Update on sILV Exploit and Discord Security Incident
We want to share an update on Illuvium’s Discord security incident of 31 December 2021 and the sILV exploit announced on 3 January 2022. The following is what we know as of today; we will update this article as our investigation and analysis continue.
Update 31 January UTC:
As mentioned previously, we will reimburse those who lost funds in the Discord scam of 31 December 2021 PT. All affected users need to complete this form to claim their compensation: https://forms.gle/5nfJELpDeK6QCPAE6
Compensation will be paid after the submitted details have been cross-checked against our analysis. Reimbursed tokens will be airdropped directly to the affected account.
On 31 December 2021 PT, Illuvium’s official Discord server was compromised. Through an elaborate social engineering attack, the attackers gained access to a core contributor’s Discord account despite 2-factor authentication being enabled on it. Using that account, they connected a rogue Discord webhook to the #jobs channel, impersonating an Illuvium bot, and announced a surprise New Year NFT stealth mint. The announcement directed users to a fraudulent website posing as Illuvium’s NFT platform; users who connected their wallets and approved the site’s transactions had their funds siphoned away by the attackers.
A total of approximately $150K was stolen from about 41 wallets. We have reason to believe that some of these wallets belong to the attackers themselves. We recommend that everyone who interacted with the scam site immediately revoke any token approvals granted to its smart contract: an approval stays valid until it is explicitly revoked, even after the scam is taken down.
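The advice to revoke access comes down to what the scam site asked each wallet to sign. The following is an added illustration (our own, not Illuvium’s code and not the scam contract): it decodes the two standard approval calls a phishing dApp typically requests, approve(address,uint256) for ERC-20 tokens and setApprovalForAll(address,bool) for NFTs, flags the dangerous ones, and builds the approve(spender, 0) call that revokes an ERC-20 allowance. The spender address and the trusted list are constructed placeholders.

```python
"""Added example, not Illuvium's code: decode what a wallet prompt actually
grants, and build the call that revokes an ERC-20 allowance.
Selectors are the first 4 bytes of keccak256(signature); they are hardcoded
because hashlib has no keccak-256. All addresses below are constructed."""
from typing import Optional

SELECTOR_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SELECTOR_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * index
    return data[start:start + 32]


def decode_approval(calldata_hex: str) -> Optional[dict]:
    """Decode approve()/setApprovalForAll() calldata; None for any other call."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    selector, body_len = data[:4], len(data) - 4
    if selector == SELECTOR_APPROVE and body_len == 64:
        amount = int.from_bytes(_word(data, 1), "big")
        return {"kind": "erc20_approve",
                "spender": "0x" + _word(data, 0)[12:].hex(),  # address = low 20 bytes
                "amount": amount,
                "unlimited": amount == MAX_UINT256}
    if selector == SELECTOR_SET_APPROVAL_FOR_ALL and body_len == 64:
        return {"kind": "erc721_set_approval_for_all",
                "operator": "0x" + _word(data, 0)[12:].hex(),
                "approved": int.from_bytes(_word(data, 1), "big") == 1}
    return None


def is_dangerous(decoded: Optional[dict], trusted: set) -> bool:
    """Dangerous: an unlimited ERC-20 allowance, or blanket operator rights over
    an NFT collection, granted to a contract not on the user's trusted list."""
    if decoded is None:
        return False
    trusted = {t.lower() for t in trusted}
    if decoded["kind"] == "erc20_approve":
        return decoded["unlimited"] and decoded["spender"] not in trusted
    return decoded["approved"] and decoded["operator"] not in trusted


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector, left-padded address, uint256."""
    spender_word = bytes(12) + bytes.fromhex(_strip0x(spender))
    return "0x" + (SELECTOR_APPROVE + spender_word + amount.to_bytes(32, "big")).hex()


def revoke_calldata(spender: str) -> str:
    """Revoking an ERC-20 allowance is simply approve(spender, 0)."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    scam = "0x" + "de" * 20  # constructed placeholder, not a real contract
    prompt = encode_approve(scam, MAX_UINT256)
    print(decode_approval(prompt), is_dangerous(decode_approval(prompt), set()))
    print("revoke with:", revoke_calldata(scam))
```

A wallet prompt that shows an unlimited amount (2^256 - 1) or a setApprovalForAll(…, true) for a contract you do not recognise is the moment to stop; once signed, the approval outlives the phishing page.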
Once we became aware of the attackers’ actions, we immediately locked down and banned the compromised accounts, revoked the webhook and deleted the scammers’ messages. We then posted alerts pinging @everyone in our Discord #announcement channel and warnings on our social channels. Our incident response team revoked the compromised account’s access to Illuvium’s internal systems.
This attack led to significant changes to our Discord server to improve security, including but not limited to:
- Pruned over 50K members, both inactive users and identified bad actors
- Removed the ability for newly joined users and bots to see the member list, so they cannot immediately direct message members with scams
- Restricted the ability to mention @everyone and individual users to superadmins
- Removed webhook-creation permissions from all roles except superadmins
- Revised all user and role permissions in the server, making them easier to manage and rogue permissions easier to spot
Additionally, we added a compulsory entry point to the Discord server: users entering must review our rules as well as an important warning about common Discord scams and how to avoid them.
Our next steps to make the community whole
As the attack stemmed from a core contributor’s account being breached, Illuvium believes making our community whole is the right thing to do. We will return the USDT equivalent of the stolen funds to affected community members once we have completed a thorough analysis of the attack.
We have engaged Chainalysis to work out the balances to be reimbursed to each wallet. We are also in touch with Kucoin about the incident, as the attacker holds an account on their exchange.
We will be reimbursing those who lost their funds in the scam. The exact nature and mechanism of the compensation is being finalized and will be shared soon.
We are accelerating several pre-existing security work streams across our teams. We will review security practices with all team members again and continue to run company-wide phishing exercises and training regularly.
On 3 January 2022 PT, we discovered a vulnerability in our staking contracts that allowed an attacker to mint an unlimited amount of $sILV. The executioner DAO (eDAO) paused sILV minting temporarily until the release of Staking V2, in which the vulnerability is fixed. At the time, we believed we had caught the issue before it could be exploited and that no funds had been compromised, and we announced this on Discord and our social channels. The IIP related to this can be found here.
In fact, the attacker had been minting tiny amounts of sILV from many addresses over a long period, keeping each mint small enough to go unnoticed. In total they minted approximately 8,000 sILV.
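The pattern described above defeats any monitor that looks only at the size of individual mints: each one is dust, and each comes from a fresh address. What gives it away is the number of distinct recipients and their aggregate issuance over a long block window. The following added example (ours, not Illuvium’s monitoring and not data from the incident) runs that check over a constructed list of ERC-20 Transfer events from the zero address, shaped like an indexer’s output; the addresses, amounts, block numbers and thresholds are all made up for the demo.

```python
"""Added example, not Illuvium's code: flag low-and-slow minting spread across
many addresses. Input is a constructed list of (block, from, to, amount)
mint events (from == zero address); nothing here is data from the incident."""
from collections import defaultdict
from statistics import median

ZERO = "0x" + "0" * 40


def build_sample_events():
    """Constructed sample: 20 legitimate reward claims of 250 sILV each, plus 120
    sybil addresses that each mint 0.5-2 sILV, spread over ~290k blocks."""
    events = []
    for i in range(20):
        addr = "0x" + "1" * 34 + f"{i:06x}"
        events.append((13_700_000 + i * 1_000, ZERO, addr, 250.0))
    for i in range(120):
        addr = "0x" + "2" * 34 + f"{i:06x}"
        events.append((13_650_000 + i * 2_400, ZERO, addr, 0.5 + (i % 4) * 0.5))
    return sorted(events)


def mints_per_recipient(events, start_block, end_block):
    """Sum minted amounts per recipient within [start_block, end_block]."""
    totals = defaultdict(float)
    for block, src, dst, amount in events:
        if src == ZERO and start_block <= block <= end_block:
            totals[dst] += amount
    return totals


def low_and_slow_alert(events, start_block, end_block,
                       small_mint=5.0, min_small_recipients=50, cumulative_cap=100.0):
    """Alert when many distinct recipients each received only dust-sized mints in
    the window, yet their combined issuance exceeds cumulative_cap. Thresholds
    are illustrative assumptions; tune them to the protocol's real reward rate."""
    totals = mints_per_recipient(events, start_block, end_block)
    small = {addr: amt for addr, amt in totals.items() if amt < small_mint}
    small_total = sum(small.values())
    return {
        "alert": len(small) >= min_small_recipients and small_total > cumulative_cap,
        "small_recipients": len(small),
        "small_total": round(small_total, 2),
        "median_small_mint": round(median(small.values()), 2) if small else 0.0,
        "large_recipients": len(totals) - len(small),
    }


if __name__ == "__main__":
    evts = build_sample_events()
    # Whole window up to the (real) attack block number used as a cut-off.
    print(low_and_slow_alert(evts, 13_600_000, 13_940_652))
    # A short window sees only a handful of dust mints and stays quiet.
    print(low_and_slow_alert(evts, 13_700_000, 13_720_000))
```

The second call shows the weakness of short windows: over a few thousand blocks the sybil mints look like noise, so the check has to be run over a long horizon (or over cumulative totals since deployment) to catch this kind of attacker.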
After our announcements about the vulnerability and the pause of sILV minting, the attacker realised we had discovered the exploit, started selling their sILV and began draining the Uniswap pool.
Immediately upon learning of the attacker’s intent to liquidate their tokens on 4 January 2022 PT, we convened another emergency meeting with the eDAO. The eDAO exists for emergencies: it has the discretion to act immediately and have the Illuvium Council ratify the decision afterwards, because approving an IIP takes time (per our DAO Governance whitepaper here).
sILV was never intended to be bought or traded; it was only meant to be used within the Illuvium universe, and the only official way to acquire it is through staking rewards. The Uniswap sILV pool was created without Illuvium’s involvement and was neither seeded nor endorsed by Illuvium, so the Illuvium team had no way to shut it down. The eDAO therefore decided that the best course of action was to protect the liquidity providers.
The attacker had already placed limit orders, and the amount of sILV they held would have completely drained the pool and driven the price of sILV to 0. To preserve as much liquidity as possible, we attempted to get ahead of them by executing our own swap.
Using its discretionary emergency powers, with supermajority approval, the Illuvium eDAO minted 100 million sILV from a multi-signature wallet and swapped it into the Uniswap pool to pull out the remaining liquidity before the attacker could drain it.
The attacker removed approximately 335 ETH; the eDAO saved 117 ETH.
After executing the rescue, we sent a Discord announcement to inform the community of the situation and to tell everyone not to trade in the sILV pool, and shared the message across our social channels to reach as many users as possible. Because the Uniswap sILV pool is outside our control, we cannot stop people from interacting with it; we can only warn as many users as possible not to buy into it.
Our next steps
Fixing the exploit & deprecating sILV
As mentioned, the vulnerability has been fixed in the Staking V2 contracts. The exploit only works while sILV can be minted, so minting of sILV will remain disabled until Staking V2 is released, and as a result of this situation the original sILV will be deprecated.
As a reminder to all users: the original sILV now has no use or utility in Illuvium, so we recommend that nobody buys into the Uniswap sILV pool.
We will be minting a new sILV token (temporarily termed ‘sILV V2’) to replace sILV.
Refunding Liquidity Providers (at snapshots 13940652 and 13940833)
We take the financial safety of our token holders very seriously. While the Uniswap sILV pool is unofficial and we cannot prevent users from trading in a pool we do not control, we have taken responsibility in this case because we should not have allowed the attacker to exploit our contracts.
We have taken two snapshots:
1. Attack block: 13940652
2. Rescue block: 13940833
If you held sILV at the rescue snapshot (block 13940833), you are entitled to the same amount of the ‘sILV V2’ token. If you were providing liquidity at the attack snapshot (block 13940652), you will receive your ETH/sILV amounts back as ETH and sILV V2. The founding team has decided to personally reimburse all liquidity providers (LPs) at the attack snapshot, so there will be no loss to the DAO.
We have completed the analysis with Chainalysis to work out the exact balances to be reimbursed; as soon as the contracts are upgraded and sILV V2 has been created, we will reimburse all LPs in the new tokens. The council approved a total refund of 251.13 ETH and 3984.63 sILV to the LPs.
sILV Buyers (between snapshots 13940652 and 13940833)
We will also refund users who swapped ETH for sILV between the attack (block 13940652) and our rescue (block 13940833). At the time there was only a single liquidity provider, positioned in a very tight price band, so swaps executed at only about 25–30% below the previous price. We believe these traders deserve the benefit of the doubt: they did not know what was happening and were buying the dip before our rescue transaction and announcements went out.
Rather than refunding these users their ETH, we will refund them the sILV they were purchasing. With the council’s approval, we are refunding 2467 sILV, paid in sILV V2, to sILV buyers between snapshots 13940652 and 13940833.
sILV Sellers (between snapshots 13940652 and 13940833)
If you sold sILV between the attack (13940652) and our rescue (13940833) because of the sudden dip, your sILV will still be reimbursed. However, the ETH you received from the sale will be deducted from your sILV reimbursement, as that value was already recovered through the sale. The council agreed, and 63.59 ETH was deducted from the reimbursement.
Refunding swaps (after snapshot 13940833)
Because we could only remove the liquidity and not shut down the pool, users began providing liquidity again, and the attacker was able to continue draining it. We then had to decide whether the DAO would reimburse these users; since this would affect the treasury, the decision was left to the Illuvium Council.
The Council went through various scenarios considering different grace periods for sILV purchasers after the announcement and the financial impact to the DAO. Read the full IIP here.
The Council voted 5 to 0 to reject the proposal to compensate those who bought after the rescue transaction. Ultimately, the Council feels that if Illuvium reimburses people for events outside the DAO’s control, it sets a dangerous precedent that could harm the project in the long term.
Each council member’s individual rationale is below:
Council Member Sascha:
“I decided to vote no on this proposal. This has not been a decision made lightly but instead is the result of following community sentiment closely while discussing the topic in a variety of settings, both inside and outside of the council.
While I feel for anyone that got hurt financially and unfairly by this issue because their actions were honest and free of malicious intent, the main goal as council member is still to ensure the longevity and success of this DAO. Setting a precedent here that opens the door for the DAO to refund crypto based losses AFTER it has been clearly stated to stay away from something, is a much bigger risk to the protocol — in my humble opinion. The Illuvium DAO cannot take responsibility for mistakes that people make with their own money unless the fault clearly lies on the side of the DAO. Anything else could create a never-ending drain of funds that quickly could end up severely damaging the protocol.
Furthermore, reimbursing people past the cut-off block would — without a doubt — also reward certain bad actors who deliberately were using the details of the announcement (knowing that anything up to the snapshot is going to be reimbursed) to profit off others who dismissed the idea of DYOR at a time when a pool suddenly dropped by 99%+.
Even more so, I wholeheartedly believe that paying out anything to people an hour past the snapshot would not actually result in a beneficial outcome for the DAO because it would only create even more rage and complaints from anyone who feels deserving of a refund but didn’t make the “one hour past the snapshot cut”. As soon as that door would be opened, where does one actually draw the line?
That’s why I clearly say “no” to the use of DAO funds for reimbursement after the official announcement.”
Council Member DickKingz:
“I have decided to vote no on this proposal for multiple reasons. Community sentiment regarding this subject was one factor in the vote of no. I think the majority of the community felt no was the correct decision because they are the ones that have been here paying attention to the announcements as they come, so the majority of them are unaffected by a post-snapshot refund. Although I feel terrible for the people that lost money in this situation, I believe that part of decentralization (of crypto in general) is being responsible with your own money. People are still buying sILV today and then coming into the social channels for the first time and demanding a refund and for the team to delist sILV from Uniswap, which shows a complete misunderstanding of how DeFi and decentralization work. If you’re going to say we should be refunding up to an hour after the block cut-off, why stop there? Why not 6 hours, why not 24 hours? It’s a slippery slope that will for sure leave unhappy people somewhere whilst still rewarding bad actors that bought post-snapshot trying to get a “free lunch”. All of us in the crypto space have had to learn a hard lesson at some point and hopefully in the future the ones that bought post-snapshot will be able to learn from this. As a council member one of our jobs is to put Illuvium protocol health above all. Again, I am sorry for the folks that were negatively affected by this exploit, but DAO-funded reimbursement post-snapshot is not in the best interest of the community or Illuvium, and through talks with the majority of community members this is why I have voted no.”
Council Member Kieran Warwick:
“I voted no on IIP-16 because I don’t think reimbursing people from the DAO is right. I also decided to personally reimburse people who traded in the sILV pool up to an hour after our rescue transaction. I believe this is ample time to have been able to research why the token price had dropped so much, and there needs to be a cut-off point where traders accept responsibility for their trades.”
Council Member Jeff:
“I have voted no on this proposal. It is our responsibility to assess community opinion separately from what is the best long-term outcome for the Illuvium DAO and vote accordingly. With regards to IIP-16, I felt that a ‘no’ vote was both the healthiest outcome for the DAO and observed overwhelming community support for such a vote. There should be no ambiguity in anything the DAO treasury uses funds for nor should we set a precedent that could ever allow for that. Despite being a relatively straightforward vote, I am very aware of the negative impact inflicted upon a minority of community members. A ‘no’ vote should not be interpreted as if we are saying “tough luck”. It is simply inappropriate to utilize DAO funds in this specific situation. It is impossible for any of us to discern the intent of the buyers and sellers after the announcement and the possibility of rewarding malicious actors with DAO funds is not acceptable. I empathize with those unfortunate enough to have traded sILV after the announcement without any ill-intent. It is a harsh lesson, but many of us have been through these sorts of events in crypto and have come out of it all the stronger. I know I certainly have.”
Council Member Santiago:
“Echoing other council members, I have voted no on IIP-16. I believe that the current plan to reimburse LPs and trades before the announcement and rescue transaction is the most fair approach given the clear communication from the team across channels as the situation unfolded. I believe that reimbursing for anything past that sends the wrong message to the vast majority of the community who did not interact in the sILV pool after the series of announcements. It’s hard to evaluate the intent of users who traded post-announcement and, while the sum is relatively small, in principle the DAO should not endorse and/or engage in reimbursing potential losses arising from speculation. The power of Web3 is that users are in control, and that requires a greater level of responsibility and ownership from all of us. The situation is not ideal, but I believe this is a good test of what the DAO can/should reimburse. These unfortunate events serve as a test of how quickly the team and community respond in the face of adversity, and I am looking forward to rebuilding any potential trust that may have been lost along the way with the community. Onwards.”
Instead, Illuvium’s founders have decided to personally reimburse, as a goodwill gesture, users who swapped within one hour after the rescue snapshot 13940833. They care deeply about the community and want to provide that one-hour grace period, giving the benefit of the doubt to buyers who may have bought into the pool without knowing what had occurred.
This will be paid out in sILV, valued at the price of sILV before the initial attack, and issued once the sILV V2 contract has launched. For users who sold within the grace period, the sILV equivalent of the ETH they received from the sale will be deducted.
Improving security moving forward
Unfortunately, this vulnerability was missed by multiple parties: it slipped past our team and our audits, and past the numerous other projects that forked our contracts. To improve security and reduce the risk of future bugs and vulnerabilities, we will conduct three independent audits per contract (one internal and two external), launch a bug bounty program, hire additional Solidity engineers, and perform further contract testing and code review.
Unfortunately, the recent attacks will delay the Staking V2 contracts, which in turn puts the Land Sale and IlluviDEX on hold. As sILV is a currency used to purchase land in the land sale, we will ensure all users receive their sILV V2 before the land sale, which means launching Staking V2 first.
We will share a timeline for the launch of Staking V2 as soon as possible. In light of recent events, there are several upgrades we want to make to the contract before running it through the security audits and reviews mentioned above.
We also need to decide how sILV V2 will be minted. While we could quickly generate a new token, we want to explore additional safety measures first.
Additionally, interacting with Ethereum L1 has become increasingly expensive since we launched, so we are discussing several L2 scaling solutions for distributing the new sILV on an L2, to keep the cost of migrating to the new contract as low as possible for users.
Please note: we will not be making an official pool for sILV V2.
Land Sale / IlluviDEX Timeline
Our current priority is launching Staking V2 and minting the new sILV V2 token, reimbursing our users, and letting investors claim their sILV V2 before the land sale. We are also exploring running the upcoming land sale on L2 so that all users can participate, no matter how small their holdings. We will share an update on the land sale timeline as soon as we have clarity.
We greatly value the trust our users place in us. We will work aggressively to prevent events like these in the future and are committed to open, honest communication whenever incidents occur. Thank you all for your support through this challenging period.
Reminders to avoid scams
While we will do our best to remain vigilant, threats continually evolve and mistakes will sometimes occur, especially as we grow our team from 150+ to 500 core contributors. We ask that all our users and stakeholders remain alert.
The Illuvium DAO always announces official airdrops in advance; we will never launch stealth mints or drops. Check that any offering is also announced on our other channels, such as our verified Twitter account: https://twitter.com/illuviumio.
Nobody from the Illuvium team or mod team will ever direct message you with a giveaway or a file to download. Illuvium will never ask you to authorise your wallet for a promotion, and we will never ask for your passwords or wallet seed phrase, even to help troubleshoot an issue.
Always triple-check the exact spelling and domain of any web address you interact with. Illuvium’s main website is https://www.illuvium.io/, not .com, .net, .org, etc. It is your responsibility to check every time you connect your wallet and authorise a transaction.
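Checking a domain by eye is exactly what lookalike registrations are designed to defeat. The following added example (ours, not Illuvium’s code) does the check mechanically before a wallet is connected: it normalises the host, compares it against an allowlist, and explains why an unofficial host might fool a reader. The allowlist contains only the main site named above; the lookalike URLs in the demo are constructed.

```python
"""Added example, not Illuvium's code: check a link against an allowlist of
official hosts before connecting a wallet. illuvium.io comes from the notice
above; every other URL here is constructed for the demo."""
from urllib.parse import urlsplit
import unicodedata

OFFICIAL_HOSTS = {"illuvium.io", "www.illuvium.io"}  # extend with known subdomains only
BRAND = "illuvium"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_host(url: str) -> str:
    """Lower-case, drop a trailing dot and IDNA-encode, so that a Unicode
    lookalike surfaces as an xn-- label instead of passing as plain text."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    host = unicodedata.normalize("NFKC", host).lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def check_link(url: str) -> dict:
    """Return whether the host is official, whether the link is safe to use,
    and the reasons a reader might be fooled."""
    host = normalise_host(url)
    reasons = []
    if urlsplit(url).scheme != "https":
        reasons.append("not https")
    if host in OFFICIAL_HOSTS:
        return {"host": host, "official": True, "ok": not reasons, "reasons": reasons}
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible Unicode lookalike)")
    if BRAND in host:
        reasons.append("brand name inside an unofficial host")
    elif any(0 < edit_distance(label, BRAND) <= 2 for label in labels):
        reasons.append("label within two edits of the brand name")
    else:
        reasons.append("host not on the official list")
    return {"host": host, "official": False, "ok": False, "reasons": reasons}


if __name__ == "__main__":
    for link in ["https://www.illuvium.io/",
                 "https://www.illuvium.com/mint",                 # constructed
                 "https://illuvium.io.stealth-mint.example/",     # constructed
                 "https://iiluvium.io/",                           # constructed
                 "https://xn--illuvum-hfb.io/"]:                  # constructed
        print(link, "->", check_link(link))
```

Note that a host such as illuvium.io.stealth-mint.example is rejected even though it begins with the real domain: the registrable domain is the last two labels, which is why the check compares whole hosts rather than prefixes.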