Wrapped LEO White Paper: Investigative Report, LP Refunds and WLEO Relaunch

over 3 years ago (Edited)

The attack on Wrapped LEO (WLEO) was a black swan event that had a rippling impact throughout the LeoFinance community and our project. The investigation into that attack has lasted for the past 10 days and we have discovered a great deal about how the attack was carried out and who was responsible for it.

This post contains the white paper we wrote about this event and the most important details and conclusions drawn from it. We hope that this gives everyone some much needed closure on this event and also serves as a cornerstone piece to how we continue to develop LeoFinance in the present and future. Our aim is to build a robust project for the years to come and an event like this is a harsh lesson but one that will have a lasting impact on how we buidl our vision for the future.

If you'd prefer a PDF version, click here to download the white paper.

I. The Mission and Creation of Wrapped LEO

II. The Unfolding of Events Leading Up to, During and After the Hack

III. Investigation of How the Attack Took Place

IV. Investigation of the Attacker

V. Liquidity Providers and the Redistribution of Saved ETH + LEO

VI. The Future: Exploring Models for a More Secure WLEO

Abstract

This paper is a documentation of the entire Wrapped LEO attack. We start out by discussing the overall mission and goal of Wrapped LEO (WLEO), why it was launched in the first place and why it is an important aspect of LeoFinance.

From there, we move on to a record of the actual events as they unfolded. Including timestamps of when things happened and how the response played out in real-time. We also discuss the actions that were taken post-attack and how the community and team stepped up to work on fixing what was broken and pick up the pieces to move on from this black swan event.

In section IV, we conduct a thorough investigation of the attacker. We dig in to the ETH address that carried out the attack and link it to other attacks on various projects and individuals across the Ethereum blockchain in order to get answers about who carried this out.

We then discuss the conclusions of our investigation into the hack itself. Over the course of several days, more than a dozen people helped in the investigation of how exactly WLEO was attacked and how the attacker was able to mint WLEO to their address.

After exploring everything we could related to the hack. We now need to move on from what happened and keep pushing forward as a project and community. We take the insights learned from this event and discuss the relaunch of WLEO with a revamped tokenomic structure that is vastly more secure, robust and thoroughly tested against events such as this.

This event has caused a radical shift in the entire LeoFinance project. The impacts are not only felt on the WLEO aspect of our project, but will ripple through to every single branch of LeoFinance and how we conduct ourselves in the present and future. Creating a more robust project and finding ways to utilize this event as a positive driver for growth.

I. The Mission and Creation of Wrapped LEO

[1]

Wrapped LEO (WLEO) was launched as a means to gain traction and liquidity for the LeoFinance project in the broader crypto industry. Our ultimate ambition is to drive user growth and connect with other blockchains, communities and ecosystems in order to expand the reach and scale of LeoFinance.

The native LEO token is built on the Hive-Engine second layer solution for the Hive blockchain. This token has a lot of unique features that leverage the Hive blockchain for fast, feeless and scalable transactions. One thing that this native token lacks is accessibility outside of Hive. Wrapping this token and creating an ERC20 equivalent (WLEO) allowed us to expand and connect with exchanges like Uniswap and coin aggregators/trackers like Coingecko, CoinMarketCap and Blockfolio.

As a social media, blogging and engagement-based platform on a blockchain, reaching outside of Hive (our core blockchain) is a necessary step. Up until about 2 months ago, this was always an idea for the future, but something that we had yet to find a way to achieve.

When WHIVE launched, we immediately realized that this idea was not just achieveable, but right in front of us. We quickly began work on desiging the architecture to support WLEO and prepare ourselves for a moment to step outside of Hive and bring in new users and community members to the LeoFinance ecosystem.

WLEO is an important part of the LeoFinance project, but it isn't the entire LeoFinance project. We run a number of other apps, branches and community-oriented projects that all fall under the LeoFinance umbrella. The temporary downtime for WLEO has been a set back, but it is far from a killing blow to our project. This much has been seen by the rallying support of our community and also the continuous developments that have been released to our core project: the leofinance.io UI.

WLEO-ETH pool on Uniswap prior to the attack

Throughout the rest of this paper, you'll see the insights that were gained through the initial launch of WLEO including the perspective that was granted to us by the WLEO attack in which an outside party - which we have determined to not be connected to Hive in any way - was able to mint an unlimited amount of WLEO and attack the liquidity pool.

