CryptoCart — Post Mortem and Recovery Timeline

As part of our recovery procedures following the breach that caused liquidity to be pulled from the CC ERC20 pool in the early hours of the 1st of November, we have carried out sleepless hours of investigation in order to better understand how such a breach occurred and how to completely prevent a breach from happening in future. With our own internal research and some external advice we will further outline what measures will be taken to ensure that such a breach in security can never happen again.

Here is a short timeline establishing the facts of what happened.

- Four minutes prior to this, the following Binance address added Ethereum to the deployer address: 0xBdaEda8ED778c126f81a4Ae06B6a1b5d6152b278

- We have reached out to Binance explaining the situation to assist with this further.

- 328 Ether was removed, separated into three wallets, and funnelled through Tornado Cash.

- The team were alerted approximately 30–45 minutes after this took place and a snapshot was immediately taken.

- By 14:56 on the same day, while investigations were under way, 309 Ether was sent back to the deployer in three separate transactions.

- All recovered funds were then moved offline, into a fresh hardware wallet for safekeeping whilst plans for a relaunch are in progress.

- Those responsible for the breach have not reached out since returning the funds, and we still encourage them to make contact.

Identifying Security Flaws and learning lessons.

After running extensive security checks on all devices owned by team members who have control or access to the deployer wallet address, we have come to the conclusion that an internal device in which the private key was saved was compromised, resulting in the private key being compromised to an unauthorized person, consequently allowing them to gain full access to the deployer wallet and carry out the transactions that they did.

Furthermore, another security flaw identified is that the deployer wallet did not have a multi-sig. This allowed the perpetrator to act autonomously.

With these security flaws in mind, as a first step and with the funds now secure, all devices have been individually checked, scanned, wiped of any sensitive data, and restored to factory with multiple additional layers of security software to remove all possibility of a compromise on the devices happening again. Furthermore, we will outline the next steps we will take to ensure this can never happen again.

Preventing breaches in future — Security Improvements

Our new approach will include the five following key measures for the prevention of a breach;

Multi-Sig Wallet
This security feature will only allow a transaction to happen when it is approved by multiple owners of the wallet, preventing an unauthorized person from being able to carry out any kind of transaction as they would need full approval from other owners of the wallet for the transaction to go through. Therefore, if an unrecognized transaction is requested, it cannot complete without authorization from the real owners of the wallet.

Permanently Locking Liquidity
This measure will prevent the liquidity from ever unlocking, meaning it can never be pulled even if the private key to the deployer is compromised. This is one of the most important features moving forward for the re-launch. Liquidity on the new V2 contract will be locked forever.

Renounced Ownership
By renouncing ownership to the new smart contract, there will be no special privileges granted to anyone who created the contract. Therefore, even if the private key were to be compromised, it would be impossible for an unauthorized person to carry out any dangerous or nefarious actions on the smart contract.

Improved Device Security
All core team members have had their devices checked, scanned, and had bare-metal restores done. This prevents any ongoing access to devices by hackers, bad actors, malware, or backdoors. Additionally, moving forward, all
sensitive information will never be stored on an owned device, including private keys. Once the deployer wallet is renounced, all private keys that were physically scribed offline will be permanently destroyed.

True Decentralization
With renouncing ownership of the smart contract, this will essentially make CryptoCart a completely decentralized, community driven project. There will be no owners that will be able to control the smart contract and therefore no single points of failure or vulnerability. Complete ownership will be with the community. This does not mean that the team won’t continue to drive the project forward. Everything will remain the same, the only difference will be is that it will be physically impossible for the liquidity to get stolen again, and protected from any exploits or hacks going forward.

As the core team you know today, our roles will remain the same. We will continue to develop, roll out updates, build the ecosystem, secure partnerships, and continue marketing. The only difference is that there are no “owners” or central point of control for the smart contracts, making it truly decentralized.

All of the measures outlined above will be applied to every official CryptoCart wallet, for example the Vault and GiftCard wallets

The Roadmap Ahead — Recovery and Summary

1. Secure & Investigate
2. Learn & Prevent
3. Audit & Redeploy
4. Airdrop & Automation

Firstly, we have secured and investigated all aspects of this breach with all of the resources we could pull together, resulting in this post-mortem article.

Secondly, we have learned our lessons, identified security risks, and have implemented several preventative measures moving forward to ensure complete safety and ensure this never can happen again.

Thirdly, we are in the stage now, as of writing this post-mortem, of having our V2 smart contract created from the ground up and audited. With the third stage, we have brainstormed how best to achieve anti-dump measures on the re-launch using the recovered funds and will release further information about this in due course before we go live. Additionally, we would like to note that all smart contracts relevant to the V2 relaunch will be redeployed, such as staking and bridging contracts.

Finally, the team are going through all historical transactions block-by-block using a script to ensure that we can reimburse everybody who lost funds before the fact and also deal with edge cases. This allows us to comprehensively draw a full picture of impact, block by block, to include stakers, people who panic sold immediately after the breach, and people who bought in after it happened.

What about BSC?

The bridge will remain closed until the V2 BSC CC contract is deployed and funded using V1 BSC CC liquidity. We would like to reiterate that you should not be buying any V1 tokens on any blockchain. Whilst we are certain the BSC side is unaffected, we advise not to be trading of the V1 token until the same security additions are put in place.

Liquidity for the V1 BSC CC token is unlocked on January 18th 2022 at 12:00 UTC. Therefore, our plan with this will be taking a snapshot at that exact time and date, redeploying the V2 contract, removing liquidity from V1 and supplying liquidity, airdropping all holders, and opening up the bridge again.
Ample notification will be given to all holders leading up to and before any of this takes place.

Final words from the team

We would also like to thank each and every one of you who believes in our mission for standing by us throughout all of this. Whilst this could have turned out very differently at multiple stages, we are thankful that we had the opportunity to learn from this attack, and are grateful that this has now driven new innovation that ultimately leads to making CryptoCart safer and stronger moving forward. We are excited to continue on with fulfilling absolutely every objective we initially set, including automation as the next step after relaunch, followed by ongoing integrations, and partnerships.

Thank you for supporting us.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store