Over the weekend, the smart contracts of Alameda-backed cross-chain bridge ChainSwap were compromised by a hacker in an attack which saw a slew of prominent crypto projects have their ERC-20 and BEP-20 tokens stolen, with the hacker then attempting to liquidate them on decentralised exchanges Uniswap and Pancakeswap.
Events such as these are unfortunate aspects of the crypto industry, which is a fact known all too well by ChainSwap; earlier this month, the platform was subjected to a separate attack which took advantage of another weakness in its code, resulting in $800,000 worth of losses.
In that instance the ChainSwap team were able to work with local police, in conjunction with Huobi and OkeX, and obtain the email address of the hackers. Through a bizarre exchange of emails, the ChainSwap team were then able to convince the hackers to return the majority of stolen tokens, mitigating the losses down from several million to a few hundred thousand dollars.
However, it’s important to point out at this point that in the vast majority of cases there are no negotiations with the hackers, and the victims are not presented with the opportunity to talk the perpetrators into returning any funds. In these instances, the responsibility for alleviating the damages of the situation rests solely on the teams whose projects have been affected.
Any DeFi project which finds itself in the nightmarish situation of being subjected to a hack would be well served to follow the example laid out by OptionRoom over the past few days:
Step 1 - Remain Vigilant
In the Web3.0 space, teams should never let their guard down, and should always operate under the assumption that a hack could be round the corner at any moment. During the ChainSwap incident, OptionRoom managed to detect the protocol breach almost immediately, and as such were able to remove their Uniswap liquidity before the hacker had the opportunity to sell any of the stolen tokens. This resulted in the safe recovery of $443,974, which the project have stated will be used to reimburse liquidity providrrs.
Step 2 - Have a Plan in Place
DeFi projects which haven’t got a “doomsday” plan in place are at best optimistic and at worst naive - even though hacks only affect a very small minority of projects, it’s best practice to safeguard investors and community members as much as possible by having a worst-case-scenario plan ready, should the unthinkable happen and smart contracts get compromised.
In the case of OptionRoom, their plan was to take a snapshot of their token holders’ addresses from before the hack, which will enable them to airdrop holders and liquidity providers with newly minted tokens corresponding to the exact amount they were holding prior to the hack. Due to the preparatory infrastructure which was in place, OptionRoom have begun processing the ETH and BSC logs, and were able to announce this before the hack had made headlines, which brings us on to the final point:
Step 3 - Be Transparent
Arguably the worst thing DeFi projects can do in the aftermath of a hack is to say nothing to their community about it; with rug-pulls and scams lurking around every corner in the space, nothing makes investors more anxious than a team going silent after a sudden and unexpected drop in token price.
While it may be tempting to want to spare your community the full details of an undoubtedly unpleasant situation, honesty truly is the best policy in times like these. In the aftermath of the hack, OptionRoon laid out a comprehensive summary of the situation, along with their plan (see Step 2) for moving forward and making their project and investors whole again.
DeFi hacks, though infrequent, do occur. As with any new and rapidly developing technological advancement, there are always going to be initial holes (however minute) for bad actors to exploit. However, that doesn’t mean that hacks have to spell the end for everyone who falls victim to them; by following three simple steps, DeFi projects massively increase their chances of not just surviving an attack, but thriving after the effects of a hack have subsided. Integral to this is maintaining team credibility, which will ensure community support remains high throughout otherwise highly trying circumstances.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.