cause of the private key leak, and have mitigated it. Because we have not fully resolved the situation with the responsible party we are not disclosing details on how the private key was leaked at this time. As far as we can tell, it was not a malicious leak, and we have no reason to think that it was.
The second failure was a key management failure. The compromised private key provided access to the PAID token contract, and was used to modify the token contract to allow the attacker to maliciously burn and then re-mint PAID tokens. The burning was required in order to mint tokens as the max supply had already been reached. The attacker proceeded to sell the re-minted PAID tokens on Uniswap for ETH, until liquidity on the Uniswap pair was pulled by the PAID Network team.
Ownership of the contract was not fully transferred, while we had reason to believe the transfer was total and complete to the fullest extent. We were mistaken, and assume full responsibility for our lack of thorough verification.
As a result, the attacker proceeded to use the compromised private key to do the following:
- Attacker loads contract deployer address with ETH. Tx: https://etherscan.io/tx/0x28494ebcd854735e4d84f55890f0a92376d1af17553d998b2ee391a25dbc18c7
- Attacker calls ‘transferOwnership’ function on PAID token contract from PAID deployer address. Tx: https://etherscan.io/tx/0x733dd279b3d24f3415f3850b8eceafc651c1998163dcd0352b9e83c46e2b33d9
- Attacker deploys a new contract. Tx: https://etherscan.io/tx/0xfe6eb5800741e986d6375d8e3f94eefd00cc64ba8896389142fdb6162a34d9b8
- Attackers burns PAID tokens on the staking rewards address. Tx: https://etherscan.io/tx/0x3a483dd881d98541ebbd51e9a64daa700546bae9c2b33a30c2192f9981334b9b
- Attacker mints 59,471,745.571 tokens, which he sends to his address. Tx: https://etherscan.io/tx/0x4bb10927ea7afc2336033574b74ebd6f73ef35ac0db1bb96229627c9d77555a0
- Attacker approves trading on Uniswap for his address. Tx: https://etherscan.io/tx/0x1a23506c2a53e9811ebe7ab9d78ba1ab9e02766d2440ff152437a3176a314a38
- Attacker proceeds to sell 2,501,203 $PAID tokens on Uniswap for a total of 2,040.4339 ETH before being stopped by the PAID Network team’s efforts to pull Uniswap liquidity. All funds (PAID and ETH) remain at the attacker’s address, found here: https://etherscan.io/address/0x18738290af1aaf96f0acfa945c9c31ab21cd65be
What’s next for PAID Network
We were fortunate that rapid action by the team minimized the damage. Ultimately, this hack was the result of several security failures. We at PAID Network take full responsibility for these failures, and have resolved the security vulnerabilities to make sure these failures can never happen again. To effect that, we are:
Relaunching the token contract to wipe out the attacker tokens. We will be relaunching the $PAID token contract to invalidate the attackers tokens. The attacker’s $PAID will be removed from token supply. v2 $PAID tokens will be airdropped to holders of the v1 token, the details of which are being carefully considered to ensure the fairest outcome.
Moving contract control to a multisig. All future contracts will be controlled by a multisig, controlled by members of the PAID Network C-level team. Never again will PAID Network be vulnerable to the compromise of a single private key, and all contract changes will have to be cleared by the multisig key holders.
Comprehensive security and process audits. Going forward we will commission security process audits and seek out expertise on information technology security best practices. All private keys will be heavily secured if in use, or destroyed if not.
The team is working to resolve the situation in the most fair and effective way. Through this process, we’ve enhanced security processes and will continue to power through as we always have for our community.
We would like to reiterate that our team is fully dedicated to the long term success of this project. We continue to maintain our public profiles as members of the PAID Network team, because we have full faith and integrity in the future of our project.
I have dedicated the last nine years of my life to crypto. I firmly stand by our project. My team and I will continue our full commitment to push forward our shared vision of PAID Network as a disruptive and transformational force in the blockchain industry, and the world at large. We humbly ask you, the community, to maintain faith in our ability to realize our vision as we overcome this challenge. With our renewed emphasis on security and best practices, I am confident we will succeed.
Last but not least, please know we will continue to update our community with new information and developments as the situation develops.
Sincerely,
Kyle Chassé