A small and very new project, Taylor, developing a crypto trading app was hacked on or around May 20th, with 2,578.98 eth and 659,000 Tay tokens stolen.
The stolen eth was the entire amount they raised in or around February in an ICO, so the hacker seemingly looted everything.
“Today we arrived at the office and found out that we’ve been hacked and all of our funds have been stolen. Not only the balance in ETH (2,578.98 ETH), but also the TAY tokens from the Team and Bounty pools.
The only tokens that were not stolen are the ones from the Founders’ and Advisors’ pools, because there’s a vesting contract making them inaccessible for now.”
The address above is where the tokens still sit; it belongs to the hacker, according to Taylor.
As can be seen above, the hacker or hackers tried to send, or did send, some eth to IDEX, a decentralized ethereum-based exchange. Taylor said they contacted the exchange and asked them to delist Tay.
What exactly happened here is a bit of a mystery. The project claims to have a number of solidity devs who, you’d think, would know the basics of coin security. Philip Daian of Cornell says:
“If you’re running an ICO or storing large amounts of cryptocurrency, for the love of God hire competent people to look at your funds storage. There is *absolutely no* reason a token raise should keep >5% hot. And risks are just beginning (haven’t even hit physical opsec realm).”
That physical realm can probably be addressed by holding the eth in a contract that makes moving them difficult: a time lock, a requirement that a number of individuals or locations sign off on any transfer (a multisig), or maybe even some form of reversibility.
Something the team apparently knows how to do, since they say the Founders’ and Advisors’ tokens were not stolen precisely because a vesting contract makes them inaccessible for now.
The token’s advisors seem to be primarily crypto-traders who apparently also like to call themselves influencers even though we’re not quite sure what exactly they influence.
Certainly not security, but Taylor says they’ll keep charging on despite now presumably having no money. How they’ll do so, we do not know.
In public places suspicion runs high that this might have been an exit scam, but why bother with the scam bit rather than just exit by not delivering or slacking off, we do not know.
We therefore doubt that suggestion, if we assume the team is made up of individuals with some sense. Yet there are calls for an audit, or a report, or an investigation to determine just what exactly happened.
That would very much assist, but again how exactly they pay for it is unclear at this stage. But at least some things are clear.
One of them is, take “influencers” and whatever they say with a mountain of salt. Not because we suspect anything, but because crypto trading and influencer shouldn’t really be within the same sentence.
More importantly however, if we take all this at face value and ignore clear incompetence or gross and even reckless negligence, the lesson here is that security is far from a luxury in the crypto space.
Little, if anything, comes before it, and while in some instances such lapses are eventually excusable, they do tend to take a toll on reputation where it concerns such matters as holding others’ money.
Because while, say, trustnodes might be hacked for five minutes, fool no one and have no one caring one bit, when it comes to exchanges or smart contracts the damage is often irreversible.
Which is why the ecosystem has spent considerable resources on best practices to secure your coins, with rule number one being keep it offline, and rule number two being split the key with Shamir’s Secret Sharing and store the pieces in many different locations, so that no single location holds enough to reconstruct it.
Otherwise, given that the digital gold can be reached from anywhere on the planet, the question is never whether you will be hacked, only when.