With this said, I hope that you realize the importance of WLEO. While WLEO isn't the entirety of our project, we will see the return of WLEO to the LeoFinance ecosystem as it is a key driver of growth and connectivity to the rest of the crypto space. The key difference, however, is that it will be housed under a new tokenmoic structure which coincides with major changes to the server and wallet infrastructures surrounding WLEO.

By pulling from exchange models, other Ethereum-based projects and the combined brainpower of multiple devs, we've designed a system that is more robust, secure and proactive against attacks such as this one and other potential threats.

II. The Unfolding of Events Leading Up to, During and After the Hack

Leading up to October 11th, 2020 there was no suspicious activity indicating a security breach. The first indication of an attack was the false minting of 10,000 WLEO at 3:08 AM on October 11th.

After investigating the addresses involved, we've found that this particular address was the only one receiving minted WLEO during the attack. It then used the "fake" WLEO that was minted to swap into the Uniswap pool in exchange for ETH.

Times used from here forward are in CST (central standard time):

Oct 11 3:08 A.M. The first minting of false WLEO:

https://etherscan.io/tx/0x9c0abb76e5924623def3f000c3df6da9b100c90be279f63b24b22c842444f66e

Shortly after that, another minting TX occured for 7,590.692 WLEO:

https://etherscan.io/tx/0x0e8621db8bd6c42d559e24274c02c837964041890dcc357031b495160d5c05c8

Oct 11 3:12 A.M. First Swap Into the Pool With Minted WLEO:

The attacker minted 2 smaller amounts of WLEO and swapped into the pool.

Oct 11 3:15 A.M. The attack continues as WLEO is falsely minted in this account and then subsequently swapped into the Uniswap pool for ETH:

To better read the above image:

The Green "In" TXs represent WLEO getting minted to this address
The Orange "Out" TXs represent WLEO being swapped into the Uniswap pool in exchange for ETH

The above routine of minting WLEO to this address and then swapping into the Uniswap pool continues for the next 4 hours. Instead of leaving all those details here in screenshots, an export of these TXs have been referenced at the end of this paper.

Oct 11 3:47 A.M. The first mention of the attack is by LeoFinance community member @decentropia as they report on the strange WLEO pool activity in Discord:

Oct 11 4:32 A.M. Discussions amongst community members continue as they try and dissect what is happening in real-time:

The same community member, @decentropia sees the first of the stolen ETH sent to Binance. As mentioned here, this same address has been utilized in prior attacks to steal ETH and then send to Binance, yet Binance has never taken action to report/block this address. More information on this will be in the "Investigation of the Attacker" section of this paper.

Oct 11 7:30 A.M. Many LPs Began Withdrawing Liquidity and Securing their WLEO as LEO on the Hive blockchain.

Throughout this entire attack, LEO on Hive was completely safe. The attacker only had access to printing WLEO and didn't have access to anything else. This means that all aspects of the project on the Hive side were safe and many users encouraged each other to take their WLEO out of the pool and unwrap it into the LEO native asset.

Discussions on Discord continued throughout this entire period as users continually found and shared information to figure out what exactly was happening. Meanwhile, around 7:30 A.M we began work on shutting the WLEO oracle and contract down to prevent further damage.

Oct 11 8:17 A.M. The App Was Stopped Which Prevented Any Wraps/Unwraps and Mints from the App Itself

$100,000 USD in liquidity still remained in the pool at this time. The hacker still had WLEOs minted in their address, so we began work on securing any liquidity that remained in the pool.

Oct 11 9:07 A.M. We minted WLEO in order to swap into the pool and drain the remaining ETH. At this moment, it was either us or the hacker who would drain the 112.29801 ETH that remained in the pool.

These TXs were posted in Discord for everyone to verify. 112.29801 ETH was then held until we could figure out a plan to distribute it back to LPs who had not yet had the chance to remove liquidity from the pool. More info on this redistribution can be found in the section titled "Liquidity Providers and the Redistribution of Saved ETH + LEO".

Oct 11 4:00 P.M. After shutting down the contract, securing the remaining ETH and LEO and finally halting the WLEO-ETH pool to prevent further swaps/adds/removals, the LeoFinance team compiled an official statement about the situation.

It was a long day of figuring out exactly what happened. Once we secured the remaining ETH/LEO, we went to work on securing the Hive side. Again, we found that nothing was impacted on Hive. Just the keys to the WLEO contract on Ethereum which allowed the minting of WLEO.

