$3 200 000 USD

AUGUST 2021

GLOBAL

REF FINANCE

DESCRIPTION OF EVENTS

"Swap exchanges the first selected token with the second selected token. The pools with the highest available liquidity and the lowest exchange fee will be used."


"Ref Finance is one of the core projects in the DeFi ecosystem on NEAR Protocol. Its main objective is to bring together the core components of DeFi, namely, decentralized exchange (DEX), lending protocol, synthetic asset issuer, and so on, into a single, synchronous DeFi platform. Leveraging NEAR’s 1-2 second finality, low costs, as well as its user-friendly and interoperable infrastructure, Ref aims to bring DeFi one step closer to the people."


"Ref is first and foremost a community project. A DAO has been created to allow the community to direct its course. The DAO will be responsible for managing the treasury initially, and shortly thereafter, managing upgrades of the protocol."


"Ref Finance is a collection of DeFi protocols, powered by smart contracts on NEAR, that enable trading and earning by providing liquidity and other financial use cases in the future. Currently, its main product is the automated market maker decentralized exchange (AMM DEX)."


"Ref Finance's AMM DEX enables permissionless and automated trading between any native NEAR or bridged token through liquidity pools managed by smart contracts."


"On August 14 at around 11am UTC (block 45195764), our dev team deployed a hotfix to an issue surrounding the Ref Finance contracts. Prior to the fix, users that unstaked all of their tokens from the farm contract were unable to remove the deposited liquidity from the pool. This occurred due to the users’ NEAR account being unregistered from the LP token contract, a feature unique to NEAR tokens that generally aids the user experience."


"Shortly after the bug was deployed in block 45195764, around 1 million REF were withdrawn from the exchange contracts. This represents 40% of the total circulating supply of REF."


"At around 2pm UTC, the Ref core team noticed unusual behavior with the REF-NEAR pair." "While the hotfix solved [the unstaking] issue, it contained a new issue that did not debit users’ LP token balances when they removed liquidity. This allowed a small number of users to continuously remove tokens, receiving far more tokens than they should have."


"An investigation quickly identified a bug in a recently deployed hotfix to the farming contract, which unfortunately was exploited by several users." "We have determined up to 1,000,000 REF and 580,000 NEAR were affected." "In total, 507,000 NEAR and ~1 million REF tokens were withdrawn using this exploit."


"The Ref UI was taken down, and the" "contracts were immediately paused by the core team to prevent further exploits, and we have coordinated with exchanges to block the accounts involved in the incident." "The Ref team notified Binance and Huobi to pause the exploiters accounts, which they did." "We will keep the contracts paused for 48 hours while we implement the fix and ensure everything is safe."


"The #RefFinance website is undergoing system maintenance but will be back better than ever on August 21st 7:00 UTC!" "The Ref exchange will be redeployed ASAP, and will become usable again via the UI and contracts."


"The Ref team determined users’ non-REF balances before the exploit, and proposed a full reimbursement of the funds using existing Ref balances and DAO funds." "After these initial steps were taken, reimbursements for affected users were issued. A plan was also created to bring Ref back online and make it more secure." "All user funds held in Ref [were] distributed back to users. [The team published] the balances within 24 hours, and begin distributions ASAP (no action required). This [included] full balances for all tokens, except REF."


"If you control one of [the] accounts [with stolen funds], please reach out to us to return the funds via Twitter DM or Telegram @refdev. We will provide you with a generous bug bounty." "If the REF is not returned within 48 hours, we will pursue other options, such as forking the token contract and removing the offending accounts."


"So far, only 250,000 REF has been returned. Rather than wait for the remaining REF to be returned, we propose forking the REF token."


"The DAO will vote on how to handle REF. Most likely, REF will be forked using the balances from before the exploit. The new token would assume the place of the official REF token (whitelisted, liquidity rewards, governance) in the Ref ecosystem."


"Here is the proposal to fork REF token using snapshot from block 45195764. Please review and comment." "We are currently adding a new fork for $REF. Once completed, all $REF tokens will be airdropped back to the corresponding wallet addresses. All non-$REF tokens have been securely returned to their original wallets."


"The new REF token will be exactly the same as the current REF token, with the balances restored to those in block 45195764, during which the bug was introduced. Holders of REF during this time will receive the new REF tokens directly to their accounts, with no action required on their part."


"This will effectively undo all behavior after the snapshot. The vast majority of activity occurring with REF after this time was related to the exploit. However, there may be a small number of accounts with legitimate behavior affected."


"The new REF token will inherit all current and future attributes of the old REF token, including as the whitelisted token within the Ref exchange, as the primary liquidity incentive for the platform, and as the eventual governance token."


"The DAO will burn the 97.5% of the old REF supply it controls." "To support the new REF token, the DAO will create the new REF - NEAR pair and add liquidity to it. Liquidity will be added at the REF price prior to the exploit. The DAO currently has around 265,000 NEAR, not including the NEAR that is expected to be recovered from the exploit."


"As 1 million of $REF was improperly withdrawn, the community DAO voted to fork the $REF token and create Ref Finance v2 using the balances from block 45195764. This $REF was distributed on August 25th, and whitelisted on the redeployed Ref exchange." "[T]he ticker w[ill] remain “REF”." "The new $REF token assumes all uses of the original token, and will be treated as the only $REF token by us and our partners."


"Over 400,000 of the NEAR were sent to Binance and Huobi." "We have filed reports with local law enforcement, and these accounts have been identified and blocked at exchanges." "We've filed police reports in several jurisdictions, and are working with them and exchanges to have any exploited funds returned. We are confident they will be." "If you control any of these accounts, please reach out to return the funds. You will receive a bug bounty for helping us identify this issue!" "Thank you @binance @HuobiGlobal for working with us in the first place to lock stolen funds."


"Many users have already received their tokens, and the rest will receive them by the end of the day tomorrow." "Reimbursements for all $REF tokens were processed within 3 days, after the DAO voted to reimburse the lost NEAR with funds from the DAO." "The new REF token distribution is complete." "There were in total 2,490,506.894 REF tokens distributed to all users' corresponding NEAR wallets. You should see it as the token with the black background as below." "The remaining 9493.106 REF tokens that belong to the attackers, who have not yet returned the stolen funds, are burned. The current REF total supply becomes 9,990,506.894 REF."


"In addition, the Ref website and dApp were fixed, stress tested, and brought back online on Saturday, August 22. The new contracts went live on v2.ref-finance.near simultaneously." "The contracts have been rigorously tested. We will publish more details, including audit timelines (underway) very shortly."


"A huge thank you to our community for your patience. As promised, the $REF smart contract was redeployed on the MainNet on Aug 21 w/the MainNet testing. [Ref Finance] will be officially re-launched at 12am (UTC) on Aug 23."


"We will implement a rigorous security program. This will include testing plans, audit plans and rules, and a bug bounty program with payouts of $25k+ for severe issues." "Security is our number one priority going forward."


"Any contract changes will have robust test suites created for them, including simulation tests. Additionally, we will test changes for a minimum of one week (usually much longer) manually with community partners." "A comprehensive audit was in progress before the exploit, and will soon be complete and published." "Our core team is very strong, but also small. We are hiring across the board, including engineers, designers, product, community, and more!" "We retained an admin key for a short period of time to allow our dev team to move quickly. This was never intended to be for long, and we will be transferring control of the contracts to the DAO to keep our promise to the community of being a decentralized project."


"We deeply apologize to the entire community for this." "Ref is back online now!" "Pls note that the slippage on some pools may be a bit high as some liquidity hasn't returned to normal levels, but you can add to them now! Farming rewards coming very soon!"


"Ref has been back online for just over a week, and liquidity is quickly returning. The $REF — $NEAR pair is at nearly $2M in liquidity, with $SKYWARD — $NEAR close behind (and $OCT rising quickly!)."


"We are wholeheartedly committed to setting things right again and ensuring that Ref can be a trustworthy and reliable project for our NEAR community." "No action is required from users, and we will reimburse IN FULL any permanently lost funds." "No action will be required from REF holders or LPs to receive the new token, and the original REF will of course still exist." "These are still just the first steps to restoring confidence in Ref, and we will work tirelessly to deliver the project this community deserves!"

Ref Finance offers a variety of products and services on the NEAR protocol. A "hotfix" released to the protocol's farming contract introduced a vulnerability that allowed a significant amount of NEAR and REF tokens to be taken from the smart contract hot wallet: the patched remove-liquidity path paid out tokens without debiting the caller's LP token balance, so the same balance could be redeemed repeatedly. The REF token was forked to eliminate the stolen tokens, and the NEAR appears to have been recovered from the Binance and Huobi platforms.


It appears that all affected users were ultimately made whole again.
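The accounting defect quoted above (liquidity removed, LP share balance never debited) can be shown in a few lines. The following is an added illustration written for this page, not Ref Finance's contract code; the pool layout, the names `Pool`, `remove_liquidity_buggy`, `remove_liquidity`, `invariant_holds` and `withdraw_until_refused`, and the sample balances are all assumptions. It places the defective variant beside the corrected one and shows the single ledger invariant (per-account shares must sum to the recorded total supply) that a simulation test would have tripped on the first call.

```rust
use std::collections::HashMap;

/// Minimal share ledger for a two-token pool. Constructed for illustration;
/// field names and layout are assumptions, not Ref Finance's contract.
#[derive(Debug, Clone)]
pub struct Pool {
    pub reserve_a: u128,
    pub reserve_b: u128,
    pub total_shares: u128,
    pub shares: HashMap<String, u128>,
}

#[derive(Debug, PartialEq)]
pub enum PoolError {
    InsufficientShares,
    EmptyPool,
}

impl Pool {
    /// Seed a pool with reserves and an initial share distribution.
    pub fn new(reserve_a: u128, reserve_b: u128, holders: &[(&str, u128)]) -> Pool {
        let shares: HashMap<String, u128> =
            holders.iter().map(|(k, v)| (k.to_string(), *v)).collect();
        let total_shares = shares.values().sum();
        Pool { reserve_a, reserve_b, total_shares, shares }
    }

    /// Pro-rata payout for `n` shares against current reserves.
    fn payout(&self, n: u128) -> (u128, u128) {
        (
            self.reserve_a * n / self.total_shares,
            self.reserve_b * n / self.total_shares,
        )
    }

    /// Models the hotfix defect: reserves and total supply go down, but the
    /// caller's own share balance is never debited, so the call can be repeated
    /// until the pool is empty.
    pub fn remove_liquidity_buggy(&mut self, who: &str, n: u128) -> Result<(u128, u128), PoolError> {
        if self.total_shares == 0 {
            return Err(PoolError::EmptyPool);
        }
        if self.shares.get(who).copied().unwrap_or(0) < n {
            return Err(PoolError::InsufficientShares);
        }
        let (a, b) = self.payout(n);
        self.total_shares -= n; // supply is decremented ...
        // ... but `self.shares[who]` is left untouched: the defect.
        self.reserve_a -= a;
        self.reserve_b -= b;
        Ok((a, b))
    }

    /// Corrected variant: the share debit is computed with a checked
    /// subtraction and written before any value leaves the pool.
    pub fn remove_liquidity(&mut self, who: &str, n: u128) -> Result<(u128, u128), PoolError> {
        if self.total_shares == 0 {
            return Err(PoolError::EmptyPool);
        }
        let bal = self.shares.get(who).copied().unwrap_or(0);
        let remaining = bal.checked_sub(n).ok_or(PoolError::InsufficientShares)?;
        let (a, b) = self.payout(n);
        self.shares.insert(who.to_string(), remaining);
        self.total_shares -= n;
        self.reserve_a -= a;
        self.reserve_b -= b;
        Ok((a, b))
    }

    /// Ledger invariant a simulation test should assert after every call:
    /// per-account shares must sum to the recorded total supply.
    pub fn invariant_holds(&self) -> bool {
        self.shares.values().sum::<u128>() == self.total_shares
    }
}

/// Test harness: keep withdrawing `per_call` shares until the pool refuses,
/// and report the total of each token obtained. Exercises the "continuously
/// remove tokens" behaviour from the post-mortem against either variant.
pub fn withdraw_until_refused(pool: &mut Pool, who: &str, per_call: u128, buggy: bool) -> (u128, u128) {
    let (mut got_a, mut got_b) = (0u128, 0u128);
    loop {
        let r = if buggy {
            pool.remove_liquidity_buggy(who, per_call)
        } else {
            pool.remove_liquidity(who, per_call)
        };
        match r {
            Ok((a, b)) => { got_a += a; got_b += b; }
            Err(_) => return (got_a, got_b),
        }
    }
}

fn main() {
    // Constructed sample: alice holds 600 of 1000 shares, bob the other 400.
    let mut buggy = Pool::new(1_000, 1_000, &[("alice", 600), ("bob", 400)]);
    let mut fixed = buggy.clone();
    let got = withdraw_until_refused(&mut buggy, "alice", 200, true);
    println!("buggy: alice obtained {:?}, invariant holds: {}", got, buggy.invariant_holds());
    let got = withdraw_until_refused(&mut fixed, "alice", 200, false);
    println!("fixed: alice obtained {:?}, invariant holds: {}", got, fixed.invariant_holds());
}
```

With the sample balances, the defective variant lets an account holding 600 of 1,000 shares take the entire reserve of both tokens, including the part backing the other holder's shares, and `invariant_holds` is false after the very first call; the corrected variant stops at 600 of each token, refuses the next call, and leaves the remaining 400 shares fully backed. Running an invariant like this after every state-changing call in a simulation suite is the kind of check the team's post-incident testing commitment points at.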

HOW COULD THIS HAVE BEEN PREVENTED?

Many of the measures that Ref has undertaken, such as audits and bug bounties, will greatly reduce the risk of future exploits; however, the central issue is that all funds are held in a hot system. The most secure setup would store unused funds in a multi-signature cold storage wallet held by trusted and trained operators. This could be combined with a smart contract insurance protocol or self-insurance for the remaining funds.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.