Some questions after the exploit

I am not a computer scientist, so I apologize for not using the right words.

I know the problem is being addressed and fixed. I think we are all being understanding and patient. For security, this is not the time to describe the vulnerability or the attack. We know there will eventually be a comprehensive post mortem report.

It is time to recognize the orderly and steady work of the entire team to resolve the issues in the best possible way.

Once the incident is resolved, I personally would like to get answers to these questions that have been coming to me one after the other. I ask them with a lot of respect because I only want the best for Sovryn.

  1. Is there a possibility that the attacker could have received inside information from people who have worked or currently work at Sovryn? The area of attack may be very precise and targeted.

  2. Might the vulnerability have been flagged as a minor weakness or area for improvement by one of the audits performed? If not, is it normal that different audits have overlooked the vulnerability?

  3. How long did it take from the time the attack occurred until it was discovered? Minutes, hours? I am interested to know if there are, or could be created, control mechanisms that warn of anomalous behavior in very short time ranges to disrupt the attack as quickly as possible. Maybe I am wrong, but there were users who raised the alarm about the situation before the dapp was put into maintenance.

  4. What contingency measures are in place when the dapp is put into maintenance and there are users who have, for example, an urgent need to access their borrowed funds, close a trade or protect a position? Sometimes users do not have the knowledge to interact directly with smart contracts. It could happen that during maintenance time there are losses due to the impossibility for users to act.

7 Likes

I think clarity is very important to share with the community so that this doesn’t lead to speculation. I myself have questions on some things like “should these exploits on Sovryn be considered attacks?”

Why exploit and not take the bug bounty reward? :thinking:

  1. Could this be competitors looking to try and discredit sovryn while building a similar product?

  2. Could this be early contributors with bad blood towards sovryn?

  3. Bitcoiners trying to show why DeFi is dangerous (hence the timing of the RSK attack and the Sovryn exploit)?

  4. Or is this just someone who wants money but doesn’t know about the bug bounty, and just knows about us because of increasing eyes on the project? :thinking:

These are all just speculation, but questionably timely…

The best thing to do is share and be as transparent as possible during times like these, so as to dissolve rumors or murmurings that only cause rifts and division within the community and don’t look good to future investors.

Maybe Yago or one of the devs could do a community call and answer some of the questions and fears community members have about the future of RSK, the reasons for our own chain, the future of Sovryn, etc.

Appreciate the work devs are doing.

Stay Sovryn

6 Likes

The postmortem has been published here: Lending Pool Exploit Postmortem: October 2022 | Sovryn

I will try to answer your questions:

  1. Is there a possibility that the attacker could have received inside information from people who have worked or currently work at Sovryn? The area of attack may be very precise and targeted.

The vulnerability was not known about by, and so could not have ever been discussed amongst, the full-time contributors prior to the exploit, so there was no “inside information” to receive.

  2. Might the vulnerability have been flagged as a minor weakness or area for improvement by one of the audits performed? If not, is it normal that different audits have overlooked the vulnerability?

It was not flagged in any audit. It is not unheard of for smart contracts that have received an audit to later have a vulnerability discovered or exploited.

There is a timeline in the postmortem. It was a matter of hours. Certainly monitoring systems could be developed, and were already planned to be, unfortunately not soon enough. Needless to say, it is a high priority now.

When the frontend is in maintenance mode this usually means the underlying contracts are paused, so they cannot be interacted with. That was the case here too. The options were: leave the contracts unpaused, and risk everyone losing all their money, or pause them, and risk some users losing money if e.g. positions go underwater. The latter scenario can be guarded against once the contracts are unpaused, e.g. by allowing users a period of time to close positions or top up collateral before the price oracle is allowed to update, or something like that. The former scenario is obviously unacceptable.

1 Like
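The question about "control mechanisms that warn of anomalous behavior in very short time ranges", and the reply above that monitoring was planned, describe a sliding-window outflow monitor. The following is an added illustration written for this thread, not Sovryn's code and not taken from the postmortem. The event shape (`PoolEvent`), the pool liquidity of 1,000,000 units, the five-minute window and the 10% threshold are all assumptions, and the event list is constructed: a normal deposit/borrow/repay sequence followed by two large outflows from one account within thirty seconds, which is what the monitor is meant to catch early enough for a pause decision.

```python
"""Sliding-window outflow monitor for a lending pool (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

OUTFLOW_KINDS = {"withdraw", "borrow"}
INFLOW_KINDS = {"deposit", "repay"}


@dataclass(frozen=True)
class PoolEvent:
    ts: int        # block timestamp, unix seconds (assumed event shape)
    kind: str      # "deposit" | "repay" | "withdraw" | "borrow"
    amount: float  # pool asset units (hypothetical)
    account: str


@dataclass(frozen=True)
class Alert:
    ts: int
    window_outflow: float
    fraction: float   # outflow in window / liquidity before those outflows
    top_account: str  # account with the largest share of the window's outflow


class OutflowMonitor:
    """Raise an alert when outflows within `window_s` seconds exceed
    `max_fraction` of the liquidity the pool had before them.
    Both thresholds are assumptions chosen for the example."""

    def __init__(self, liquidity: float, window_s: int = 300, max_fraction: float = 0.10):
        self.liquidity = liquidity
        self.window_s = window_s
        self.max_fraction = max_fraction
        self.window: Deque[PoolEvent] = deque()   # recent outflow events only
        self.muted_until = -1                     # suppress repeat alerts for one window

    def observe(self, ev: PoolEvent) -> Optional[Alert]:
        if ev.kind in INFLOW_KINDS:
            self.liquidity += ev.amount
        elif ev.kind in OUTFLOW_KINDS:
            self.liquidity -= ev.amount
            self.window.append(ev)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

        # Evict outflows that fell out of the window.
        while self.window and self.window[0].ts < ev.ts - self.window_s:
            self.window.popleft()

        if ev.kind not in OUTFLOW_KINDS:
            return None  # inflows never trigger; they only update liquidity
        outflow = sum(e.amount for e in self.window)
        liquidity_before = self.liquidity + outflow
        if liquidity_before <= 0:
            return None
        fraction = outflow / liquidity_before
        if fraction <= self.max_fraction or ev.ts < self.muted_until:
            return None

        per_account: Dict[str, float] = {}
        for e in self.window:
            per_account[e.account] = per_account.get(e.account, 0.0) + e.amount
        top = max(per_account, key=lambda a: per_account[a])
        self.muted_until = ev.ts + self.window_s
        return Alert(ev.ts, outflow, fraction, top)


def run_monitor(events: List[PoolEvent], liquidity: float,
                window_s: int = 300, max_fraction: float = 0.10) -> List[Alert]:
    """Replay events in timestamp order and collect the alerts raised."""
    mon = OutflowMonitor(liquidity, window_s, max_fraction)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = mon.observe(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: routine activity, then two large outflows from one account.
SAMPLE_EVENTS = [
    PoolEvent(0, "deposit", 5_000, "alice"),
    PoolEvent(60, "borrow", 20_000, "bob"),
    PoolEvent(400, "repay", 10_000, "bob"),
    PoolEvent(500, "withdraw", 60_000, "mallory"),
    PoolEvent(530, "borrow", 80_000, "mallory"),
]

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_EVENTS, liquidity=1_000_000):
        print(f"t={a.ts}: {a.window_outflow:.0f} units left in window "
              f"({a.fraction:.1%} of liquidity), top account {a.top_account}")
```

On the sample, the first large withdrawal alone stays under the threshold (about 6%), and the alert fires thirty seconds later when the cumulative window outflow reaches about 14%. An alert like this is the input to the pause decision discussed above; it does not pause anything by itself, and the threshold has to be tuned against the pool's normal activity to keep false positives down.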

Hi John

I read the postmortem as soon as it was published. My lack of education prevented me from understanding many of the explanations. My previous questions were asked from common sense and in non-technical language.

I really appreciate you taking the time to answer them. I never doubted that someone from the team would do so when the time came.

And as for the answers, for me they are complete and credible. That is why I am very reassured and feel that Sovryn has become stronger in this process.

I have no more questions :wink:
Have a nice weekend!

1 Like