The past 10 days have been spent investigating the situation and finding a method to reimburse impacted LPs. ~112 ETH was saved that day along with ~255,000 LEO on Hive.

Since the investigation spanned ~10 days in total, we decided to report on our findings and conclusions rather than give timestamps throughout the investigative process itself. The above was intended to give insight on how the day of the attack unfolded including how the attacker stole ETH from the pool and most importantly, how the community and team responded to the attack.

In the next two sections, we'll explain the most relevant information we found and our conclusions from the attack.

III. Investigation of How the Attack Took Place

As mentioned previously, this attack was carried out by an attacker who managed to get a hold of the private key that governed the wLEO minting contract.

Due to the nature of wLEO's infrastructure, the oracle app requires continuous access to the key of the address that launched the wLEO contract in the first place. This key is then used each time a wrap transaction is made.

i.e. when User A wraps 10 LEO into WLEO, the WLEO contract issues a mint tx for 10 WLEO to User A's ETH address. This mint function requires a signature from the ETH wallet that launched wLEO in order to be sent.

This model has some inherent security flaws. Namely, if an attacker gains access to the server then they also gain access to the app that mints wLEO. With this access, they can also extract the private key that governs wLEO minting - allowing an attacker to mint unlimited wLEO and drain the Uniswap wLEO-ETH pool.

Once we figured out the how of the attack (access to the private key governing the wLEO contract), we moved on to the where (where did this attacker extract the key from).

There are three ways in which the attacker could've gained access to this private key:

From the wLEO server
From the local machine that setup wLEO
From the software/browser that created the wallet

Investigation of the WLEO Server:

We initially carried out an investigation of the server logs. Checking the IP addresses of who had access to the server. Upon an initial inspection on the day of the attack, we couldn't find any unusual accesss logs in the server.

Wrapped Contract developer @fbslo also graciously helped us investigate the database of the Wrapped LEO oracle. Inspecting the database, he found that the wrapped transactions didn't originate from transfers to the oracle (the database didn't indicate false requests to wrap LEO).

An initial thought about the attack was that someone was able to send transactions to the oracle account (@wrapped-leo) without actually holding LEO. This was tried by several accounts either erroneously or with the explicit purpose of actually attacking WLEO and printing fake WLEO since the launch.

After crossing that potential attack off the list, it left us with the need to do a deeper investigation on the server logs and database to see what else we could find and if there was any unusual activity.

A few amazing people stepped up to help with the investigation of the server. We wanted to determine where exactly this attack on the keys originated. @themarkymark (long-time Hive witness and operator of several Hive-based projects) and another dev (who has worked on other LEO projects but didn't want their name listed for privacy) investigated the server logs thoroughly and couldn't find anything unusual. A group of Hive devs and witnesses also gathered to discuss the ways in which these keys could have been stolen and if it was from the server oracle itself.

A major shoutout goes to @themarkymark, @foxon, @deathwing, @rishi556 and @cadawg for helping in this and other aspects of the investigation progress. All of their witnesses have been linked at the end of this paper and I highly recommend giving them your vote. It's amazing to be a part of a community with so many passionate and talented people who don't run from crisis but step up to be involved in the resolution of it.

Investigations into the WLEO server itself lasted for several days after the attack. In the end, we concluded that there were no unusual activities within the server itself. Also considering the nature of the attack (as investigated through ETH tx records of the actual minting transactions) we found that the minting TXs likely didn't even originate from the server. This means that the keys were used elsewhere to mint WLEO. The liklihood of a server attack is slim to none.

From the local machine that setup wLEO

After determining that the WLEO server was still secure, we moved on to investigating the local machine that actually setup the Wrapped LEO contract.

Before we even started scanning this machine, we determined this attack vector to be unlikely. This particular machine is kept offline and was only brought online for specific one-off transactions/setups that were considered sensative.

At the time of the attack, there were also other keys/records on this machine that the attacker could have exploited but didn't. This isn't a disqualifying factor, but it does decrease the liklihood of a local machine breach.

After scanning the machine and investigating entry points, we ultimately eliminated this as the location of the attack.

From the software/browser that created the wallet

This was one of the main weak points for wLEO. The way that WLEO was setup requires that a hot wallet control the minting keys for the WLEO contract.

