Nutbox Report 2021-11-29

in hive-155234 •  2 months ago 


English Version

Hello folks. It's Monday again, time to provide a new report on the Nutboxes' projects and what happened in the past week.

A couple of days ago, the Nutbox Team published the second audit report.

Since the Nutbox system is a cross-chain platform built between multiple blockchains, the system needs to handle different contract management methods simultaneously and in a timely manner.

For example, Polkadot and Kusama require users to stake their DOT to the official Polkadot Crowdloan pallet. Absolutely no one, including the users themselves, can withdraw the staked assets while they are locked before the end of the current parachain slot auction. However, content-creation blockchains such as STEEM and HIVE only require delegations; there is no locking mechanism that ties users' delegations to a certain contract and/or account until a specific date. Users can remove their assets at will.

In the current design, a traditional backend is used to manage the signing of contracts. The private keys must be stored on an online server to support this process.

The management team shut down the service right after the attack. But the damage was done, and the attacker used a private transaction contract from Tornado.Cash to hide his/her subsequent transactions.

Knowing the cause is half the battle; what the team can do to provide a safer platform for users is the most important goal going forward. The trust the Nutbox Team lost during this incident costs more than the stolen funds.

In the report, the team has provided several steps to tighten the security of the existing product: deprecate the unsafe mechanisms found during the investigation, and isolate the staking assets of each pool, even though this will cost more external computation power when calculating the cToken reward.

Most importantly, the investigation is not over and will never be over. Security is a daily job for every staff member working on this ecosystem. Only by doing this can we regain our users’ trust, provide the best service we can, and prolong the project.

At the current state, users can still use the service at https://peanut.nutbox.io. The original PNUT-TRX LP still operates, and the new PNUT-BNB LP on BSC is delayed along with all other BSC-related assets and projects.

The number one priority right now is to secure the system and give users a safe environment.

Just remember, what doesn’t kill us makes us stronger.

Development update

Walnut front end

  1. Reconstruct the functions of the Walnut products to prepare for the new launch of Walnut;
  2. Distribute the first batch of nut compensation (2 million nut in total) to the victims of the Walnut contract attack.






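Under the current design, the Walnut system uses a traditional backend to manage the signing of contracts. As a result, the private keys must be stored on an online server.

The management team shut down the service immediately after the attack. But the damage had already been done, and the attacker used a private transaction contract from Tornado.Cash to hide his/her later transactions.

Knowing the cause is only half the battle; how the team can provide users with a safer platform is the most important goal for the future. The trust the Nutbox team lost in this incident costs more than the stolen funds.

In the report, the team provided several steps to strengthen the security of the existing product. These include deprecating the unsafe mechanisms found during the investigation and isolating the staked assets of each pool, even though this consumes more external computing power when calculating cToken rewards.

Most importantly, the investigation and controls are not over and never will be. Security is the daily work of every staff member working in this ecosystem. Only by doing so can we regain users' trust, strive to provide the best service we can, and extend the life of the project.

At present, users can still use the service at https://peanut.nutbox.io. The original PNUT-TRX LP is still running, and the new PNUT-BNB LP on BSC has been postponed along with all other BSC-related assets and projects.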



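  1. Rebuild the Walnut product functions to prepare for the new Walnut launch;
  2. Distribute the first batch of nut compensation (2 million in total) to the victims of the Walnut contract attack.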

【For detailed distribution rules, please refer to the document】:

【Delegation manual】:

【Walnut tutorial】:

Please follow our Nutboxes' Ambassadors:

@lnakuma【United States】

Nutbox Official:
Peanut DeFi:
Nutbox Parachain Slot Auction:
