
RE: LEO Roundtable: WLEO Hack Aftermath and Rebuilding

in LeoFinance, 4 years ago

I'm glad you guys are deferring another wrapped token, but are there any leads as to how exactly this happened? It seems like you guys are jumping the gun if you're talking about making victims whole while the exact cause has not been discovered yet.

I understand that this is still fresh. And it makes sense to discuss responses and mitigations. But if the root cause has not been discovered, what assurance do we have that another pair will not be compromised?

If the keys were compromised, this is a problem that will happen again and again, regardless of any pool configuration or coding, if the same security practices are in place. In fact, Uniswap would be completely irrelevant, if that's the case.

Since LeoDex is an exchange, if the keys were compromised, Uniswap is beside the point entirely, except that it just so happens to allow the attack to obtain something of value (ETH). What happened here is a $120,000 penetration test. I hope it was worth it.

What I mean is, imagine LeoDex offered its own pegged Hive Engine token, like LEO.ETH. It's not Uniswap. But it's just as vulnerable to key compromises, as this "pentest" shows.

The price of this attack could have been worth it if it indeed revealed a critical flaw in your security. I am enthusiastic about Leo. I want to see success. But I would need some assurances in order to take it seriously moving forward.

Although multi-sig sounds like a good route, it doesn't fully answer the original question.

Posted Using LeoFinance Beta


Completely agree that finding the cause should be the priority. Some people I know have said that unless a plan to ensure that this type of stuff won't happen again is put in place, they don't want to use LEO products. And who can blame them? When money is involved, security is a big concern.

Posted Using LeoFinance Beta

I don't know enough about Ethereum smart contracts, so forgive me if this is a stupid question: If it turns out the keys were compromised and there's nothing wrong with the actual contract, does that mean we can just pick up where we left off on the wLEO-wETH pool, and change nothing, apart from the key involved?

Or is the compromised (public) key somehow hard-coded into the contract in some way, thereby requiring a replacement contract?

I don't know myself either. I'm not a big user of ETH. I'd wait for someone who knows to come around to answer it.

Posted Using LeoFinance Beta
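Whether a compromised key forces a replacement contract depends on how the contract holds that key, and that is something only the deployed code can answer. The Solidity below is an added illustration written for this thread; it is not the wLEO contract and not code from the LeoFinance team, and the contract and function names are invented. It contrasts the two common patterns: a privileged address kept in mutable storage with a setter, and one baked in at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this thread, not the wLEO contract.
// Both contracts below are deliberately minimal: just enough ERC-20 shape
// to show where the privileged (minting) key lives.

// Pattern A: the privileged address is a storage variable with a setter.
// A contract written this way can survive a key compromise without being
// redeployed, but only if the legitimate holder rotates the key before the
// attacker does; the attacker holds the same key and can call setMinter too.
contract MintableWrappedToken {
    address public minter;                         // mutable storage slot
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event MinterChanged(address indexed previous, address indexed current);
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() {
        minter = msg.sender;                       // deployer key is the first minter
    }

    modifier onlyMinter() {
        require(msg.sender == minter, "not minter");
        _;
    }

    // Key rotation: the current minter hands control to a new address.
    // Pointing this at a multisig wallet contract is how "multi-sig" is
    // usually retrofitted onto a contract of this shape.
    function setMinter(address newMinter) external onlyMinter {
        require(newMinter != address(0), "zero address");
        emit MinterChanged(minter, newMinter);
        minter = newMinter;
    }

    // The operation a stolen minter key lets an attacker perform at will.
    function mint(address to, uint256 amount) external onlyMinter {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Pattern B: the privileged address is fixed at deployment. An `immutable`
// value is written into the contract bytecode rather than storage and has no
// setter, so a compromise of that key can only be handled by deploying a
// replacement contract at a new address.
contract FixedMinterWrappedToken {
    address public immutable minter;               // set once, never changes
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(address minter_) {
        require(minter_ != address(0), "zero address");
        minter = minter_;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}
```

Two practical consequences follow from this distinction. With pattern B, or with pattern A where the attacker has already called the setter, the fix is a new token contract; because a Uniswap pair is identified by the addresses of its two tokens, a new token contract also means a new pool, and existing liquidity has to be withdrawn and re-added rather than carried over. With either pattern, rotating or redeploying only helps if the replacement key is generated and stored under different practices than the one that leaked, which is the point the original comment is making.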

Very good constructive criticism. The team is working hard on how to move forward as you know. Many have shown their support and faith in the LeoFinance projects and currently the trading has reflected that.

I really don't know that this was a pen test as it was not performed by an ethical hacker. That is my understanding after reading the blogs and watching the videos concerning this event.

There are few that would offer to compensate folks for their losses.

Posted Using LeoFinance Beta

I think it's a good demonstration of what can be expected if a stable pool is ever achieved. A good dry-run, so to speak.

And as @nealmcspadden pointed out in the video, the pool's performance is entirely independent of the analytics/ad revenue goals, which is very encouraging.

Thanks to Providence this happened before a major exchange was about to list wLEO. The Crypto Gods evidently like LEO Finance.


Posted Using LeoFinance Beta