Hot wallets are infamously known for poor security, but wLEO requires that new tokens are minted on the Ethereum blockchain in order to be "exchanged" for LEO on the Hive blockchain. While there are other models (which is what we'll explore in "The Future: Exploring Models for a More Secure WLEO" section of this paper), this particular "hot wallet model" is the one that was chosen for the initial launch of WLEO.

After we concluded that a server breach was unlikely, this became our #1 suspect. We also scanned the local machine for good measure, but it was pretty clear to us that this was the most likely attack point for the hack on the WLEO minting keys.

To further add to this conclusion for the attack, we also ran an in-depth investigation on the ETH address that carried out this attack. In the next section of this paper, we investigate the "who" behind this attack in more detail.

This particular address is linked to a wide array of phishing scams all across the Ethereum blockchain. Known for wallet attacks and software breaches, they've carried out multi-million dollar heists on various applications and wallets utilizing the Ethereum blockchain.

Our Conclusion on the "How" & "Where"

We found ample evidence pointing to the conclusion that it was in fact the keys to the WLEO minting contract that were stolen.

From there, we investigated the various attack points for those keys. After crossing the most likely target - the WLEO server - off the list, we scanned the local machine and determined that to be an unlikely location of the attack.

We then marked a particular timeline between the initiation of the WLEO contract, the extraction of private keys and the setup of the WLEO server as the most likely point of attack. After our research into the attacker, we found that they have a history for software/wallet attacks and concluded that this is how they stole the keys to the WLEO minting address. Through the browser itself and the wallet software that extracted the keys.

There are some positives and negatives to this conclusion. Ultimately, finding out that the attack was on the minting keys and that they were stolen some time between extracting the keys and initiating the WLEO contract gives us a clear path to setting up a far more secure and robust WLEO contract in the future.

Wrapped LEO was undoubtedly one of the key growth drivers of LeoFinance. As we said, it wasn't everything but it did have a signficant impact and will have a long-term impact in the future. Getting WLEO back online is and should be a priority for our project. The key is to get it online and ensure that these attack vectors we've outlined are secured.

While I've left the details of this process out and just shared the conclusions here, this entire process of investigating the different vectors of attack for WLEO has given us and the people helping to build a new and far better version of WLEO an incredible level of insight. We'll dive into those details in the section titled "The Future: Exploring Models for a More Secure WLEO".

IV. Investigation of the Attacker

In the days that followed the attack, we dug into the addresses of the hacker. We found some interesting links connecting this party to much larger attacks across Ethereum ranging from the tens of thousands to multi-million dollar heists.

From this information, we concluded a few important points:

This attacker does not stem from Hive
This attacker likely had little-to-no knowledge about how LeoFinance actually works
This attacker has a track record of phishing attacks on keys, which helped us deduct how the attack was carried out

As mentioned previously, this attack was carried out by an attacker who managed to get a hold of the private key that governed the wLEO minting contract.

Screenshots of the false mints of WLEO were shared in section II. The following address was the recipient of falsely minted WLEO. Using that WLEO, this address then swapped into the pool to steal the ETH liquidity.

https://etherscan.io/address/0x8c9a02c89c96940e377052a9be0c7326f89a2495

Throughout the attack, this address sent multiple transactions containing the stolen ETH to the following addresses:

All of these addresses subsequently sent the ETH they received to the following address:

https://etherscan.io/address/0xa305fab8bda7e1638235b054889b3217441dd645

After the ETH was received by this address, it then sent it to Binance in multiple transactions (designating it to multiple Binance accounts in order to bypass KYC/AML procedures):

Here's where the investigation into this attacker took an interesting turn. The above address has been linked to a multitude of scams and major hacks on the Ethereum network.

After investigating this main wallet address and also diving deeper into the addresses linked to it, we found multiple reddit threads, official project reports and even a few Binance tickets about this particular attacker.

This main address has been reported to Binance countless times. We reported the addresses involved in the WLEO attack several times on the day of the attack and the days that followed. No helpful responses were received from Binance and they clearly haven't taken action against this address despite the multitude of reports that can be found on Google and Binance support requests about similar attacks over the past 2 years.

As this report is being written, this address has continued to send thousands of other ETH (presumably stolen in some way) to Binance with the latest tx sent just 45 minutes ago.

There are quite a lot of TX records here to dig through and dozens of ETH addresses involved. From all of these records and some other reports of attacks similar to the one on WLEO, we've learned that this attacker has particular ties to phishing scams and software wallet hacks which helped in our ultimate conclusion on this event and how it occured.

