Completely and Utterly Hacked Off Our Feet
On June 22nd, 2021, the unthinkable happened.
At 5:00 am the it was brought to our attention. The Haven network – a project our core team had dedicated countless hours to – was hacked.
In an instant, more than $50-million in assets had been stolen. With millions lost, and the entire project threatened, it would have been enough to knock most projects down and out.
Only that didn’t happen.
As is true in life, so it is true in defi. It’s not how many times you get knocked down that matters. It’s how many times you get back up.
This is the true story of how our cryptocurrency was hacked for over $50-million and how our open source team and contributors banded together to overcome the destruction and make the project stronger.
How It Started
One of the many challenges that plague the crypto industry today is extreme volatility. It’s not uncommon to see significant price increases and decreases, of 30%, 40%, or more, happen in a matter of a few days or hours. As a result, many familiar with the industry turn to stablecoins to stabilize and protect the value of their portfolio.
When I began my cryptocurrency journey I too thought this was the way. Only I quickly realized that what one investor gains in stability with traditional stable coins, they give up in privacy. And this frightened me.
At the time, every stablecoin on the market was public and traceable. This means that anyone who wants to view my transactions, can. Nefarious actors, hackers, and even the government could easily peer into my wallet without my permission, gaining information to a frightening degree.
Furthermore, traditional stablecoins are all managed by private entities. Some of which have actually frozen accounts of those who they deemed ‘unsuitable’. Legitimate or not, this didn’t sit well with me.
Of course, there are projects like Monero, which offer incredible privacy and security. The main drawback is that these coins are subject to the highs and lows associated with the volatility of the crypto market, and thus do not offer stability from the volatility of the market.
I wanted to ensure the confidentiality of my transactions while protecting myself against the volatility of the market. What I wanted, a stablecoin that offered me Monero-like privacy simply didn’t exist.
That was until Haven.
Once announced that they’d be releasing a Monero-based private stablecoin I dove in, immersing myself in the project completely. I, like others on the team, left fantastic careers, thriving businesses, and potential opportunities to pursue a true digital cash that offered both privacy and stability.
Which is why at 5:00 am, when I got the call, it seemed that everything we had strived for was about to come crashing down.
It was well-thought-out, aggressive, and very sophisticated.
The hacker had discovered a previously undiscovered vulnerability in the code that allowed them to create significantly higher mining rewards for each block that was mined. With increased block rewards, the hacker was able to mint much more than should have been due.
The exploit allowed the hacker to extract millions.
But this was only the first attack to be exploited.
Nearly a week later, another vulnerability was discovered which allowed the hacker to create counterfeit coins. This was far more damaging than the first.
Hundreds of thousands of counterfeit assets were minted worth tens of millions of dollars. If sold on the open market, it threatened the tokenomics of the project and would likely devalue Haven’s digital currency to zero.
The realization that everything I had worked for, everything our community had worked tirelessly for, could be gone in an instant, was a shock.
Years of hard work had been spent building the protocol, figuring out the math, and developing the framework.
Team members had given up fantastic careers at large tech companies, had exited thriving businesses, and had delayed families to pursue this project. The community had grown, from a small group of idealists to a powerful, diverse group of thousands.
And yet in the span of just a week, a hacker was threatening to take the entire project down – siphoning tens of millions of dollars from the community in the process.
If the hacker was to be successful, Haven as a cryptocurrency and a project would have been finished. We knew we couldn’t let this happen. We had to respond the right way, and we had to respond quickly.
When considering an open-source project two of the main points that should be considered are the skills of the core team and the strength of the community.
A strong core team allows the project to quickly maneuver, develop solutions, and adapt. A strong community adds resilience, additional strength, and antifragility. And yet even when an open-source project has both, there may still be extreme measures that must be taken to protect the overall value of the project.
Haven had both – a skillful core team, and a strong community – and yet we still needed to take drastic measures to protect the idea of a privacy-focused stable coin.
Here’s what we did to mitigate the damage of the attack:
First – we contacted all of our exchange partners and let them know of the situation. This included KuCoin, TradeOgre, and Bittrex. We asked them to temporarily block the trading of XHV and freeze any movement of xAssets and XHV coins. This was necessary to prevent any deposits, withdrawals, and sale of stolen assets.
Second – we had to address the vulnerabilities in the system and minimize the damage of the attack. This meant taking the unavoidable and extreme measure of disabling an aspect of the Haven protocol. This move, disabling the part of the protocol that was responsible for conversion metrics, in essence, blocked the hacker from being able to convert or withdraw funds.
Third – We released a code fork. This fork would enable transfers and withdrawals but temporarily fixed the exploit attack vector.
Fourth – after many long hours of deliberation, we made a difficult proposal to the community, which was met with overwhelming approval: We would take the drastic action of rolling back the Haven blockchain.
Doing so would reverse the transactions that took place after the attack and would also help remove the inflation caused by the exploits. Even though the tactic we were suggesting presented short-term issues to overcome, our core team and community understood that it was for the overall well-being of the project, and voted this in accordingly.
Rolling back the blockchain, along with a mitigation plan to fix the exploited vulnerabilities and provide our community with better security and testing, allowed us to finally move forward.
The process outlined above proved to be no easy task, as the hacker openly taunted our community on Discord and continued to sow seeds of doubt amongst the community. Even after attempts to reach out and offer a bounty for the uncovered exploits, the attacker wasn’t interested in communicating nor partnering with us.
Our core team and community worked frantically to assure a mitigation plan was in place and that steps were being taken to address the situation. As per any strong community, through all the uncertainty and challenges our core team stood fast.
So what did we learn and why does it matter?
For starters, we’ve made deliberate and substantial changes to the way we test the protocol. We’ve hired experts and auditors from CypherStack, arguably the best in the business, to ensure the privacy and security of the project.
Additional validation methods have been added to the protocol, in parallel with an entire code refactor and overhaul – a process that took 1,000s of working hours. Peer review, auditing, and future protocol improvements can now scale up in ways that were never possible before.
We’ve also launched a Bug Bounty Program that rewards developers who discover ways to make the protocol stronger with incentives up to $100,000.
And we have leveraged our community for more support and insight.
In pushing forward on this journey to create a truly private stablecoin, we have learnt that the road is going to be filled with many ups and downs. Throughout this process, we have rebuilt the Haven protocol to be stronger and more resilient and have learnt that for any open source project to succeed, you need the support of many driven and committed people in your community.
AHawk discovered Haven Protocol in 2018 and has been a community leader for the project since 2019. As a crypto investor and enthusiast, he believes the concept of a Monero-based private stablecoin ecosystem will truly revolutionize how people protect their financial privacy and interact with crypto in the years ahead. You can learn more about the Haven Protocol and the community by going here: https://havenprotocol.org/