$42 000 USD

OCTOBER 2020

GLOBAL

WLEO

DESCRIPTION OF EVENTS

"WLEO is a wrapped version of the LEO token, which runs on the Hive blockchain." "Wrapped LEO (wLEO) is an Ethereum ERC20 token that represents LEO token. Each wLEO is backed by real LEO and can be converted back to LEO at any time." "The price of WLEO is pegged to the LEO token, but as it runs on the Ethereum blockchain, it can be used in smart contracts, and has access to the wider Ethereum ecosystem." "To receive wLEO, send LEO to @wrapped-leo with your Ethereum address as a memo." "To receive LEO, enter your Hive username into "wLEO to LEO" form (front page). You will need MetaMask to interact with smart contract."

 

"The WLEO contract was hacked on October 11, resulting in $42,000 worth of stolen funds. The hacker stole Ethereum (ETH) from decentralized exchange Uniswap’s pool by minting WLEO to himself and swapping it for Ethereum."

 

"What we know is that the hacker in question stole ETH from the pool by minting WLEO to himself and then swapping it into the market for ETH."

 

"The problem was quickly spotted by many users that understood these were false transactions and they removed liquidity from the pool as soon as they found out. This reduced the hacker's ability to steal ETH from the pool." "As the hack was taking place, WLEO users were quick to notice false transactions taking place, and responded by swiftly removing 50% of liquidity from the pool within the hour. A few hours later, over 75% of liquidity was removed from the pool, limiting the returns the hacker has been able to enjoy." "There is a bug that is allowing a hacker to print wLEO without supplying LEO. If you are providing liquidity to the pool your ETH is at risk."

 

"Following the information provided by LeoFinance on Monday, WLEO’s issuing contract/address got exposed, which enabled that unknown hacker to create the Wrapped Leo tokens for himself, which is cashed out in Ether (ETH) from the project’s Uniswap pool." "“From what I keep hearing, this has happened to many other pools on Uniswap. The token issuing contract/address gets exposed and then someone takes advantage of it to mint infinite tokens and rug pull the Uniswap pool to steal the Ethereum,” said Khaleel Kazi, founder of the LEO Finance community, in a report about the hack." "While the LeoFinance team is currently investigating the attack, they said it remains unknown how the project’s contract was exposed."

 

"The ETH was then sent to Binance (Binance has been contacted but there may be nothing they can do since the hacker seems to have used non-kyc'd accounts to receive the ETH)." "Binance has the powers to freeze the hacker's account and help recover the stolen funds. However, it will never be able to help unmask the hacker's identity and bring him to justice because the account has no KYC."

 

"Earlier today, we managed to shut down the contract and withdraw the remaining liquidity from the pool (about 114 ETH)."

 

"It will take us some time to snapshot the balances before the hack and figure out who had withdrawn liquidity vs. who was still in the pool at the time of the hack, but we will continually work on it and keep you posted on the distribution of this ETH back to LPs."

 

"This temporary setback will cause a slight delay in the release of the new LeoFinance UI update. We're still aiming to release it this week, but will focus on fixing the issues with WLEO first along with sorting through the remaining LP balances."

WLEO is a wrapped smart contract around the LEO token. An attacker somehow managed to get ahold of the private key which manages the contract. They used this key to mint a significant amount of WLEO, which they then liquidated.

 

Some of the funds were left in the liquidity pool. It's not clear if affected users recovered more than a small portion of what they had.

HOW COULD THIS HAVE BEEN PREVENTED?

Using a single key held by only one person is poor security. A multi-signature wallet is more secure. It also appears likely that the key was not stored properly.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.