$5 700 000 USD
DESCRIPTION OF EVENTS
"Roll is blockchain infrastructure for social money." "Roll enables creators to mint and distribute their own social currency under the ERC-20 standard and then determine the ways in which their communities can earn and spend that social currency." "The Roll network mints branded digital tokens unique to your online presence, allowing you to own, control and coordinate the value you create across platforms." "For example, users might be able to redeem the social currency for access to the currency’s creator."
"In a call with TechCrunch this week, Roll executives confirmed its infrastructure never underwent a security audit, a process designed to help find and fix vulnerabilities, prior to its launch."
"Roll disclosed a hacker had stolen $5.7 million from its hot wallet, a little over a year after the company launched." "The hacker then sold the tokens on Uniswap, a crypto exchange platform." "According to MyCrypto.com, the malicious entity that executed the Roll hack is now sending hundreds of ether (ETH) to Tornado Cash, an Ethereum-based privacy tool used by hackers to cover tracks and withdraw funds." "Roll said the hack seems to have occurred via a compromise of one of the wallet’s “private keys,” which is the equivalent of someone learning your master password."
"“This incident was a big setback for us, we will revamp a lot of infrastructure around this that we have in place to prevent something like this from happening again,” said Roll’s chief technology officer Sid Kalla, who oversees cybersecurity because the company does not have dedicated staff."
"It is hard to put into words how devastating this is and we are really sorry about what happened. We take security very seriously and strive to earn the trust of our creators and communities with their social money but today we messed up."
"As soon as we became aware of the attack, our first priority was to secure all the remaining tokens. We transferred all the remaining social money into our multisig and disabled all external withdraw transactions to ETH addresses. Beyond the 42 tokens above, the over 300+ tokens have not been affected. Those remain safe in our multisig. There are no additional tokens in the compromised hot wallet."
"Roll has apparently angered some followers by not immediately offering a full refund of the losses incurred. Instead, it has opened a $500,000 pool to “help the creators and their communities affected by this,” though details on how that pool works aren’t readily available on its site."
"We created a $750,000 fund internally to help creators and their communities affected by this. There is no single way to make this fair to all the affected parties – creators, their community, and the Uniswap LPs. We deployed the ETH to help as many communities as we could by directly buying the social money from the Uniswap pools. This was essentially a counter-trade to the attacker."
"Your balances for the 42 tokens that were affected will be compensated. Your balance on the Roll app for these tokens is currently up to date and accurate. You can continue to be LPs of the social money on Uniswap. The attacker does not hold any of the 42 tokens anymore."
"[W]e’ve spent a large portion of the last two weeks listening not only to the 42 creators that were affected, but hundreds of Roll community members that have gathered in our Discord, emailed us, been vocal on Twitter, hopped on a call, provided support, criticism and suggestions on how Roll can be better not only for creators, but the millions of users we wish to serve in the coming year. We see you and we hear you."
"We are significantly enhancing the security around the hot wallet key management. We are leveraging AWS provided Hardware Security Modules (HSMs) to hold the private keys to our hot wallet. The keys will not leave the HSM module but can be used to sign and send the transactions back to our blockchain services, which will then submit the transaction to the blockchain. The code that interacts with the HSM signing will be locked down both from an access control point of view and any code updates as well to provide extra security. The service will authenticate all requests via a certificate to make sure the caller is legitimate. In addition, it will only sign certain whitelisted transaction types such as withdrawal of an ERC20 token."
Roll was a platform for easily creating your own token. For example, a celebrity can create a token that gives their fans special perks such as the ability to meet them after the show.
All the tokens were held in a single hot wallet whose keys were not kept offline. The team had limited security experience and training.
Eventually an attacker compromised the wallet, took all the tokens and sold them, stealing the funds. Roll then bought the tokens back from the markets at the depressed price and later relaunched a new, more secure platform.
HOW COULD THIS HAVE BEEN PREVENTED?
The new setup keeps the keys offline and uses a multi-signature wallet, so that multiple members of the team must sign before a withdrawal can occur. This is a significantly more secure setup.
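An added example (not Roll's code) of the kind of policy gate a signing service can enforce in front of the key, combining the controls described in the HSM quote above and in the prevention note: sign only allowlisted ERC-20 transfers to known contracts, under a per-transaction limit, and only once M-of-N approvers have signed off. The contract address, limit and approver names are constructed placeholders.

```python
"""Policy gate that decides whether a hot-wallet signer may sign a request."""
from dataclasses import dataclass, field

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 transfer selector
ERC20_TRANSFER_SELECTOR = "a9059cbb"

# Constructed policy values; a real deployment loads these from locked-down config.
ALLOWED_TOKEN_CONTRACTS = {"0x" + "11" * 20}   # token contracts the wallet may call
MAX_AMOUNT_WEI = 10**21                         # 1000 tokens at 18 decimals
REQUIRED_APPROVALS = 2                          # M of N
APPROVERS = {"alice", "bob", "carol"}           # N named approvers


@dataclass
class TxRequest:
    to: str                 # contract the transaction calls
    value_wei: int          # native ETH attached to the call
    data: str               # hex calldata without the 0x prefix
    approvals: set = field(default_factory=set)  # approver identities seen


def build_transfer_calldata(recipient: str, amount: int) -> str:
    """ABI-encode transfer(recipient, amount): selector + two 32-byte words."""
    addr_word = recipient[2:].lower().rjust(64, "0")
    return ERC20_TRANSFER_SELECTOR + addr_word + format(amount, "064x")


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if calldata is exactly an ERC-20 transfer, else None."""
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[32:72]      # low 20 bytes of the first word
    amount = int(data[72:136], 16)      # second word
    return recipient, amount


def check_policy(req: TxRequest) -> list:
    """Return the list of policy violations; empty means the HSM may sign."""
    problems = []
    if req.to.lower() not in ALLOWED_TOKEN_CONTRACTS:
        problems.append("destination contract not allowlisted")
    if req.value_wei != 0:
        problems.append("native ETH value must be zero for token withdrawals")
    decoded = decode_erc20_transfer(req.data.lower())
    if decoded is None:
        problems.append("calldata is not an allowlisted transaction type")
    elif decoded[1] > MAX_AMOUNT_WEI:
        problems.append("amount exceeds per-transaction limit")
    valid = req.approvals & APPROVERS   # ignore unknown approver names
    if len(valid) < REQUIRED_APPROVALS:
        problems.append(f"need {REQUIRED_APPROVALS} approvals, have {len(valid)}")
    return problems
```

Any non-empty result is a reason to refuse the signing call and to alert, which is the detection hook this design gives a defender that a raw hot-wallet key never did.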
Rekt - Leaderboard (May 13)
Rekt - Roll - REKT (May 16)
Roll still doesn’t know how its hot wallet was hacked – TechCrunch | Business Blockchain HQ (May 18)
Why Terry Crews is launching a social currency – TechCrunch (May 18)
Roll - The new standard in social money (May 18)
Roll Raises Another $1M to Make Money Social - CoinDesk (May 18)
Roll still doesn’t know how its hot wallet was hacked – TechCrunch (May 19)
Hacker Steals $5.7 Million From Social Token Startup Roll (May 19)
@karma_dao Twitter (May 19)
Security Incident Update - Roll - the new standard in social money (May 19)
Security Incident - Roll - the new standard in social money (May 19)
Social Tokens Crash After Reported Hack at Roll - CoinDesk (May 19)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall - Decrypt (Aug 11)
@amanusk_ Twitter (Jul 23)
https://etherscan.io/tx/0x5ebcf5b1ff3b5bf8988668b8ec89a4d3cbfcd2c10308f8b16fb44c0b7bccce3c (Jul 23)
@FrankResearcher Twitter (Jul 23)
https://etherscan.io/address/0x6060b77a5d8309eb36374198e197072205ea2bb3 (Jul 23)
@FrankResearcher Twitter (Jul 23)