Stader__NEAR Incident Report — 08/16/2022

Dear Stader Near Community,

This morning (Aug. 16, 2022), at around 9:30 AM EST, a vulnerability in Stader's NearX smart contract was exploited. Our team intervened quickly and contained the exploit within a short span of time, fixing the issue and protecting most users' funds. Many thanks to the Ref Finance team for supporting us with this.

Our team, together with external security experts, is evaluating options to secure users' funds, and we will share a detailed plan within a couple of days.

Here is what happened

  1. Stader's smart contract on NEAR had a vulnerability related to $NearX minting. The attacker ("gregoshes.near") exploited it to mint 20 Mn $NearX by repeatedly transferring $NearX to their own address in a loop, with no corresponding $NEAR staked against the newly created tokens.
  2. The minted $NearX was then used to drain all the $NEAR liquidity from the NEAR<>NearX liquidity pools at Ref Finance and Jumbo Exchange by swapping the $NearX for $NEAR.
  3. We paused the NearX smart contract immediately and stopped all $NearX transactions. This prevented further attacks on Stader's contract and any further $NearX trades on the DEXs.
  4. We estimate that the attacker made approximately 165k $NEAR using the exploit. We are indexing all the transactions to further ascertain these numbers.
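
The report above says the attacker minted $NearX by transferring it to their own address in a loop, but it does not publish the contract code or the exact root cause. The following is an added illustration, written for this page and not taken from the NearX contract, of one common way a self-transfer can mint tokens: a transfer that reads both the sender and receiver balances before writing either, so that when sender and receiver are the same account the credit overwrites the debit. Rust is used because NEAR contracts are written in it, but the ledger is a plain `HashMap` stand-in (no `near-sdk`), the account names are made up, and the assumption that NearX's bug had this shape is exactly that, an assumption. The fixed variant rejects self-transfers and orders the writes so they cannot clobber each other, and the `sum_of_balances == total_supply` invariant is the kind of check that makes the minting visible in a test.

```rust
use std::collections::HashMap;

/// Minimal stand-in for a fungible-token ledger (account id -> balance).
/// Constructed for illustration only; this is not the NearX contract.
#[derive(Default)]
pub struct Ledger {
    balances: HashMap<String, u128>,
    total_supply: u128,
}

impl Ledger {
    pub fn new() -> Self {
        Self::default()
    }

    /// Legitimate mint: balance and total supply move together.
    pub fn mint(&mut self, account: &str, amount: u128) {
        *self.balances.entry(account.to_string()).or_insert(0) += amount;
        self.total_supply += amount;
    }

    pub fn balance_of(&self, account: &str) -> u128 {
        *self.balances.get(account).unwrap_or(&0)
    }

    pub fn total_supply(&self) -> u128 {
        self.total_supply
    }

    /// Invariant: the sum of all balances must equal total_supply.
    /// Any divergence means tokens were created or destroyed out of band.
    pub fn sum_of_balances(&self) -> u128 {
        self.balances.values().sum()
    }

    /// VULNERABLE (assumed bug shape): both balances are read before either
    /// is written. If `from == to`, the second insert (old + amount) replaces
    /// the first (old - amount), so the account gains `amount` from nothing.
    pub fn transfer_vulnerable(&mut self, from: &str, to: &str, amount: u128) -> Result<(), String> {
        let from_bal = self.balance_of(from);
        let to_bal = self.balance_of(to);
        if from_bal < amount {
            return Err("insufficient balance".into());
        }
        self.balances.insert(from.to_string(), from_bal - amount);
        self.balances.insert(to.to_string(), to_bal + amount);
        Ok(())
    }

    /// FIXED: reject self-transfers outright, and apply the debit before
    /// reading the credit side so the two updates can never overwrite each other.
    pub fn transfer_fixed(&mut self, from: &str, to: &str, amount: u128) -> Result<(), String> {
        if from == to {
            return Err("sender and receiver must differ".into());
        }
        let from_bal = self.balance_of(from);
        if from_bal < amount {
            return Err("insufficient balance".into());
        }
        self.balances.insert(from.to_string(), from_bal - amount);
        let to_bal = self.balance_of(to);
        self.balances.insert(to.to_string(), to_bal + amount);
        Ok(())
    }
}

/// Replays the self-transfer loop described in the report against either
/// implementation. Returns (attacker balance, total_supply, sum of balances).
pub fn run_loop(vulnerable: bool, iterations: u32) -> (u128, u128, u128) {
    let mut ledger = Ledger::new();
    let me = "attacker.near"; // constructed account name, not a real one
    ledger.mint(me, 100);
    for _ in 0..iterations {
        let amt = ledger.balance_of(me);
        let _ = if vulnerable {
            ledger.transfer_vulnerable(me, me, amt)
        } else {
            ledger.transfer_fixed(me, me, amt)
        };
    }
    (ledger.balance_of(me), ledger.total_supply(), ledger.sum_of_balances())
}

fn main() {
    let (bal, supply, sum) = run_loop(true, 10);
    println!("vulnerable: balance={} total_supply={} sum_of_balances={}", bal, supply, sum);
    let (bal, supply, sum) = run_loop(false, 10);
    println!("fixed:      balance={} total_supply={} sum_of_balances={}", bal, supply, sum);
}
```

With the vulnerable transfer, ten self-transfers of the full balance double it each time (100 becomes 102,400) while `total_supply` stays at 100; the invariant check is what exposes the minting. With the fixed transfer the loop is rejected and all three numbers stay at 100. The practical lesson is that token contracts should assert `sum_of_balances == total_supply` in their test suite and treat `from == to` as a first-class test case, not an afterthought.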

What happens to users’ funds?

The ~2.5 Mn $NEAR staked through the Stader dapp remains securely delegated to the validators; the attack had no impact on it.

The losses pertain largely to the $NEAR liquidity in the LPs. The Stader team is indexing the full list of transactions involving $NearX to ascertain the complete extent of the funds lost on the DEXs. Once we have completed this exercise, we will share full details.

We assure our users that we will ensure the funds are safe and do our best to identify and recover the losses.

What are we doing immediately regarding security?

Stader Labs has deployed multiple smart contracts across 7 blockchains, and a security breach of this kind is unprecedented for Stader. The NearX incident is specific to the design of the NearX contract and has no impact or implication on our contracts on other blockchains.

Stader treats security as paramount and provides Two-Fold Security on its NearX smart contract. We are the first liquid staking protocol on the NEAR blockchain to be audited by two leading cyber security firms, Halborn and BlockSec.

However, each exploit is a learning experience for us, and we will adopt more stringent security practices going forward. We have taken the following measures immediately:

  1. We have paused all operations on the NearX contracts until further notice. Booster rewards are also paused.
  2. We are working closely with the security experts at Halborn and BlockSec to further investigate the issue and stress test the contracts.
  3. We are accelerating the launch of a bug bounty program, in association with Immunefi, on NearX contracts for Whitehat professionals.
  4. A cyber law agency has also been onboarded to investigate the matter and take commensurate legal action.

We are grateful to our community for their patience and support through this. We are working towards an appropriate resolution as soon as possible.

Our Note to The Attacker(s):

Stader Labs is giving the suspect an opportunity to return all funds and avoid legal action. We therefore request the holder of "gregoshes.near" to reach out to us at admin@staderlabs.com and return the funds to the wallet address: ceea6b0e6b4f39432ab9160fc6f057a695557b6b547f7e9e23440fd4f8b14557.

We are offering a bounty of $150,000 for full co-operation.

This offer remains open until 23rd August, 2022, 4 PM UTC.