SEPTEMBER 2021

GLOBAL

SECRET SWAP

DESCRIPTION OF EVENTS

"Secret Network is the first blockchain with data privacy by default, allowing you to build and use applications that are both permissionless and privacy-preserving. This unique functionality protects users, secures applications, and unlocks hundreds of never-before-possible use cases for Web3."

"As privacy graduates from a want to a necessity for users of complex Web3 applications, @SecretNetwork could be one of the sector leaders for private computation." "Secret Network is one of the first blockchains to support programmable smart contracts with privacy by default."

"SecretSwap is a protocol for swapping SecretTokens (SNIP-20s) on Secret Network. Given the encrypted nature of secret contracts, inputs to a transaction/contract are encrypted while they are on the mempool and cannot be front-run by any adversary. This ensures SecretSwap protects its users and their money from front-running attacks and privacy threats."

"Built on the principles of usability and privacy, SecretSwap provides a foundation for the open accessible financial system of the future. Our primary focus is to protect our users from value extracting players by focusing on privacy, a basic human right. SecretSwap is a liquidity hub that connects to other ecosystems for maximum user protection and access to assets." "SecretSwap also provides access to cross-chain liquidity through an Ethereum bridge, a Binance Smart Chain bridge, a Monero bridge, a Plasm bridge (in development), and reduces fees relative to Ethereum."

"PLEASE BE ADVISED: the Secret Network mainnet has updated from secret-2 to secret-3. This was not a planned upgrade; however, it was necessary in order to prevent a major loss of funds due to a critical security issue with a single contract deployed on the network."

"[N]o funds are compromised." "[S]ecret token [and] secret bridge contracts were not compromised." "[T]he protocol [and] $SCRT itself were not compromised." "[W]ith the exception of this single contract, everything seems to have worked as expected on the network."

On September 13th, "a vulnerability was exploited in a single smart contract out of the 250+ associated w/ @secret_swap. This allowed an attacker to drain funds that were locked in $SEFI staking contracts. This was discovered swiftly by our community and investigation began."

"[B]ridges were disabled to prevent funds leaving the network." The "@secret_swap [interface] was disabled." "C[entralized exchang]es disabled withdrawals and deposits." "[V]alidators [and] dev[eloper]s began discussion of mitigation options."

"It became clear the best option to protect users and secure funds immediately was a chain rollback to before the exploit. Work began immediately to export the chain, identify and test the vulnerability, and fix/secure the identified contracts. This took hours of dedicated work."

"The current state after multiple all-nighters from community members around the world (including a few 40+ hour sessions)" is that "secret-2 has been halted", "secret-3 is online and validators are reconnecting", and "bridges remain down". "[E]xchange deposits remain down."

"As the network is re-secured, we recommend you" "wait for new communication before interacting with the network & applications (all funds are now SAFU; there is no urgency to act)" and "follow Twitter and Discord to receive real-time updates". "Funds are secured and chain is updated. Please be patient as we continue to ensure stability - there’s no need for action at this time!"

"Due to the nature of the vulnerability, unclaimed rewards are no longer available. This SEFI has effectively been burned from the supply as a result of this incident." "This includes all of the SEFI rewards of our developers, as they had yet to claim prior to this occurrence. We all feel the need to rectify this issue personally."

As of September 19th, "SecretSwap is NOW back online! The Swap & Pool features are live again without further delay! The bridges, Earn, Cashback & Governance will be reactivated individually, as soon as possible, over the next few days."

As of September 23rd, "Secret bridges to and from $ETH & #BSC have had their service fully restored!"

"Huge gratitude is due to every community member (from the investigators to the network validators to the developers) who moved quickly to secure Secret Network and @secret_swap users. Their quick & focused action led to a better outcome than could otherwise have been expected!" "Thanks to all for their patience - it’s time to get back to expanding the Secret universe."

The SecretSwap platform allows the exchange of Secret assets on the Secret Network (validated by Secret Agents). Its bridges used Secret smart contract hot wallets. The exact breach which occurred is a Secret (no post mortem), but luckily the resulting blockchain is also being kept secret (rolled back). This means all the Secret assets weren't lost, except the Secret rewards. How many assets were at risk, or how much was lost in rewards? Well, it would appear that is also a secret.

HOW COULD THIS HAVE BEEN PREVENTED?

Storing assets in secret smart contract hot wallets developed by secret developers places you at secret risks. While this large-scale attack was rolled back this time, this secret blockchain is likely to face significantly increased risk of hacks, breaches, and fraud in the future as it gains popularity. Losses can be avoided through the use of simple, transparent, audited smart contracts, the simplest of which is a multi-sig held by known, trusted, background-checked platform operators.

© 2021 Quadriga Initiative.