Vulcan Forged Venly Wallets Breached
Vulcan Forged is a metaverse with multiple NFTs used in a variety of games. It offered a service called "My Forge" on its site, which managed users' wallets through the Venly service. Someone exploited Vulcan Forged's servers and obtained the private keys of the Venly wallets; according to Venly, however, the attack came from Vulcan Forged's own IP address. Most likely, a member of the team either took the funds or was tricked into installing malware. The Vulcan Forged project has worked hard to refund all affected users the entire $140m that was taken.
[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45][46][47][48][49][50][51][52][53][54][55][56][57][58][59][60][61]
About Vulcan Forged
"NFT dApp ecosystem, game studio and marketplace. Makers of vulcanverse, powered by $PYR." "Vulcan Forged is an NFT-enabled platform that allows users to create, trade, perform, and even have a DEX where they can trade the project’s PYR and LAVA tokens."
"Designed as an easy-to-play and easy-to-build ecosystem, Vulcan Forged is a community-based project that promotes the development of world-class blockchain games by supporting developers through its development programs, incubation and crowdfunding."
"For blockchain game enthusiasts, Vulcan Forged is a one-stop-shop where they can access popular games and a huge NFT marketplace to buy and sell digital assets in-game. The entire ecosystem is powered by its own PYR settlement, staking and utility token. The ERC20 compatible PYR is a cross-platform currency that can be used in game titles that are part of the Vulcan Forged ecosystem."
About Venly
"We do use Venly, which is a semi-custodial wallet solution. Venly itself is a service." "Venly is a blockchain technology provider creating tools and products to help companies benefit from blockchain technology." "Integrate our custodian wallet services and choose our Widget or Wallet API solutions to scale your business and onboard your users securely." "Authenticate using email or social and improve security enabling two-factor authentication."
The Reality
When storing funds with any third party, you are entrusting them to keep them safe. When using a system of custodians, there are multiple layers of failure to account for. Blockchain transactions and losses are irreversible.
What Happened
On December 12th, "148 wallets holding PYR [were] compromised. Over 4.5m PYR [was] stolen. While we will replace the PYR taken, our first steps are understanding what’s happened."
Date | Event | Description |
---|---|---|
December 12th, 2021 | Main Event | The private keys of "My Forge" wallets are exported using Vulcan Forged's Venly credentials, and over 4.5m PYR is stolen. |
December 14th, 2021 3:44:00 AM MST | CryptoNews Reports Refunds | CryptoNews reports that Vulcan Forged stated that it has already refunded the majority of affected users from its treasury[68]. They emphasized that all 'My Forge' wallets have been secured, with only a few users still requiring PYR token reimbursements. The platform plans to implement a new wallet system within two days[68]. The incident has prompted Vulcan Forged to transition to a 100% decentralized solution to prevent such attacks in the future[68]. The company clarified that the issue did not lie with its wallet solution provider, Venly, but rather with the semi-custodial wallets used by the platform[68]. At the time of reporting, PYR was trading at $21.7[68]. |
December 22nd, 2021 2:04:00 AM MST | Santa Hackathon Article | The exploit is mentioned in a CryptoNews article on hacks in December, including the Visor Finance hack[69]. |
Technical Details
Ethereum Address: [70]
"PKs of 148 wallets of users stolen." "The affected wallets are 96, not 148." "They belonged to some of the biggest investors in the platform."
"The hacker was able to access a user’s wallet because he had obtained the right to use the personal essentials." Venly's "servers, as far as we know of, are fine, and they haven't been exploited or hacked. What's happened is someone has exploited our servers, got the Venly credentials, and used it to extract the private keys of the My Forge users."
"The hacking affected Vulcan Forged’s servers, no Venly servers and solutions have been compromised." "OFFICIAL COMMUNICATION on the facts about the @VulcanForged wallet hack; no Venly servers and solutions have been compromised. We're working closely with Jamie, CEO of VF, and his team to understand the malicious attack."
"The hack appeared to be limited to Vulcan Forged’s servers, and the Venly servers and solutions remain safe and secure. The Venly team affirmed that it spent all night actively helping Vulcan Forged analyze the issue and understand what happened. Together, they continue to assess data analytics to advance fast recovery from this unfortunate event and fortify Vulcan Forged’s security strategy further."
"The attacker was able to intercept the user's PINs and exported the wallets using the credentials of Vulcan Forged on December 12. Venly also traced the export network calls back and noticed that they were all coming from servers on Vulcan Forged's IP, indicating that – from Venly’s perspective – all calls made were legitimate calls."
"The hacker had transferred the majority of the stolen dollars to the one-inch DEX to be distributed at the time of creation."
"We’re powerless in their removal of funds from wallets that have had their PKs stolen and funds not moved out. We are moving to a complete decentralized wallet setup. All PYR stolen will be replaced by our treasury."
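The export calls described above all came from servers on Vulcan Forged's IP, so a source-IP check alone could not separate them from normal traffic. The following added example (not code from Venly, Vulcan Forged or the sources cited here) shows a volume-based check per API credential over constructed audit lines; the log format, field names, allowlist and thresholds are all assumptions.

```python
"""Added example: flag bulk wallet-export activity per API credential.

The audit-log format, field names and thresholds are assumptions made for
this example; they are not Venly's or Vulcan Forged's real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (documentation-range IPs, invented wallet ids).
SAMPLE_LOG = """\
2021-12-10T09:15:00Z client=platform-prod ip=203.0.113.10 action=wallet.export wallet=w-017
2021-12-11T18:40:12Z client=platform-prod ip=203.0.113.10 action=wallet.sign wallet=w-020
2021-12-12T02:00:01Z client=platform-prod ip=203.0.113.10 action=wallet.export wallet=w-001
2021-12-12T02:00:09Z client=platform-prod ip=203.0.113.10 action=wallet.export wallet=w-002
2021-12-12T02:00:14Z client=partner-b ip=198.51.100.7 action=wallet.export wallet=w-900
2021-12-12T02:00:20Z client=platform-prod ip=203.0.113.10 action=wallet.export wallet=w-003
2021-12-12T02:00:31Z client=platform-prod ip=203.0.113.10 action=wallet.export wallet=w-004
2021-12-12T02:00:40Z client=platform-prod ip=203.0.113.10 action=wallet.export wallet=w-005
"""

ALLOWLISTED_IPS = {"203.0.113.10"}   # assumed: the integrator's known server IP
WINDOW = timedelta(minutes=10)       # assumed sliding window
MAX_EXPORTS_PER_WINDOW = 3           # assumed ceiling for legitimate exports


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts_raw, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bulk_exports(log_text, window=WINDOW, limit=MAX_EXPORTS_PER_WINDOW):
    """Alert once per credential that exports more than `limit` distinct
    wallets inside `window`, whether or not the source IP is allowlisted."""
    recent = defaultdict(deque)  # client id -> (ts, wallet, ip) inside window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["action"] != "wallet.export":
            continue
        queue = recent[event["client"]]
        queue.append((event["ts"], event["wallet"], event["ip"]))
        # Drop exports that have aged out of the sliding window.
        while event["ts"] - queue[0][0] > window:
            queue.popleft()
        wallets = {wallet for _, wallet, _ in queue}
        if len(wallets) > limit and event["client"] not in alerted:
            alerted.add(event["client"])
            alerts.append({
                "client": event["client"],
                "first_seen": queue[0][0],
                "triggered_at": event["ts"],
                "distinct_wallets": len(wallets),
                # True here is the case from the incident: every call looks
                # legitimate by source IP, so only volume gives it away.
                "all_ips_allowlisted": all(
                    ip in ALLOWLISTED_IPS for _, _, ip in queue
                ),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_LOG):
        print(alert)
```

An alert of this kind is most useful when it also pauses further exports for that credential until a human confirms them.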
Total Amount Lost
The total amount lost has been estimated at $140,000,000 USD.
Immediate Reactions
"While the hack was in progress, Vulcan Forged CEO Jamie Thomson communicated that Venly services had been compromised on Twitter and Discord. Venly stated that it can assure all its users that this has not been the case, and Vulcan Forged CEO publicly retracted the previous statements made. In addition, the majority of PYR has already been refunded by Vulcan Forged to affected wallets from the Vulcan Forged treasury."
Ultimate Outcome
“After thorough research, we can confirm that all Venly B2B and B2C Wallet users outside of Vulcan Forged are safe. None of our other clients or end-users are affected,” says Tim Dierckxsens, the CEO and Co-Founder of Venly. “The Venly Team will continue to support Vulcan Forged and all its users to the best of its abilities in all transparency. We also want to emphasize the great efforts of Vulcan Forged to ensure a good outcome for all its users.”
"Vulcan Forged is currently taking several initiatives to help users who lost their funds in this hack."
“We will send emails out to all Vulcan wallets affected today to get a metamask address from you. We’ll replace your PYR and LAVA from our treasury. We are removing the semi-custodial solution from the entire Vulcan ecosystem. Please give us today to get our heads around this.”
"All those who have had their funds stolen from their Vulcan wallet, please email foundation@vulcanforged.com using the email they registered. Include a metamask address to replace your funds. All development will be allocated to a new decentralized solution. We’ll recover." "All wallets will receive emails with instructions on how to setup a Metamask and your PYR will be repla[c]ed and sent there immediately."
"For those that lost other assets too, including ETH, MATIC, as this was ultimately our responsibility we will also reimburse those assets in the equivalent of PYR."
"We now have the full list of wallets compromised. You'll receive a personal email from CEO with next steps." "PYR will be sent to users from treasury to replace stolen funds starting today." "We won't close the day without all funds being replaced."
"Play-to-earn NFT platform Vulcan Forged has refunded $140 million worth of PYR tokens to nearly all investors a day after it was hacked, CoinDesk reported." "The majority of PYR has been refunded to affected wallets from the VF treasury." "All My Forge wallets have been secured. Only a few needing PYR back." "All $PYR has been replaced to users."
"We will now replace all ETH, MATIC, USDC that were stolen in addition from wallets. We'll work our way through emails one by one. Thank you again." "We have so far replaced $43888 of the non-PYR tokens that were stolen, mostly MATIC and ETH. If you've not received a reply yet, trust us we'll get to you. Stablecoins next. Taking it on the chin so we hit round 2 with renewed hunger."
"We have isolated the tokens stolen from all CEX exchanges. We are working to identify footprints." "Worth noting that all PYR that has gone to the hacker’s wallet has been flagged on all explorers. Thus, so far, 3 CEXes have frozen 100ETH." "Hacker has very limited leg room and permanent fix coming." "We want to thank @1inch, @ChangeNOW_io, @FixedFloat, @binance, @Nonceblox_, @kucoincom, @gate_io, @AscendEX_Global, @losslessdefi in helping us through this time." "Stolen funds pretty much worthless. Soon completely worthless." "If you have any $PYR liquidity on Uniswap or Quickswap, now is the time to drain it. Just saying." "If you haven’t worked it out, the hacker is panic selling into zero liquidity on dexes. Nothing changes with the buyback, development and fork."
"External Wallet Snapshot has now been taken! Do NOT buy $PYR on Uniswap, Quickswap, or any DEX. $PYR on CEXes safe to buy/trade and unaffected. New $PYR sent to wallets outside exchanges 1:1 over next days. CEX swap/snapshot dates to be announced by exchanges." "About time that any uncertainty regarding the $PYR hacker selling got out of the way. That's official now. DEX price is at $3, CEX is comfortably at $19,50. Do NOT buy at uniswap / quickswap DEX, the $PYR there is worthless, only use CEX." "All wallets that held $PYR at the time of the snapshot have now been sent the equivalent NEW $PYR."
"We’ll be conducting a buy back and burn once things have been settled." "All ETH recovered will be used to buy back PYR."
"As we get ready to announce what all want to hear about this hack and how it'll be dealt with, we want to tell you those who were affected by it OR didn't sell one $PYR during it will receive the 'Resilience' Achievement."
"Let’s try and regain normality." "ALL development continues. Always will. Marketplace and infrastructure will move to decentralized wallets. No goal has changed." "Going forward, of course, we're going to be using nothing but decentralized wallets so we never have to encounter this problem again." "Decentralized infra has already begun development." "ETA for new wallet system: 2 days." "Those who knows VF history, knows this just makes us stronger." "A 100% decentralized solution was perhaps the ray of light in this." "We are emerging from this stronger and more secure. A valuable lesson."
Vulcan Forged, a play-to-earn NFT platform offering multiple blockchain games, a decentralized exchange, and an NFT marketplace, recently experienced a hack that resulted in the loss of around $140 million. The breach saw a hacker gaining access to the private keys of 96 'My Forge' wallets and making off with approximately 4.5 million Vulcan Forged (PYR) tokens, equivalent to 9% of the token's total supply and 23.7% of its circulating supply[68].
Vulcan Forged stated that it has already refunded the majority of affected users from its treasury[68]. They emphasized that all 'My Forge' wallets have been secured, with only a few users still requiring PYR token reimbursements. The platform plans to implement a new wallet system within two days[68].
The incident has prompted Vulcan Forged to transition to a 100% decentralized solution to prevent such attacks in the future[68]. The company clarified that the issue did not lie with its wallet solution provider, Venly, but rather with the semi-custodial wallets used by the platform[68].
The attack was possible because all private keys were held centrally on a single local network, making it a prime target for exploitation[68]. Decentralized wallets, such as multisignature wallets, are considered a more secure alternative, as they make it much more challenging to execute similar exploits[68].
While Vulcan Forged took swift action to refund affected users, the incident had a significant impact on the PYR token's price, causing it to drop by nearly 33% between December 12 and December 13[68]. At the time of reporting, PYR was trading at $21.7[68].
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
"The #metaverse shakeout will leave only...drum roll..projects that deliver and are functional. Hack or not, we've worked too hard, grown too much and evolved too quickly to ever deviate from our vision." "The Vulcan Community showed up, shielded up and brought the fire big time. We owe you. Back to work." "This will all be over soon. And those who trust us will enjoy the next chapter."
Individual Prevention Policies
The issue only affected users of the "My Forge" service who had chosen to entrust both Vulcan Forged and Venly with the security of their funds. These users took on the risk of trusting that both entities would act responsibly and maintain the security of their accounts. Clearly, this was not the case.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
A key feature which is missing from Venly's wallet solutions is a multi-signature setup, and from descriptions it appears that wallets were stored online (on an internet-connected computer). For proper security, all private keys should be offline and a multi-sig should be used to avoid a vulnerability of any single device or individual. All platforms which store user funds need to be properly secured.
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must also cover the security of social media, databases, and DNS.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Rekt - Vulcan Forged - REKT (Jan 3, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ PYR Wallet Compromise Drama, Over 4.5m PYR Missing - Bitcoin World (Jan 4, 2022)
- ↑ AMBCrypto (Jan 4, 2022)
- ↑ NFT Market Vulcan Forged Hacked: Over 4.5 Million PYR has been Stolen | CoinCodeCap (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ Vulcan Forged refunds $140M to community members after hack | Bankless Times (Jan 4, 2022)
- ↑ @Venly_io Twitter (Jan 4, 2022)
- ↑ Venly - Venly informs of Vulcan Forged hack with at least 96 Vulcan Forged wallets affected (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @ChrisRomanoC Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanVerse Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ https://medium.com/@jaapsh/token-swap-for-dummies-pyr-be1f568a191d (Jan 4, 2022)
- ↑ @egamers_io Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ https://coinmarketcap.com/headlines/news/gaming-project-vulcan-forged-loses-140-million-from-customers-private-keys/ (Jan 4, 2022)
- ↑ https://coinmarketcap.com/headlines/news/96-private-keys-stolen-from-vulcan-forged-in-140-million-theft/ (Jan 4, 2022)
- ↑ @BitrueOfficial Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @VulcanForged Twitter (Jan 4, 2022)
- ↑ @losslessdefi Twitter (May 8, 2022)
- ↑ https://vulcanforged.com/ (Jan 3, 2022)
- ↑ https://vulcanforged.com/About/Index (Jan 4, 2022)
- ↑ https://coinmarketcap.com/currencies/vulcan-forged-pyr/ (Jan 4, 2022)
- ↑ Venly | Home (Jan 4, 2022)
- ↑ Venly - Wallet solutions (Jan 4, 2022)
- ↑ Venly - About us (Jan 4, 2022)
- ↑ Hacked Vulcan Forged Says It Has Refunded 'the Majority' of Affected Users - CryptoNews (Dec 1, 2022)
- ↑ Santa Hackathon? Visor Finance Marks 7th Hack in December - CryptoNews (Dec 1, 2022)
- ↑ Address 0x48ad05a3b73c9e7fac5918857687d6a11d2c73b1 | Etherscan (Jan 4, 2022)