V. Liquidity Providers and the Redistribution of Saved ETH + LEO

The people that were most impacted by this attack are the liquidity providers. These are users who took a major leap of faith and decided to wrap LEO, combine it with ETH and provide valuable liquidity to our Uniswap pool.

Prior to the hack, our Uniswap pool reached ~$430,000 USD in just about 1 month of operation. This is an incredible feat, especially for a project that only had a market cap of ~$1.5 million USD at the time.

If you go back through the unfolding of events, you'll see that many LeoFinance users and LPs caught on to this attack early. Fortunately, many of these users were able to contact other users and a large amount of liquidity was secured out of the pool early on.

Unfortunately, this attack occured in the middle of the night for many people. While many were able to get out of the pool in time, many others weren't. These LPs that got stuck in the pool until the end saw their entire liquidity balance hit 0. This means that up until today, they lost 100% of their ETH and 100% of their WLEO in the attack.

If you remember, the LeoFinance team was able to step in during the attack and rescue ~110 ETH from the pool. Along with this, we also saved 255,000 LEO from the Wrapped-LEO oracle.

Prior to the attack, LeoFinance's official team liquidity was ~91 ETH and 129,000 WLEO. The LEO team liquidity will not be claimed out of the saved ETH and LEO. Instead, 100% of this amount will go to impacted LPs.

Remember the 300,000 LEO that was set aside by the LEO Bounty fund in order to incentivize liquidity providers? There was only 1 payment before the attack which leaves 253,403.490 LEO remaining from that total.

We've decided to include this in the LP refund pool.

The past week has been spent reviewing the balances of liquidity providers. There are a lot of unique situtations - with some LPs getting out of the pool in time, some not, some unwrapping, some swapping, etc. etc.

Each case required manual review in order to determine a fair amount to refund based on the initial liquidity provided and if/how much a user was able to remove during the attack.

In the end, we've determined that refunding ~110 ETH + ~754,000 LEO to impacted LPs will result in near 0 losses for everyone who provided liquidity and wasn't able to remove any from the pool. Some users may see a varying number, but most users will be made whole.

The ETH has been sourced from what we saved from the pool + the denying of refund from the Leo team liquidity. The LEO comes from 3 sources:

Remaining bounty fund: ~253,403 LEO
Saved LEO from the oracle: ~255,000 LEO
Removed from the team stake: ~252,000 LEO

What does this mean for the LEO supply?

This means that the LEO supply will increase by roughly 4.3% (the dev stake minting of 252,000 LEO) outside of the number that would have existed in circulation after the 90 day bounty had completed.

All of this stake would have been released in circulation anyways. No "extra" LEO is being minted. What we're doing here is simply targeting that LEO toward LPs who were negatively impacted by this event.

As many have put it, this type of hack is a black swan event. It's a make or break time for the LeoFinance project and community. The community has already shown a great deal of resilience and a strong resolve to rebuild WLEO so long as we develop a system that cannot be attacked in this way and also safeguards liquidity against other attacks in the future.

Many other projects have had to deal with major attacks such as this. These events often turn into a project fork in which the community is divided and the tokens are broken in half. Some forks go more smoothly than others. In the end, the goal is simply to reverse some of the damages and create a positive path forward to keep building the shared vision.

This event is LeoFinance's black swan. We've experienced something that could easily kill any other project. Stop them from achieving their vision dead in their tracks. Instead, the LeoFinance and Hive community stepped up on the day of the attack. Our resolve actually strengthened and we all bonded over a shared loss.

After discussing all of this with several community members and team members, it seems that this is the best path forward. A way in which LPs can be made whole and a way in which LeoFinance can thrive moving forward as we carry this extremely vital lesson and battle scar into the next iteration of WLEO and also adopt better practices to apply to current and future branches of the LeoFinance project.

On the date that this paper is published, the LP refund distributions have already started rolling out. If you were impacted by the pool attack, you will find ETH in your LP address and LEO in your HiveLinked address in the hours that follow.

If you are a member of this group, we just want to say thank you for being a part of this community project and also for being patient with these finalized distribution numbers.

I know many of you have been anxiously waiting to get more info about if there will be a distribution and for how much it would be. It took several days to find the concrete numbers and then also make a decision on how the distributions would occur. We hope that you find our decision for redistribution fair for everyone involved and if you have any questions related to this or anything else, don't hesitate to jump in our Discord server, leave a comment on an @leofinance post or ping us on Twitter. Thank you.

VI. The Future: Exploring Models for a More Secure WLEO

Moving forward from this attack is vital for the LeoFinance community and our project. Many of our community members have already asked if and when a new and highly secured version of WLEO would launch. As outlined earlier in this paper, the addition of WLEO to our project brings a wide array of benefits:

Liquidity
Trading volume
Pegging our token price to ETH
Accessibility to other Ethereum-based projects
Easy on/offramp for our recent LeoInfra integrations
Decentralized exchange listings and centralized exchange listings

Throughout the process of investigating this attack on the first version of WLEO, we've identified the core weaknesses of Wrapped LEO. This has allowed us to build a model that not only solves the particular issue raised by this attack, but one that also improves our overall security on all fronts.

This new model is one that provides an incredible level of security. Especially in thwarting off attacks on any keys involved in the Wrapped LEO economy.

The attack on Wrapped LEO was an attack on the minting keys and thus, the attacker was able to mint an unlimited amount of WLEO and drain our Uniswap liquidity pool. In order to prevent this attack in the future, a limited token supply model combined cold storage has been designed.

Through discussions with various people - both in the Hive community and in the Ethereum/DeFi space - we managed to build a few models that represent robust versions of WLEO that pull from several other projects and exchange models.

The finer details of this model - including specific numbers, tokenomics and implementations - will be released in a long-form @leofinance post about 1 week after this paper is published. This post will give more details on the model and also the specific date that Wrapped LEO will relaunch.

For the purposes of this paper, we'll give an overview of the ideas behind the model and how we ultimately arrived at the various mechanics that are being implemented in order to ensure that an attack like the one we experienced is rendered impossible. More importantly, we'll also share the other implementations that we're adding to enhance the security on other aspects of Wrapped LEO that weren't involved in this attack but ultimately create a landscape for WLEO that has depth of security on all fronts.

Limited Supply of WLEO Tokens

In this new model, we're implementing a limited supply of WLEO. The attack on WLEO was possible because a hot wallet governed the ability to mint unilimited WLEOs. This was necessary under the old model of WLEO, but our new model will implement a different oracle system for wrapping LEO and unwrapping WLEO.

With a limited supply of tokens, we're removing the ability to mint new WLEO. At the start of WLEO, we're going to issue all of the tokens so that the ability to mint any new tokens is completely impossible. This protects us from having the key to mint tokens stolen. It also means that that key can also be utilized via cold wallet rather than hot wallet (since the key doesn't need to be used to sign minting TXs).

Since all of the WLEO tokens will be minted at the start, we need a secure method of storing them. These tokens will be stored in 3 locations:

A portion of these tokens will be timelocked using a smart contract developed by the Trustswap team. This means that a portion of WLEO will be locked for a set amount of time (i.e. 12-24 months) before reaching circulation. These tokens will represent future supply of LEO (since the native LEO supply is increasing and more WLEO will be needed in the future)
Another portion of these tokens (which represent the current supply of LEO) will be held in a cold wallet
The final portion of WLEO will be held in a hot wallet. This hot wallet replaces the need to mint new WLEOs, as users will send and receive WLEOs by interacting with this wallet. Since this wallet is also the least secure form of storage, it will hold the least amount of WLEOs (just enough to service wraps/unwraps)

Cold Storage

[2]

In the WLEO storage methods above, cold and hot storage are mentioned. Again, the issue with the first version of WLEO is that the entire project hinged on 1 hot wallet. This is an obvious security flaw as having an attacker gain access to this wallet causes a collapse of the entire project.

With our new model for WLEO, we're limiting the damage that can be caused if an attacker were to gain access to this hot wallet. While we're drastically improving the security of this hot wallet key, it cannot be guaranteed since it is - as the name suggests - a hot wallet. This means that it is in constant use every day as the transactions to send WLEO to users who wrap LEO tokens needs to be signed with this wallet key.

The model we've designed is based on the way that major exchanges manage user funds. The hot wallet stores just enough to service active transactions each day while the cold wallet stores the remaining crypto. The cold wallet is managed offline and doesn't need to be used for daily transactions. Instead, the cold wallet is used to sign transactions only when the hot wallet runs low on funds and can no longer service the wrapping of tokens.

