Nutbox Report 2021-11-29

in hive-155234 •  2 months ago 


English Version

Hello folks. It's Monday again, time for a new report on the Nutboxes' projects and what happened in the past week.

A couple of days ago, the Nutbox Team published the second audit report.

https://medium.com/@nutbox.dao/investigation-report-about-the-attack-on-walnut-network-2-40c287a3ad54

Since the Nutbox system is a cross-chain platform built between multiple blockchains, the system needs to handle different contract management methods simultaneously and in a timely manner.

For example, Polkadot and Kusama require users to stake their DOT to the official Polkadot Crowdloan pallet. Absolutely no one, including the users themselves, can withdraw the staked assets while they are locked, before the end of the current parachain slot auction. However, content creation blockchains such as STEEM and HIVE only require delegations; there is no locking mechanism that binds users' delegations to a certain contract and/or account until a specific date. Users can remove their assets at will.

In the current design, a traditional backend is used to manage contract signing. The private keys must be stored on an online server to support this process.

The management team shut down the service right after the attack. But the damage was done, and the attacker used the private transaction contract from Tornado.Cash to hide his/her subsequent transactions.

Knowing the cause is half the battle; what the team can do to provide a safer platform for the users is the most important goal going forward. The trust the Nutbox Team lost during this incident costs more than the stolen funds.

In the report, the team has provided several steps to tighten the security of the existing product: deprecate the unsafe mechanisms found during the investigation, and isolate the staking assets of each pool, even though this costs more external computation power when calculating the cToken reward.

Most importantly, the investigation is not over and will never be over. Security is a daily job for every staff member working on this ecosystem. Only by doing this can we regain our users’ trust, provide the best service we can, and prolong the project.

Currently, users can still use the services at https://peanut.nutbox.io and https://polkadot.nutbox.io. The original PNUT-TRX LP still operates, and the new PNUT-BNB LP on BSC is delayed along with all other BSC-related assets and projects.

The number one priority right now is to secure the system and give users a safe environment.

Just remember, what doesn’t kill us, makes us stronger.

Development update

Walnut front end

  1. Reconstruct the functions of Walnut products to prepare for the new launch of Walnut;
  2. Distribute the first batch of nut compensation (2 million nut in total) to the victims of walnut contract attack.

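Chinese Introduction

Hello everyone. It's Monday again, time to cover the Nutbox projects and what happened in the cryptocurrency world over the past week.

Over the past few days, the Nutbox team published the audit report.

https://medium.com/@nutbox.dao/investigation-report-about-the-attack-on-walnut-network-2-40c287a3ad54

The article notes that because the Nutbox system is a cross-chain platform built across multiple blockchains, it needs to handle different contract management methods simultaneously and in a timely manner.

For example, Polkadot and Kusama parachain crowdloans stake users' $DOT or $KSM directly to the official pallet, and not even the users themselves can withdraw their staked assets. For content creation blockchains such as STEEM and HIVE, by contrast, users only need to "lend" their delegation to a contract or account. There is no fixed-term contract in the meantime, and users can cancel their delegation at any time.

Under the current design, the Walnut system uses a traditional backend to manage contract signing. As a result, the private keys must be stored on an online server.

The management team shut down the service immediately after the attack. But the damage was done, and the attacker used the private transaction contract from Tornado.Cash to hide his/her later transactions.

Knowing the cause is only half the battle; how the team can provide users with a safer platform is the most important goal going forward. The trust the Nutbox team lost in this incident costs more than the stolen funds.

In the report, the team provided several steps to strengthen the security of the existing product. These include deprecating the unsafe mechanisms found during the investigation, and isolating the staked assets of each pool, even though this consumes more external computing power when calculating cToken rewards.

Most importantly, the investigation and monitoring are not over, and never will be. Security is the daily work of every staff member working in this ecosystem. Only by doing so can we regain our users' trust, strive to provide the best service we can, and extend the life of the project.

Currently, users can still use the services at https://peanut.nutbox.io and https://polkadot.nutbox.io. The original PNUT-TRX LP is still running, and the new PNUT-BNB LP on BSC is postponed along with all other BSC-related assets and projects.


Changelog

Walnut front end

  1. Reconstruct the Walnut product functions to prepare for the new launch of Walnut;
  2. Distribute the first batch of nut compensation (2 million in total) to the victims of the Walnut contract attack.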

【For detailed distribution rules, please refer to the document】: https://docs.nutbox.io

【Delegation manual】: https://blog.nutbox.io/@nutbox.mine/the-new-ui-of-nutbox-is-about-to-online-and-the-tutorial-of-new-ui

【Walnut tutorial】:https://nutbox-io.gitbook.io/nutbox/using-the-walnut/operation-guide


Please follow our Nutboxes' Ambassadors:

@happycapital【Korea】
@abcallen【China】
@ale.aristeguieta【Venezuela】
@bsfmalaysia【Malaysia】
@lnakuma【United States】
@timbae【Korea】


Nutbox Official: https://nutbox.io/
Peanut DeFi: https://peanut.nutbox.io/
Nutbox Parachain Slot Auction: https://polkadot.nutbox.io/#/crowdloan/kusama
Telegram: https://t.me/nutbox_defi
Discord: https://discord.gg/fbkSVvFsuG
Twitter: https://twitter.com/NutboxDao

  ·  2 months ago 

A triple for the boss !shop

[WhereIn Android] (http://www.wherein.io)

  ·  2 months ago 

👍👍👍!shop Pat pat

  ·  2 months ago 

👍👍
like

  ·  2 months ago 

Pat pat

  ·  2 months ago 

Pat pat

  ·  2 months ago 

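Hello, lnakuma!

@haoeeicc ordered you a takeout!

Freshly made fried taro chips

Are you full? Play rock-paper-scissors with me! Rock, scissors, paper~

If you are satisfied with my service, please don't be stingy with your upvote~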

  ·  2 months ago 

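Hello, lnakuma!

@boylikegirl ordered you a takeout!

Four-joy meatballs

Are you full? Play rock-paper-scissors with me! Rock, scissors, paper~

If you are satisfied with my service, please don't be stingy with your upvote~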

  ·  2 months ago 

Thanks for the weekly report, 阿酷

like

  ·  2 months ago 

Keep holding; hopefully persistence will be rewarded! !shop

  ·  2 months ago (edited)

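Hello, lnakuma!

@susanli3769 ordered you a takeout!

Ice cream bread

Are you full? Play rock-paper-scissors with me! Rock, scissors, paper~

If you are satisfied with my service, please don't be stingy with your upvote~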

  ·  last month 

Pat pat