OlympusDAO V2 Migration Scams

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 13:04, 6 September 2023 by Azoundria (talk | contribs) (Another 30 minutes complete. Additional sources merged in. Working on prevention.)

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

OlympusDAO Homepage

OlympusDAO is a decentralized reserve currency. During the migration to V2, scammers took advantage of the confusion faced by at least one user to trick them out of $20k in funds. There is no indication that any funds have been recovered.

About OlympusDAO

[1][2]

"The Decentralized Reserve Currency. Olympus is building a community-owned decentralized financial infrastructure to bring more stability and transparency for the world."

"Olympus is a decentralized reserve currency protocol based on the OHM token. Each OHM token is backed by a basket of assets (e.g. DAI, FRAX) in the Olympus treasury, giving it an intrinsic value that it cannot fall below. Olympus also introduces unique economic and game-theoretic dynamics into the market through staking and bonding."

"OlympusDAO is an experimental project in the cryptosphere. The DAO manages a token treasury that's used to back the OHM currency. The purpose of the treasury is to make sure the token maintains a certain floor price. If the token drops below that price, the assets in the treasury can be sold to buy back OHM tokens — with the goal to bring its price back above that mark."

"The DAO uses a process for helping the token to stay above that mark called Bonding. The DAO buys assets from investors (to go into the treasury) and issues OHM tokens to replace them. These bonds usually get a 5-10% discount and the tokens are handed out after a vesting period, which is currently set to five days."

[3]

Olympus DAO Version 2 And Migration

[4][5][6]

"V2 migration introduces new features such as on-chain governance and auto-staking for bonds.

Transitioning from sOHM V1 to gOHM allows for multiple bonds to be taken at one time, as opposed to one bond per vesting period as it was in v1."

"Partial liquidity will remain for v1 OHM while the migration is in progress. This provides sufficient liquidity for borrowers to close or move their borrowing position."

The Reality

[7][8]

Many users expressed confusion about the migration process.

"I mean yes you can transfer to gohm, but first of all where is the official page explaining how it works? There is so much confusion surrounding the whole migration. There are problems with the app and website, plus endless posts about not showing in wallet and restaking."

Scammers will actively take advantage of any situation, including a confusing migration.

What Happened

OlympusDAO forum user srht21 reports that their assets worth $20k were taken because they entered a live chat with a scammer instead of real Olympus DAO team members.[9]

Key Event Timeline - OlympusDAO V2 Migration Scams

Date | Event | Description
December 17th, 2021 1:33:00 AM MST | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
December 22nd, 2021 8:37:21 AM MST | Post On OlympusDAO Forum | OlympusDAO forum user srht21 reports on the OlympusDAO Forum that their assets worth $20k were taken because they entered a live chat with a scammer instead of real OlympusDAO team members[9].
December 22nd, 2021 3:38:38 PM MST | Post On OlympusDAO Forum | srht21 posts the same message a second time. Their original post is unanswered[10].
December 23rd, 2021 5:15:49 AM MST | OlympusDAO Team Responds | kschan, a member of the OlympusDAO team, responds that their "forum was raided by scammers recently and [they] have removed those posts". They recommend using "Discord for any future issues" and remind users that "Olympus moderators or administrators will NEVER message you first in Discord"[10].
December 25th, 2021 4:53:01 PM MST | Post On OlympusDAO Forum | srht21 starts another separate thread to expand on the impact of their loss and the responsibility they feel the OlympusDAO team should bear[11].

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $20,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Post On OlympusDAO Forum

srht21 posted about their situation on the OlympusDAO Forum[9][10].

The live chat I clicked on to inquire about the V2 migration turned out to be fake and stole all my assets ($20,000) in my wallet. And these malicious hackers have victimized many Olympus investors like me. Will Olympus officials have an explanation on this issue? All these problems happened because people need support due to the V2 transition. All our mistake was investing in Olympusdao. Please, the Olympus team needs to see this situation and we are waiting for an explanation.

They received a response from the team eventually[10].

Sorry for your loss. Our forum was raided by scammers recently and we have removed those posts. Please use our Discord for any future issues. Remember, Olympus moderators or administrators will NEVER message you first in Discord. So, please ask and get answers only from the public channel.

It appears that the thread was also closed. srht21 put up a follow-up message on Christmas[11].

My loss is huge because most of my investments are ohms. There are many traders who suffer losses while staking Olympusdao and the Olympusdao team bears great responsibility for these losses. I don't understand why you closed this thread with an apology, because we fell into the trap of hackers while looking for answers to the problems we experienced in the V2 transition. I need help from the Olympusdao team regarding this issue. Please reply to my message; a hacker stole all my hard work and it's just because of the Olympusdao V2 pass.

"It's not that the migration doesn't work, and with research the info can be found and completed with relative ease. But if any traditional finance company with 1-2bn AUM did this without an official page on the main website, they would get completely burnt. Imagine if you are an average 40-60 year old having your savings in ohm and to migrate your money you have to rely on going to twitter or discord - forget it. Crypto and ohm especially is hard enough to understand."

Ultimate Outcome

The first thread by srht21 on the OlympusDAO forum was never answered[12] and ultimately deleted. The second thread was closed with an apology. Their third thread got a response from one member of the community[11].

I'm very sorry for your loss. It has to be gut wrenching. I don't speak for anyone in the Dev team here, I'm just an Ohmie as well.

It's hard to respond to something like this without telling someone to look at what they did wrong themselves. The Discord, the Forums, almost everything everywhere tells you to be very careful and never follow support links or give out your pass phrase to your digital wallet. You had to have done one of these things that jeopardized your wallet and allowed access. Hell, there is one site that required a whole lot of KYC to get set up and I'm scared of it someday coming to bite me.

In the end if you've made a fatal mistake with your wallet, all you can do is create a new digital wallet and start over. Make sure you remove anything else out of that wallet before they get their thieving hands on it too, btw…

Remember,

"If you have a problem, if no one else can help, and if you can find them…..Maybe you can hire The A-Team"….

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

The exact mechanism of the scam is unclear from the available sources (the victim reports a fake "live chat" reached while looking for migration support, but not what they were asked to do in it), so no specific policies for individual prevention have yet been identified in this case.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
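As an added illustration of the review steps above (this is example code written for this page, not OlympusDAO's own tooling or any wallet's code), the following script decodes the calldata of a pending token transaction and reports the points the policy says to check before signing: whether the contract and the spender are the ones intended, whether the spender merely resembles the intended address at its start and end (the pattern left by clipboard substitution), and whether the allowance requested is unlimited. The function selectors for approve, setApprovalForAll and transfer are the standard ERC-20/ERC-721 ones; the token address, the spender addresses and the transaction itself are constructed for the example and are not real OlympusDAO values.

```javascript
// Added example for this page, not OlympusDAO or wallet code. Decodes a pending
// transaction's calldata and reports what the policy above says to review:
// the contract being called, the permission granted, and the counterparty address.

// Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",          // ERC-20 allowance
  "0xa22cb465": "setApprovalForAll(address,bool)",   // ERC-721/1155 operator approval
  "0xa9059cbb": "transfer(address,uint256)",         // ERC-20 transfer
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Split 0x-prefixed calldata into the selector and 32-byte argument words.
function parseCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) {
    throw new Error("calldata is not a selector followed by whole 32-byte words");
  }
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: "0x" + hex.slice(0, 8), words };
}

// ABI static encoding: an address is the low 20 bytes of its word; uint256/bool fill the word.
const wordToAddress = (w) => "0x" + w.slice(24);
const wordToBigInt = (w) => BigInt("0x" + w);

// Two different addresses that agree on the first four and last four hex digits are
// what a clipboard-substitution lookalike typically looks like. Inputs are lowercase.
function looksAlike(a, b) {
  return a !== b && a.slice(0, 6) === b.slice(0, 6) && a.slice(-4) === b.slice(-4);
}

// Compare a transaction {to, data} with what the user intended:
// expected = { contract: address meant to be called, spender: address meant to be approved }.
function reviewTransaction(tx, expected) {
  const findings = [];
  const { selector, words } = parseCalldata(tx.data);
  const fn = SELECTORS[selector] || null;
  const wantContract = expected.contract.toLowerCase();
  const wantSpender = expected.spender.toLowerCase();

  if (tx.to.toLowerCase() !== wantContract) {
    findings.push(`target contract ${tx.to} is not the expected ${expected.contract}`);
  }
  if (fn === null) {
    findings.push(`unknown function selector ${selector}; do not sign what you cannot decode`);
    return { fn, counterparty: null, findings };
  }
  const counterparty = wordToAddress(words[0]);
  if (fn !== "transfer(address,uint256)") {
    // approve / setApprovalForAll: who is being granted control over the wallet's tokens?
    if (counterparty !== wantSpender) {
      findings.push(`grants ${counterparty}, not the expected spender ${expected.spender}`);
    }
    if (looksAlike(counterparty, wantSpender)) {
      findings.push("spender matches the expected address only at the ends: possible lookalike");
    }
  }
  if (fn === "approve(address,uint256)" && wordToBigInt(words[1]) === MAX_UINT256) {
    findings.push("unlimited token allowance requested");
  }
  if (fn === "setApprovalForAll(address,bool)" && wordToBigInt(words[1]) === 1n) {
    findings.push("operator approval over every token in the collection requested");
  }
  return { fn, counterparty, findings };
}

// Constructed sample (not a real OlympusDAO transaction): a page asked the wallet to
// sign an unlimited approve() to a lookalike of the migrator address the user intended.
const TOKEN = "0x" + "11".repeat(20);
const SPENDER_OK = "0xabcd" + "0".repeat(32) + "1234";
const LOOKALIKE = "0xabcd" + "0".repeat(31) + "d1234";
const EXPECTED = { contract: TOKEN, spender: SPENDER_OK };
const SAMPLE_TX = {
  to: TOKEN,
  data: "0x095ea7b3" + "0".repeat(24) + LOOKALIKE.slice(2) + "f".repeat(64),
};

function reviewSample() {
  return reviewTransaction(SAMPLE_TX, EXPECTED);
}

const result = reviewSample();
console.log(result.fn, "->", result.counterparty);
for (const f of result.findings) console.log("  !", f);
```

Run it with node; it needs no network access. On the constructed transaction it reports three findings (wrong spender, lookalike spender, unlimited allowance), which is exactly the kind of mismatch that a user hurrying through a confusing migration would otherwise approve without reading. In practice the same check is applied to the to and data fields a wallet shows before signing, and the test transaction the policy recommends is a way of confirming, with a small amount, that the decoded intent and the on-chain outcome agree.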

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References