If you're familar with cold wallets and offline transfer procedures, then you'll know the high degree of security that comes with cold storage. Had the previous WLEO minting key been held by a cold wallet, this attack would not have been possible. The issue - as mentioned above - is that the old model relied on the ability to issue WLEO to users whenever they wrapped LEO tokens.

With our new approach, the hot wallet holds just enough funds to service those wrap transactions which means that if an attacker were to gain access, the damage they can cause is limited. No wallet exists that can mint new WLEO (since all WLEO is minted at the start). The remaining WLEO that isn't needed for day-to-day transactions is held by the cold wallet which is always kept offline.

New Geyser LP Incentive Approach

Before the attack on WLEO, many community members are aware that we were in the middle of creating our own Geyser platform to distribute LP incentives after the initial 90 day bounty period. This approach would allow us to sustainably reward LPs with a high APR for providing valuable liquidity to the WLEO - ETH Uniswap pool and also the other pools that will launch in the future.

A Geyser approach allows us to distribute WLEO/LEO incentives to users who provide liquidity. There are some key differences to this approach as compared to our LP incentive bounty that we ran for the first WLEO pool.

With this new approach, users earn additional WLEO/LEO incentives based on the length of time in which they are a liquidity provider. What this means is that an LP who's in the pool for 120 days will be rewarded with a greater APR than an LP who's in the pool for 30 days. Both of these providers will earn the same base APR, but that APR is then scaled up using a multiplier effect that is based on the length of time in which the provider has left their liquidity in the pool.

The longer you're an LP, the higher your rewards. This creates a relative distribution of LP incentives and also enhances the liquidity providing aspect of LeoFinance.

More details about this system will be released in a post prior to the launch of WLEO. Our new Geyser approach is modeled after a popular system in the DeFi space which utilizes LP token staking. While we modeled this system after other DeFi projects, we've created an extremely unique model of distribution which doesn't require LP token staking and also connects with the HiveLink system we created for the initial WLEO 90 day bounty.

In other words, this system is a radically new approach to LP rewards and it's going to add a fascinating aspect to long-term rewards for LEO stakeholders.

Providing liquidity is a risky endeavor but it also should bring the highest degree of rewards. Liquidity is essential for a project token like LEO/WLEO and this aspect of our project cannot go understated. We are lucky to have multiple devs working on different aspects of LeoFinance simultaneously as it allows us to continue building the LeoFinance UI while we fixed WLEO AND while another dev finishes the development of our new Geyser economy.

As always, there's a lot happening with LeoFinance all at once. Instead of overwhelming you with all of the details on these different aspects of the project that will be launched soon, we'll break them down in several posts that will be released over the coming two weeks before the relaunch of WLEO.

WLEO Relaunch Date

The key to relaunching WLEO is to ensure security on all fronts. We need to not only render attacks like the one we experienced impossible but also predict future attack vectors and create layers of security to safeguard against them.

Limiting the supply of WLEO along with integrating a cold/hot wallet management system are the pillars in our strategy to create a secure WLEO that can be utilized now and in the future. There are other benefits to this management system in terms of growth and exchange listings which wouldn't accept our old model of WLEO that had an infinite supply. We'll talk about these benefits and the other security measures that we're implementing in upcoming posts as we prepare for the relaunch of WLEO.

Our target launch date for Wrapped LEO is November 10th.

As the design is completed, the architecture is built and the system is battle-tested by multiple developers, we'll release more details and a hard launch date.

References

[1] leopedia.io/explainer - LeoFinance Landing Page displaying a diagram about Wrapped LEO

[2] Cold/Hot wallet diagram example: https://medium.com/tokensoft/scalable-wallet-architectures-a-simple-hot-cold-setup-for-exchanges-7ed6bf336c69

[3] Etherscan.io - Ethereum blockchain explorer. Used extensively to track LP addresses, WLEO balances and dig up tx records related to the attacking address

Users and Devs Who Helped With This Investigation

On the day of the attack, we received an overwhelming amount of support from the Hive community. Many users and devs stepped up to help with the process of digging through all of this information and it was no easy task. If you recognize these witnesses and developers, we highly recommend voting their Hive witnesses. They didn't ask to be named here but they definitely deserve the recognition and your vote of confidence.

An honorable mention also goes out to a few devs and community members who didn't want to be named here for privacy but also helped extensively in the process. Thank you!

LeoFinance is a blockchain-based social media community for Crypto & Finance content creators. Our tokenized app allows users and creators to engage and share content on the blockchain while earning cryptocurrency rewards.