Dear PAID Community,
The purpose of this document is to address the major questions asked by the community regarding the attack on PAID Network on March 5, 2021, in addition to clarifying the PAID v2 token launch and airdrop process. We want to thank our community and IDO partners, who have been very supportive as we work through the relaunch process.
We’d also like to thank our security partners for their help, notably Mitchell Amador at Immunefi, Anatoly Ressin and Simon Yakunin at Parsiq, Georgios Delkos and Charles Smith at CertiK, as well as the CipherBlade team. Each of these parties was instrumental in helping us navigate through this crisis.
1) What happened on March 5th, 2021?
On Friday, March 5, at 6:07:13PM UTC, an attacker used a compromised PAID Network deployer private key to take control of the PAID token contract and mint over 59 million PAID tokens to an address the attacker controlled. The attacker then sold 2,501,203 PAID tokens for 2,040.4339 ETH on Uniswap before the PAID team stopped further selling by pulling liquidity from Uniswap. A separate post-mortem on the attack has been published for review.
2) Was your smart contract hacked? Was the PAID DAPP or Ignition platform affected?
No, the smart contract code remains secure, as attested by CertiK in their Updated Post-Mortem Report. Contract functionality worked as designed. The attacker used an old, compromised private key that still held owner rights over the contract; they did not exploit a vulnerability in the smart contract itself.
Neither the PAID dApp nor the PAID Ignition platform was affected in any way. The Ignition platform swap contracts are created per project and have nothing to do with the PAID token other than checking a user’s balance of it.
3) How do upgradeable contracts work, and how does owning a private key give access to minting functions? How did this lead to the hack?
Upgradeable contracts let a team improve a smart contract over time without requiring users to switch to a new contract address with every update: users keep interacting with one fixed address, and the contract’s owner can replace the code that runs behind it. That owner is itself an address, and whoever holds the private key to that address effectively controls it, including the power to change the smart contract.
When the private key in question was compromised, the attacker gained owner access to the upgradeable PAID v1 token contract and used that access to add new minting functions to it. Because the total PAID token supply is hard coded as a cap, the attacker could not simply mint on top of the existing supply. They first burned 59,471,745.571 PAID tokens to make room under the cap, then minted the same amount, 59,471,745.571 PAID, to an address they controlled, and proceeded to sell the minted PAID tokens on Uniswap.
4) How was the private key leaked?
The responsible party (who is not part of the PAID core team, and whose identity will not be disclosed at this time) committed a PAID private key to a repository outside PAID’s control, owned by a third party, who subsequently made that repository public. At this time, we have no reason to believe that any of these parties acted maliciously.
The PAID Network core team had no control over this repository and was unaware that the private key in question still held ownership of any existing PAID token smart contract. It was thought that all admin rights of this key had been revoked when ownership was transferred; in practice, ownership of a contract is per-contract state that only changes when the current owner explicitly transfers it, so a key can remain the owner of a contract long after the team has stopped using it.
5) What is your plan to fix this?
We will fix the problem by launching PAID v2 contracts and minting PAID v2 tokens from a pre-attack snapshot, effectively invalidating the attacker’s mint. PAID v1 tokens will be phased out of use once PAID v2 tokens are airdropped.
All PAID v1 token holders will receive a corresponding amount of PAID v2 tokens. We have forked the original audited PAID contract, received additional third-party code review, and will launch the PAID v2 token within the next 24–48 hours.
6) How will the PAID v2 tokens be airdropped? How does the distribution process work?
The PAID v2 token distribution will be done via airdrop. No user action is required to receive your PAID v2 tokens.
There will be two main airdrops. The basis of the first airdrop is a snapshot of the PAID v1 token ledger immediately before the attacker began selling PAID on Uniswap, taken at block 11979858. The airdrop will distribute PAID v2 based on the wallet balances in the snapshot.
The second airdrop will be based on trading activity in the hours following the hack. In the interest of community solidarity, the PAID team is compensating users who purchased PAID tokens within the 4 hours following the attack (which occurred on Friday, March 5, at 6:07:13PM UTC) with PAID v2 tokens drawn from the PAID staking rewards pool.
The precise calculation of the number of PAID v2 tokens airdropped will be disclosed ahead of time, and will be based on the dollar value of the v1 tokens at the time of purchase.
Again, no user action is required to receive PAID v2 tokens, they will be airdropped directly to your address.
To be clear, there will be no “penalty” for anyone who sold in a panic following the attack. Their balances will be restored as reflected in the snapshot, which was taken before the attacker began selling.
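The two mechanics described in questions 3 and 6, a hard-coded supply cap that forces a burn before a mint and a balance snapshot taken at a fixed block, are shown together in the added example below. This is illustrative code written for this page, not PAID Network’s contracts or airdrop tooling. The Transfer log, the addresses, the cap value and the genesis mint are constructed assumptions; only the snapshot block (11979858) and the 59,471,745.571 PAID burn/mint figure come from the text above.

```python
"""Snapshot an ERC-20 ledger at a block and enforce a hard-coded supply cap.

Added example; not PAID Network code. The event log below is constructed.
Addresses, CAP and the genesis mint are assumptions; only SNAPSHOT_BLOCK and
the 59,471,745.571 PAID burn/mint amount come from the announcement.
"""
from collections import defaultdict
from decimal import Decimal

DECIMALS = 18
ZERO = "0x" + "0" * 40          # ERC-20 convention: mint = from ZERO, burn = to ZERO
SNAPSHOT_BLOCK = 11979858       # block named in the announcement


def to_wei(amount):
    """Convert a decimal PAID string to integer base units without float error."""
    return int(Decimal(amount) * (10 ** DECIMALS))


CAP = to_wei("600000000")       # hypothetical hard-coded cap, not the real figure

# Constructed addresses for the example.
TREASURY = "0x" + "11" * 20
ALICE = "0x" + "aa" * 20
BOB = "0x" + "bb" * 20
ATTACKER = "0x" + "ee" * 20
PAIR = "0x" + "55" * 20         # stand-in for the Uniswap pair

# Constructed Transfer(from, to, value) log in the shape an eth_getLogs decoder
# would give you. Supply already sits at CAP after the genesis mint, so the
# blocks after SNAPSHOT_BLOCK model the attack: burn from a balance the
# upgraded contract can reach (assumed to be the treasury here), then mint
# the same amount to the attacker, then sell into the pool.
EVENTS = [
    {"block": 11000000, "log_index": 0, "from": ZERO, "to": TREASURY, "value": CAP},
    {"block": 11979000, "log_index": 3, "from": TREASURY, "to": ALICE, "value": to_wei("5000")},
    {"block": 11979500, "log_index": 1, "from": ALICE, "to": BOB, "value": to_wei("1000")},
    {"block": 11979859, "log_index": 0, "from": TREASURY, "to": ZERO, "value": to_wei("59471745.571")},
    {"block": 11979859, "log_index": 1, "from": ZERO, "to": ATTACKER, "value": to_wei("59471745.571")},
    {"block": 11979861, "log_index": 2, "from": ATTACKER, "to": PAIR, "value": to_wei("2501203")},
]


def ordered(events):
    """Canonical on-chain order: by block, then by log index within the block."""
    return sorted(events, key=lambda e: (e["block"], e["log_index"]))


def balances_at(events, block):
    """Replay transfers up to and including `block`; return non-zero balances.

    Mints credit `to`, burns debit `from`, and the zero address never holds a
    balance. An overdraw means the log is inconsistent, so fail loudly rather
    than emit a wrong airdrop list.
    """
    bal = defaultdict(int)
    for e in ordered(events):
        if e["block"] > block:
            break
        if e["from"] != ZERO:
            if bal[e["from"]] < e["value"]:
                raise ValueError(f"overdraw by {e['from']} at block {e['block']}")
            bal[e["from"]] -= e["value"]
        if e["to"] != ZERO:
            bal[e["to"]] += e["value"]
    return {addr: v for addr, v in bal.items() if v > 0}


def replay_with_cap(events, cap):
    """Replay the log enforcing totalSupply + amount <= cap on every mint.

    This is the check a capped token's mint performs; it is why an owner who
    can mint still has to burn first once supply sits at the cap. Returns the
    final total supply.
    """
    supply = 0
    for e in ordered(events):
        if e["from"] == ZERO:                       # mint
            if supply + e["value"] > cap:
                raise ValueError(f"mint at block {e['block']} exceeds cap")
            supply += e["value"]
        elif e["to"] == ZERO:                       # burn
            supply -= e["value"]
    return supply


def airdrop_list(balances):
    """Deterministic (address, amount) pairs for a 1:1 v2 distribution."""
    return sorted(balances.items())


if __name__ == "__main__":
    snapshot = balances_at(EVENTS, SNAPSHOT_BLOCK)
    for addr, amount in airdrop_list(snapshot):
        print(addr, Decimal(amount) / 10 ** DECIMALS)
    print("supply after attack:", Decimal(replay_with_cap(EVENTS, CAP)) / 10 ** DECIMALS)
```

Because the replay stops at the snapshot block, the attacker’s mint never appears in the airdrop list, while the cap check shows why the burn at the same block had to precede it: dropping the burn from the log makes the mint fail the cap check.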
7) I have my PAID tokens on Gate.io. Will I be airdropped PAID v2 tokens?
We are working with the Gate.io team to airdrop PAID v2 to holders who stored their tokens on Gate.io. This airdrop will take longer to complete, as it is dependent on working with Gate.io’s team.
8) I’m staking my PAID tokens on LaunchPool and/or Unifarm. Will I be airdropped PAID V2 tokens?
We are working with the LaunchPool and Unifarm teams to airdrop PAID v2 tokens to PAID v1 token holders using these services. This airdrop will take longer to complete, as it is dependent on working with our partners.
9) When will PAID v2 be launching? Is there anything different about the token? What will happen to PAID v1 tokens?
PAID v2 is set to launch within the next 24–48 hours, barring any unforeseen delays. Although no action is required on your part, please follow our official Telegram announcement channel for launch details.
There is no difference in the utility of the v2 token for the PAID dApp or Ignition. The only difference between the tokens is that the v2 supply is minted from the pre-attack snapshot, which in effect erases the attacker’s mint.
PAID v1 tokens will be phased out as PAID v2 tokens become the new utility token of PAID Network & Ignition.
10) What is the PAID core team doing to ensure this never happens again?
First, we are engaging industry experts on key management best practices. Second, we will move control of the PAID smart contracts to a multisignature wallet, so that no single compromised private key can ever again control the PAID contracts. Third, we have already engaged industry experts to enhance our security and establish a culture of vigilance, beginning with comprehensive security and process audits.
This has been an incredible challenge for PAID Network, and our community has stuck with us through everything.
We are honored by our community’s continued support and loyalty.
PAID Network Team