WLEO Contract Hack
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
WLEO is a wrapped smart contract around the LEO token. An attacker somehow managed to get ahold of the private key which manages the contract. They used this key to mint a significant amount of WLEO, which they then liquidated.
Some of the funds were left in the liquidity pool. It's not clear if affected users recovered more than a small portion of what they had.
This is a global/international case not involving a specific country.
About WLEO
"WLEO is a wrapped version of the LEO token, which runs on the Hive blockchain." "Wrapped LEO (wLEO) is an Ethereum ERC20 token that represents LEO token. Each wLEO is backed by real LEO and can be converted back to LEO at any time." "The price of WLEO is pegged to the LEO token, but as it runs on the Ethereum blockchain, it can be used in smart contracts, and has access to the wider Ethereum ecosystem." "To receive wLEO, send LEO to @wrapped-leo with your Ethereum address as a memo." "To receive LEO, enter your Hive username into "wLEO to LEO" form (front page). You will need MetaMask to interact with smart contract."
"The WLEO contract was hacked on October 11, resulting in $42,000 worth of stolen funds. The hacker stole Ethereum (ETH) from decentralized exchange Uniswap’s pool by minting WLEO to himself and swapping it for Ethereum."
"What we know is that the hacker in question stole ETH from the pool by minting WLEO to himself and then swapping it into the market for ETH."
"The problem was quickly spotted by many users that understood these were false transactions and they removed liquidity from the pool as soon as they found out. This reduced the hacker's ability to steal ETH from the pool." "As the hack was taking place, WLEO users were quick to notice false transactions taking place, and responded by swiftly removing 50% of liquidity from the pool within the hour. A few hours later, over 75% of liquidity was removed from the pool, limiting the returns the hacker has been able to enjoy." "There is a bug that is allowing a hacker to print wLEO without supplying LEO. If you are providing liquidity to the pool your ETH is at risk."
"Following the information provided by LeoFinance on Monday, WLEO’s issuing contract/address got exposed, which enabled that unknown hacker to create the Wrapped Leo tokens for himself, which is cashed out in Ether (ETH) from the project’s Uniswap pool." "“From what I keep hearing, this has happened to many other pools on Uniswap. The token issuing contract/address gets exposed and then someone takes advantage of it to mint infinite tokens and rug pull the Uniswap pool to steal the Ethereum,” said Khaleel Kazi, founder of the LEO Finance community, in a report about the hack." "While the LeoFinance team is currently investigating the attack, they said it remains unknown how the project’s contract was exposed."
"The ETH was then sent to Binance (Binance has been contacted but there may be nothing they can do since the hacker seems to have used non-kyc'd accounts to receive the ETH)." "Binance has the powers to freeze the hacker's account and help recover the stolen funds. However, it will never be able to help unmask the hacker's identity and bring him to justice because the account has no KYC."
"Earlier today, we managed to shut down the contract and withdraw the remaining liquidity from the pool (about 114 ETH)."
"It will take us some time to snapshot the balances before the hack and figure out who had withdrawn liquidity vs. who was still in the pool at the time of the hack, but we will continually work on it and keep you posted on the distribution of this ETH back to LPs."
"This temporary setback will cause a slight delay in the release of the new LeoFinance UI update. We're still aiming to release it this week, but will focus on fixing the issues with WLEO first along with sorting through the remaining LP balances."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| October 11th, 2020 12:00:00 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
It is unknown how much was recovered.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Using a single key held by only one person is poor security. A multi-signature wallet is more secure. It also appears likely that the key was not stored properly.
References
Crypto Hacks 2020: A Comprehensive List - ImmuneBytes (May 17)
wLEO was Hacked on Ethereum (May 23)
WLEO Market Maintain the Trading Range Market Come Down to this Support Area on the 25th of April (May 23)
Wrapped LEO - FAQ (May 23)
Ethereum Project WLEO Hacked for $42,000 - Decrypt (May 23)
wLEO Was Hacked on Ethereum | Thank You Everyone for the Amazing Support (May 23)
Address 0x8c9a02c89c96940e377052a9be0c7326f89a2495 | Etherscan (May 23)
DeFi project hacked again: WLEO loses $42,000 to recent hacker | Cryptopolitan (May 23)
WLEO Hack and the KYC Question (May 23)
Remove Your Liquidity From WLEO Now Compromised (May 23)
WLeo was Hacked My Thoughts and Opinions (May 23)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 19)
SlowMist Hacked - SlowMist Zone (May 17)