8ight Finance Private Key Leak
8ight Finance was launching an 8-ball themed DAO on the Harmony blockchain. By the team's own account, the treasury was controlled by a single private key that had been shared between the two admins through a Facebook group chat and Google Drive, so anyone holding a copy could move funds without a second approval. The entire treasury, about $1.75m, was withdrawn. The team offered either to disburse the $250k marketing budget or to relaunch a new protocol, and the community voted for a relaunch. At present there do not appear to be any further updates and the website is offline, though the Twitter and Medium accounts are still available.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About 8ight Finance
"Fork of $OHM on $ONE." "8ight Finance is a Decentralized Autonomous Organization (DAO), built by experienced DeFi developers, designers, and researchers." "We are proud to be a part of Defi 2.0."
"8ight Finance is a Decentralized Autonomous Organization (DAO), built by experienced DeFi developers, designers, and researchers. Our goal is to fulfill @danielesesta’s promise that he can’t keep, and also to create a policy-controlled reserve currency system, in which the behavior of the $EIGHT token is controlled by the DAO. Let’s dive into the tokenomics of $EIGHT."
"OlympusDAO, Wonderland.money, KlimaDAO has introduced new tokenomics to the crypto world and has achieved great success over the past year. 8ight Finance is focusing on reducing and maintaining a super fast and cheap protocol’s operation fee which will yield even more in APY for stakers, henceforth more incentives for treasury growth."
"Our 8ight universe will be on the Harmony blockchain. We believe Harmony as an Ethereum scaling solution is the future of DeFi! It is worth mentioning that significant liquidity and a potential growing DeFi ecosystem already exist on Harmony, which should be a strong base for our system."
"Our long-term goal is to be seen as the decentralized reserve currency of Harmony and the broader DeFi ecosystem, an ecosystem we believe is primed for explosive growth." "8ight Finance guarantees to share 33% of the DAO profits to OlympusDAO."
"When $EIGHT market price is below 1 DAI, the protocol buys it back and burns $EIGHT. When $EIGHT market price is above 1 DAI, the protocol mints and sells new $EIGHT."
"This is because the treasury must hold 1 DAI and only 1 DAI for each $EIGHT. Every time the protocol is bought or sold, it makes a profit. That means the protocol either gets more than 1 DAI on the sale side or spends less than 1 DAI on the purchase side."
"The fact that the protocol holds DAI for each token allows us to say with certainty that $EIGHT will not trade below its intrinsic value in the long term."
"Building a solid protocol is hard work, and it requires capital. Audits, development, legal, all of these things need some amount of money to get done. Beyond that, it requires alignment so that contributors feel personally incentivized to give their all."
"The first 1,000 initial discord offering whitelist will be opened on the 30th of October. Everyone can get more entries in the whitelisting program by joining our Discord’s role tasks! The more entries you get, the more likely you will be on the whitelist!"
"We’ve successfully launched and we’re overwhelmed with the support that the community gave us. But no time for rest, our team returns to work with the aim of bringing the community the best products."
Homepage: [15]
Medium Post Introduction: [16]
CoinMarketCap: [17]
The Reality
“Two devs in the team have the key, and they were sent through Facebook groups chat and google drive. This is our first project, so we must admit our opsec was low."
What Happened
On December 6th, "Our private key got compromised and the funds have been transferred out of the treasury." "First of all, we are dreadfully sorry for the incident." "8ight Finance, an OHM fork on Harmony that offered to help people affected by the Snowdog DAO rug pull, lost around $1.75 Million in what’s supposedly a private key leak."
Transactions from [18]

Date | Event | Description |
---|---|---|
December 6th, 2021 9:21:00 PM MST | 8ight Finance Announcement | The 8ight Finance team announces the breach on Twitter[18]. |
December 8th, 2021 3:08:18 AM MST | FullyCrypto Article Published | FullyCrypto reports that 8ight Finance admitted its operational security ("opsec") was insufficient after approximately $1.73 million in stablecoins was taken from its treasury, with the funds sent on to Tornado Cash[19]. |
Technical Details
Transaction links: [18]
“Two devs in the team have the key, and they were sent through Facebook groups chat and google drive. This is our first project, so we must admit our opsec was low. At the time when the withdrawal happened, our team was working on launching the BUSD (4,4) bonds. To be transparent with everyone, we lost a lot of money and time invested in 8ight, and it f*cking hurts to see someone else taking away everything we had built. We delivered everything on time, and we reached out to Harmony, DFK, and a lot of partnerships to try and grow EIGHT. You guys here all know the admin and the mods team worked our a*ses off, but the timing of the market, the downfall of SB and SDOG, OHM bond funds f*cked up the price action, and we tried our best to push and deliver. So our team will take in opinions and decide later on.”
"We had contacted Synapse to find where the money was transferred, and they provided us with this ETH address: 0x4d8071452bF5f629eA1c72E1e42A18aebc04cA1d"
"The money has been sent to Tornado Cash, which is currently untraceable. We are finding the solution to recover from this incident."
Total Amount Lost
The total amount lost has been estimated at $1,750,000 USD.
Immediate Reactions
8ight Finance, a Harmony blockchain project, admitted that its security measures ("opsec") were insufficient after hackers stole approximately $1.73 million worth of stablecoins from its treasury. The breach occurred because private keys to the treasury wallets were shared through Facebook chat and Google Drive. Despite only being launched in October, the project's entire treasury was emptied, with the funds sent to an Ethereum mixing service called Tornado Cash. The project is now working on a recovery plan, which includes creating a new project using the remaining funds and conducting an airdrop for token holders. However, community sentiment remains skeptical due to the security lapse[19].
Ultimate Outcome
"The admins of the discord server have assured the investors and members who lost their funds that they wouldn’t go this far to rug the pool. However, since all the money has already been sent to Tornado Cash, it’ll be tough to identify who was actually behind the address used to transfer the funds."
"After the incident, we had conducted the community vote. As proposed by the community, the fund will be used to rebuild a new protocol."
"Our new detailed identity is being completed due to the opinions and feedback from the community. Specifically, the new project will establish a multisig from the very start. (multisig is a committee that includes 4 key holders: 2 team members, and 2 mods from the community)."
"Every proposal would need consensus from at least 3/4 key holders, before being executed. Simply put, it will take us about 2.5–3 months to complete all the necessary steps to prepare and roll out the new project’s release."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
Those who used the 8ight protocol were effectively handing over their DAI in exchange for a new token that promised redemption of that DAI. Not enough care was taken as to who was being trusted with those DAI assets: a single private key, copied into a Facebook group chat and Google Drive, controlled the whole treasury. This appears to be incompetence rather than malice, but it highlights the importance of a proper multi-signature wallet and of training every key holder in operational security.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
As identified by the team, it was the lack of a multi-signature wallet and poor operational security that contributed to the loss of the entire project treasury. An industry insurance fund can help determine suitable validators and provide assistance in the event of a breach.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. A key that is shared between several people, as in this case, still counts as a single signature no matter how many people can use it. The multi-signature should be enforced at the lowest layer possible (in the contract or wallet itself, not only in an off-chain process), all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
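The 3-of-4 arrangement the team describes in its recovery plan, and the multi-signature requirement in both the Individual and the Platform prevention policies, can be seen in working form in the following Go program. It is an added illustration written for this page, not 8ight Finance's code and not the treasury contract. It models an off-chain M-of-N treasury in which a spend executes only when at least Threshold distinct registered key holders have signed the same proposal, and it shows the two failure modes that matter here: a single leaked key, even presented repeatedly, is refused, and an already-executed proposal is refused on replay. The Ed25519 keys, the recipient string, the balance figure and all function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Treasury is an M-of-N multi-signature vault: nothing leaves it unless at
// least Threshold distinct registered holders sign the same proposal.
type Treasury struct {
	Holders        map[string]bool // registered holders, keyed by raw public key bytes
	Threshold      int             // M approvals required out of len(Holders)
	Balance, Nonce uint64          // constructed balance; nonce bumps per execution
}

// Proposal is a spend request; every field is bound into the signed digest.
type Proposal struct {
	To            string
	Amount, Nonce uint64
}

// Digest is the message each holder signs (domain-separated, fixed layout).
func (p Proposal) Digest() []byte {
	var nums [16]byte
	binary.BigEndian.PutUint64(nums[:8], p.Amount)
	binary.BigEndian.PutUint64(nums[8:], p.Nonce)
	sum := sha256.Sum256(append([]byte("treasury-proposal-v1:"+p.To), nums[:]...))
	return sum[:]
}

// Approval is one holder's signature over a proposal digest.
type Approval struct {
	Signer    ed25519.PublicKey
	Signature []byte
}

var (
	ErrStaleNonce    = errors.New("proposal nonce does not match treasury nonce")
	ErrUnknownSigner = errors.New("signer is not a registered key holder")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrThreshold     = errors.New("fewer distinct valid approvals than threshold")
	ErrInsufficient  = errors.New("insufficient treasury balance")
)

// Execute releases funds only with at least Threshold valid signatures from
// distinct holders; one key presented repeatedly counts once.
func (t *Treasury) Execute(p Proposal, approvals []Approval) error {
	if p.Nonce != t.Nonce {
		return ErrStaleNonce // already executed, or built against stale state
	}
	digest, distinct := p.Digest(), map[string]bool{}
	for _, a := range approvals {
		if !t.Holders[string(a.Signer)] {
			return ErrUnknownSigner
		}
		if !ed25519.Verify(a.Signer, digest, a.Signature) {
			return ErrBadSignature
		}
		distinct[string(a.Signer)] = true
	}
	if len(distinct) < t.Threshold {
		return ErrThreshold
	}
	if p.Amount > t.Balance {
		return ErrInsufficient
	}
	t.Balance, t.Nonce = t.Balance-p.Amount, t.Nonce+1
	return nil
}

// GenerateHolders creates n fresh key pairs: the holder set and matching private keys.
func GenerateHolders(n int) (map[string]bool, []ed25519.PrivateKey) {
	holders, privs := map[string]bool{}, []ed25519.PrivateKey{}
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		holders[string(pub)], privs = true, append(privs, priv)
	}
	return holders, privs
}

func Sign(priv ed25519.PrivateKey, p Proposal) Approval {
	return Approval{Signer: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, p.Digest())}
}

func main() {
	holders, privs := GenerateHolders(4) // 2 team members + 2 community mods
	tr := &Treasury{Holders: holders, Threshold: 3, Balance: 1_750_000}
	p := Proposal{To: "0xRecipient", Amount: 250_000, Nonce: tr.Nonce}
	one := Sign(privs[0], p) // a single leaked key, presented three times
	fmt.Println("one key x3:", tr.Execute(p, []Approval{one, one, one}))
	ok := []Approval{Sign(privs[0], p), Sign(privs[1], p), Sign(privs[3], p)}
	fmt.Println("3-of-4:", tr.Execute(p, ok), "balance:", tr.Balance)
	fmt.Println("replay:", tr.Execute(p, ok)) // same signed proposal again
}
```

The properties to take away are all in Execute: approvals are counted per distinct registered key rather than per signature, the recipient, amount and nonce are all bound into the signed digest so a signature cannot be transplanted onto a different payment, and the nonce increments on success so the same bundle of signatures cannot be replayed. On an EVM chain such as Harmony the same invariant is normally obtained by making a deployed multisig contract (a Gnosis Safe, for instance) the sole owner of the treasury's privileged functions, rather than an externally owned account whose one key can be copied into a chat.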
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring that treasuries and minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
As identified by the team, it was the lack of a multi-signature wallet and poor operational security that contributed to the loss of the entire project treasury. This type of situation could be completely avoided with a simple review of the security setup for the project. An industry insurance fund can help determine suitable validators and provide assistance in the event of a breach.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ https://rekt.news/8ight-finance-rekt/ (Jan 3, 2022)
- ↑ @8ight_finance Twitter (Jan 4, 2022)
- ↑ Harmony Blockchain Explorer (Jan 4, 2022)
- ↑ Harmony Blockchain Explorer (Jan 4, 2022)
- ↑ Harmony Blockchain Explorer (Jan 4, 2022)
- ↑ Harmony Blockchain Explorer (Jan 4, 2022)
- ↑ https://medium.com/@eightdao/incident-report-future-plans-ad51c65c66e7 (Jan 4, 2022)
- ↑ https://medium.com/@eightdao/8ight-finance-dev-update-2-97b4afcbd78c (Jan 4, 2022)
- ↑ https://medium.com/@eightdao/welcome-to-the-eight-ignition-phase-d78438577f19 (Jan 4, 2022)
- ↑ https://medium.com/@eightdao/8ight-strategy-planning-d64ffe238356 (Jan 4, 2022)
- ↑ Address 0x4d8071452bF5f629eA1c72E1e42A18aebc04cA1d | Etherscan (Jan 4, 2022)
- ↑ 8ight Finance SCAM ALERT? Only For Those Who Don't Believe. - YouTube (Jan 4, 2022)
- ↑ 8ight Finance Hacked: All Funds in Treasury Withdrawn due to Leak of the Private Key | CoinCodeCap (Jan 4, 2022)
- ↑ Is 8ight Finance A Scam? Or Is 8ight Finance Legit? (Jan 4, 2022)
- ↑ 8ight DAO | The Decentralized Reserve Currency (Jan 4, 2022)
- ↑ https://medium.com/@eightdao/introducing-8ight-finance-a-decentralized-reservation-currency-protocol-3b902ce206a7 (Jan 4, 2022)
- ↑ https://coinmarketcap.com/currencies/8ight-finance/ (Jan 4, 2022)
- ↑ 8ight Finance - "Our private key got compromised and the funds have been transferred out of the treasury. Detail[s] of the incident provide in threads below. For future information, please join our discord" - Twitter Archive December 6th, 2021 9:22:00 PM MST (Jan 4, 2022)
- ↑ 8ight Finance Admits "Opsec Was Low" After Treasury Compromised - FullyCrypto (Jan 4, 2022)