Quadriga Initiative

Dec 2021 - Vulcan Forged Venly Wallets Breached - $140m (Global)

"NFT dApp ecosystem, game studio and marketplace. Makers of vulcanverse, powered by $PYR." "Vulcan Forged is an NFT-enabled platform that allows users to create, trade, perform, and even have a DEX where they can trade the project’s PYR and LAVA tokens."

"Designed as an easy-to-play and easy-to-build ecosystem, Vulcan Forged is a community-based project that promotes the development of world-class blockchain games by supporting developers through its development programs, incubation and crowdfunding."

"For blockchain game enthusiasts, Vulcan Forged is a one-stop-shop where they can access popular games and a huge NFT marketplace to buy and sell digital assets in-game. The entire ecosystem is powered by its own PYR settlement, staking and utility token. The ERC20 compatible PYR is a cross-platform currency that can be used in game titles that are part of the Vulcan Forged ecosystem."

"We do use Venly, which is a semi-custodial wallet solution. Venly itself is a service." "Venly is a blockchain technology provider creating tools and products to help companies benefit from blockchain technology." "Integrate our custodian wallet services and choose our Widget or Wallet API solutions to scale your business and onboard your users securely." "Authenticate using email or social and improve security enabling two-factor authentication."

On December 12th, "148 wallets holding PYR [were] compromised. Over 4.5m PYR [was] stolen. While we will replace the PYR taken, our first steps are understanding what’s happened."

"PKs of 148 wallets of users stolen." "The affected wallets are 96, not 148." "They belonged to some of the biggest investors in the platform." "We’re powerless in their removal of funds from wallets that have had their PKs stolen and funds not moved out. We are moving to a complete decentralized wallet setup. All PYR stolen will be replaced by our treasury."

"The hacker was able to access a user’s wallet because he had obtained the right to use the personal essentials." Venly's "servers, as far as we know of, are fine, and they haven't been exploited or hacked. What's happened is someone has exploited our servers, got the Venly credentials, and used it to extract the private keys of the My Forge users."

"The hacking affected Vulcan Forged’s servers, no Venly servers and solutions have been compromised." "OFFICIAL COMMUNICATION on the facts about the @VulcanForged wallet hack; no Venly servers and solutions have been compromised. We're working closely with Jamie, CEO of VF, and his team to understand the malicious attack."

"The hack appeared to be limited to Vulcan Forged’s servers, and the Venly servers and solutions remain safe and secure. The Venly team affirmed that it spent all night actively helping Vulcan Forged analyze the issue and understand what happened. Together, they continue to assess data analytics to advance fast recovery from this unfortunate event and fortify Vulcan Forged’s security strategy further."

"The attacker was able to intercept the user's PINs and exported the wallets using the credentials of Vulcan Forged on December 12. Venly also traced the export network calls back and noticed that they were all coming from servers on Vulcan Forged's IP, indicating that – from Venly’s perspective – all calls made were legitimate calls."

“After thorough research, we can confirm that all Venly B2B and B2C Wallet users outside of Vulcan Forged are safe. None of our other clients or end-users are affected,” says Tim Dierckxsens, the CEO and Co-Founder of Venly. “The Venly Team will continue to support Vulcan Forged and all its users to the best of its abilities in all transparency. We also want to emphasize the great efforts of Vulcan Forged to ensure a good outcome for all its users.”

"While the hack was in progress, Vulcan Forged CEO Jamie Thomson communicated that Venly services had been compromised on Twitter and Discord. Venly stated that it can assure all its users that this has not been the case, and Vulcan Forged CEO publicly retracted the previous statements made. In addition, the majority of PYR has already been refunded by Vulcan Forged to affected wallets from the Vulcan Forged treasury."

"The hacker had transferred the majority of the stolen dollars to the one-inch DEX to be distributed at the time of creation."

"Vulcan Forged is currently taking several initiatives to help users who lost their funds in this hack."

“We will send emails out to all Vulcan wallets affected today to get a metamask address from you. We’ll replace your PYR and LAVA from our treasury. We are removing the semi-custodial solution from the entire Vulcan ecosystem. Please give us today to get our heads around this.”

"All those who have had their funds stolen from their Vulcan wallet, please email foundation@vulcanforged.com using the email they registered. Include a metamask address to replace your funds. All development will be allocated to a new decentralized solution. We’ll recover." "All wallets will receive emails with instructions on how to setup a Metamask and your PYR will be repla[c]ed and sent there immediately."

"For those that lost other assets too, including ETH, MATIC, as this was ultimately our responsibility we will also reimburse those assets in the equivalent of PYR."

"We now have the full list of wallets compromised. You'll receive a personal email from CEO with next steps." "PYR will be sent to users from treasury to replace stolen funds starting today." "We won't close the day without all funds being replaced."

"Play-to-earn NFT platform Vulcan Forged has refunded $140 million worth of PYR tokens to nearly all investors a day after it was hacked, CoinDesk reported." "The majority of PYR has been refunded to affected wallets from the VF treasury." "All My Forge wallets have been secured. Only a few needing PYR back." "All $PYR has been replaced to users."

"We will now replace all ETH, MATIC, USDC that were stolen in addition from wallets. We'll work our way through emails one by one. Thank you again." "We have so far replaced $43888 of the non-PYR tokens that were stolen, mostly MATIC and ETH. If you've not received a reply yet, trust us we'll get to you. Stablecoins next. Taking it on the chin so we hit round 2 with renewed hunger."

"We have isolated the tokens stolen from all CEX exchanges. We are working to identify footprints." "Worth noting that all PYR that has gone to the hacker’s wallet has been flagged on all explorers. Thus, so far, 3 CEXes have frozen 100ETH." "Hacker has very limited leg room and permanent fix coming." "We want to thank @1inch, @ChangeNOW_io, @FixedFloat, @binance, @Nonceblox_, @kucoincom, @gate_io, @AscendEX_Global, @losslessdefi in helping us through this time." "Stolen funds pretty much worthless. Soon completely worthless." "If you have any $PYR liquidity on Uniswap or Quickswap, now is the time to drain it. Just saying." "If you haven’t worked it out, the hacker is panic selling into zero liquidity on dexes. Nothing changes with the buyback, development and fork."

"External Wallet Snapshot has now been taken! Do NOT buy $PYR on Uniswap, Quickswap, or any DEX. $PYR on CEXes safe to buy/trade and unaffected. New $PYR sent to wallets outside exchanges 1:1 over next days. CEX swap/snapshot dates to be announced by exchanges." "About time that any uncertainty regarding the $PYR hacker selling got out of the way. That's official now. DEX price is at $3, CEX is comfortably at $19,50. Do NOT buy at uniswap / quickswap DEX, the $PYR there is worthless, only use CEX." "All wallets that held $PYR at the time of the snapshot have now been sent the equivalent NEW $PYR."

"We’ll be conducting a buy back and burn once things have been settled." "All ETH recovered will be used to buy back PYR."

"As we get ready to announce what all want to hear about this hack and how it'll be dealt with, we want to tell you those who were affected by it OR didn't sell one $PYR during it will receive the 'Resilience' Achievement."

"Let’s try and regain normality." "ALL development continues. Always will. Marketplace and infrastructure will move to decentralized wallets. No goal has changed." "Going forward, of course, we're going to be using nothing but decentralized wallets so we never have to encounter this problem again." "Decentralized infra has already begun development." "ETA for new wallet system: 2 days." "Those who know VF history know this just makes us stronger." "A 100% decentralized solution was perhaps the ray of light in this." "We are emerging from this stronger and more secure. A valuable lesson."

"The #metaverse shakeout will leave only...drum roll..projects that deliver and are functional. Hack or not, we've worked too hard, grown too much and evolved too quickly to ever deviate from our vision." "The Vulcan Community showed up, shielded up and brought the fire big time. We owe you. Back to work." "This will all be over soon. And those who trust us will enjoy the next chapter."

Further Analysis

Vulcan Forged is a metaverse with multiple NFTs used in a variety of games. They offered a service called "My Forge" on their site, where they managed users' wallets using the Venly service. Someone exploited their servers and obtained the private keys of the Venly wallets; however, according to Venly, the attack came from Vulcan Forged's own IP address. It is most likely that a member of the team took the funds or was tricked into installing malware. The Vulcan Forged project has worked hard to refund all affected users the entire $140m that was taken.
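Because every export call came from Vulcan Forged's own IP with valid credentials, a source-IP check alone could not separate them from normal traffic. The sketch below is an added example, not Venly's or Vulcan Forged's code: it flags an API client that exports keys for many distinct wallets in a short window. The event format, client names, IPs, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (time, api_client, source_ip, wallet_id, action).
# Client names, IPs (documentation ranges) and wallet ids are hypothetical.
ALLOWED_IPS = {"203.0.113.10", "198.51.100.7"}
BASE = datetime(2021, 12, 12, 2, 0)
EVENTS = [(BASE + timedelta(minutes=i), "partner-a", "203.0.113.10",
           f"wallet-a{i}", "export_key") for i in range(8)]
EVENTS += [(BASE + timedelta(hours=h), "partner-b", "198.51.100.7",
            f"wallet-b{h}", "export_key") for h in (0, 3)]
EVENTS.append((BASE, "partner-b", "198.51.100.7", "wallet-b0", "sign_tx"))


def ip_check_passes(events):
    """A source-IP check on its own: is every call from a known IP?"""
    return all(ip in ALLOWED_IPS for _, _, ip, _, _ in events)


def flag_bulk_exports(events, window=timedelta(minutes=10), max_wallets=3):
    """Map each client to (alert_time, distinct_wallets) the first time it
    exports keys for more than max_wallets distinct wallets inside window."""
    recent = defaultdict(deque)   # client -> (time, wallet) still in window
    alerts = {}
    for ts, client, _ip, wallet, action in sorted(events):
        if action != "export_key":
            continue
        q = recent[client]
        q.append((ts, wallet))
        while ts - q[0][0] > window:      # drop exports older than window
            q.popleft()
        distinct = len({w for _, w in q})
        if distinct > max_wallets and client not in alerts:
            alerts[client] = (ts, distinct)
    return alerts


if __name__ == "__main__":
    print("IP allow-list passes:", ip_check_passes(EVENTS))
    for client, (ts, n) in flag_bulk_exports(EVENTS).items():
        print(f"ALERT {client}: {n} wallets exported by {ts:%H:%M}")
```
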

How Could This Have Been Prevented?

A key feature missing from Venly's wallet solutions is a multi-signature setup, and from the descriptions it appears that wallets were stored online (on an internet-connected computer). For proper security, all private keys should be kept offline and a multi-sig should be used, so that no single device or individual is a point of failure.
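To show why a multi-sig removes the single point of failure, here is an added example (not code from Venly or Vulcan Forged) of a 2-of-3 approval check in which one stolen key cannot authorise a transfer. Lamport one-time hash signatures stand in for the ECDSA signatures a real multi-sig wallet would use, and the signer names and transaction string are hypothetical.

```python
import hashlib
import secrets

# Lamport one-time hash signatures stand in for the ECDSA signatures a real
# multi-sig wallet would use, so this runs on the standard library alone.
# A Lamport key pair must sign only one message. All names are hypothetical.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Return (secret_key, public_key); the secret stays on the signer's device."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for (i, bit), s in zip(enumerate(_bits(msg)), sig))

def authorised(tx: bytes, approvals, pubkeys, threshold: int) -> bool:
    """True only if `threshold` DISTINCT registered signers validly signed tx.
    The verifier holds public keys only, so compromising it yields no key."""
    valid = {name for name, sig in approvals
             if name in pubkeys and verify(pubkeys[name], tx, sig)}
    return len(valid) >= threshold

def demo():
    keys = {n: keygen() for n in ("server", "officer-a", "officer-b")}
    pubs = {n: pk for n, (_, pk) in keys.items()}
    tx = b"send 100 PYR to 0xCONSTRUCTED-ADDRESS"
    stolen = ("server", sign(keys["server"][0], tx))   # attacker holds one key
    second = ("officer-a", sign(keys["officer-a"][0], tx))
    return {
        "one stolen key": authorised(tx, [stolen], pubs, 2),
        "same key twice": authorised(tx, [stolen, stolen], pubs, 2),
        "forged name": authorised(tx, [stolen, ("officer-a", stolen[1])], pubs, 2),
        "two distinct signers": authorised(tx, [stolen, second], pubs, 2),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'AUTHORISED' if ok else 'rejected'}")
```
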



