Try Roll Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Roll

Roll was a tool that you could use to create your own token easily. For example, a celebrity can create a token that gives their fans special perks such as the ability to meet them after the show.

It was thought that it would be a good idea to store all the tokens in the same wallet, and that wallet was not stored offline. The team had limited security experience and training.

Eventually, a hacker got in, took, and sold all the tokens, stealing the funds. They repurchased the tokens from the markets for the cheap price and later relaunched a new more secure platform.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]

About Roll

"Roll is blockchain infrastructure for social money." "Roll enables creators to mint and distribute their own social currency under the ERC-20 standard and then determine the ways in which their communities can earn and spend that social currency." "The Roll network mints branded digital tokens unique to your online presence, allowing you to own, control and coordinate the value you create across platforms." "For example, users might be able to redeem the social currency for access to the currency’s creator."

"In a call with TechCrunch this week, Roll executives confirmed its infrastructure never underwent a security audit, a process designed to help find and fix vulnerabilities, prior to its launch."

"Roll disclosed a hacker had stolen $5.7 million from its hot wallet, a little over a year after the company launched." "The hacker then sold the tokens on Uniswap, a crypto exchange platform." "According to MyCrypto.com, the malicious entity that executed the Roll hack is now sending hundreds of ether (ETH, -17.28%) to Tornado Cash, an Ethereum-based privacy tool used by hackers to cover tracks and withdrawn funds." "Roll said the hack seems to have occurred via a compromise of one of the wallet’s “private keys,” which is the equivalent of someone learning your master password."

"“This incident was a big setback for us, we will revamp a lot of infrastructure around this that we have in place to prevent something like this from happening again,” said Roll’s chief technology officer Sid Kalla, who oversees cybersecurity because the company does not have dedicated staff."

"It is hard to put into words how devastating this is and we are really sorry about what happened. We take security very seriously and strive to earn the trust of our creators and communities with their social money but today we messed up."

"As soon as we became aware of the attack, our first priority was secure all the remaining tokens. We transferred all the remaining social money into our multisig and disabled all external withdraw transactions to ETH addresses. Beyond the 42 tokens above, the over 300+ tokens have not been affected. Those remain safe in our multisig. There are no additional tokens in the compromised hot wallet."

"Roll has apparently angered some followers by not immediately offering a full refund of the losses incurred. Instead, it has opened a $500,000 pool to “help the creators and their communities affected by this,” though details on how that pool works aren’t readily available on its site."

"We created a $750,000 fund internally to help creators and their communities affected by this. There is no single way to make this fair to all the affected parties – creators, their community, and the Uniswap LPs. We deployed the ETH to help as many communities as we could by directly buying the social money from the Uniswap pools. This was essentially a counter-trade to the attacker."

"Your balances for the 42 tokens that were affected will be compensated. Your balance on the Roll app for these tokens is currently up to date and accurate. You can continue to be LPs of the social money on Uniswap. The attacker does not hold any of the 42 tokens anymore."

"[W]e’ve spent a large portion of the last two weeks listening not only to the 42 creators that were affected, but hundreds of Roll community members that have gathered in our discord, emailed us, been vocal on twitter, hopped on a call, provided support, criticism and suggestions on how Roll can be better not only for creators, the the millions of users we wish to serve in the coming year. We see you and we hear you."

"We are significantly enhancing the security around the hot wallet key management. We are leveraging AWS provided Hardware Security Modules (HSMs) to hold the private keys to our hot wallet. The keys will not leave the HSM module but can be used to sign and send the transactions back to our blockchain services, which will then submit the transaction to the blockchain. The code that interacts with the HSM signing will be locked down both from an access control point of view and any code updates as well to provide extra security. The service will authenticate all requests via a certificate to make sure the caller is legitimate. In addition, it will only sign certain type of whitelisted transaction types such as withdraw of an ERC20 token."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Try Roll Hack
Date Event Description
March 14th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $5,700,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The new setup has the keys stored offline and sets up a multi-signature wallet, so that multiple members of the team have to sign for a withdrawal to occur. This is a significantly more secure setup.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Leaderboard (May 13, 2021)
  2. Rekt - Roll - REKT (May 16, 2021)
  3. Roll still doesn’t know how its hot wallet was hacked – TechCrunch | Business Blockchain HQ (May 18, 2021)
  4. Why Terry Crews is launching a social currency – TechCrunch (May 18, 2021)
  5. Roll - The new standard in social money (May 18, 2021)
  6. Roll Raises Another $1M to Make Money Social - CoinDesk (May 18, 2021)
  7. Roll still doesn’t know how its hot wallet was hacked – TechCrunch (May 19, 2021)
  8. Hacker Steals $5.7 Million From Social Token Startup Roll (May 19, 2021)
  9. @karma_dao Twitter (May 19, 2021)
  10. Security Incident Update - Roll - the new standard in social money (May 19, 2021)
  11. Security Incident - Roll - the new standard in social money (May 19, 2021)
  12. Social Tokens Crash After Reported Hack at Roll - CoinDesk (May 19, 2021)
  13. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  14. A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall - Decrypt (Aug 11, 2021)
  15. @amanusk_ Twitter (Jul 23, 2022)
  16. https://etherscan.io/tx/0x5ebcf5b1ff3b5bf8988668b8ec89a4d3cbfcd2c10308f8b16fb44c0b7bccce3c (Jul 23, 2022)
  17. @FrankResearcher Twitter (Jul 23, 2022)
  18. https://etherscan.io/address/0x6060b77a5d8309eb36374198e197072205ea2bb3 (Jul 23, 2022)
  19. @FrankResearcher Twitter (Jul 23, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Try_Roll_Hack&oldid=3971"