Hello folks. It's Monday again, time for a new report on the Nutbox projects and what happened over the past week.
A couple of days ago, the Nutbox Team published the second audit report.
Since Nutbox is a cross-chain platform built across multiple blockchains, the system has to handle different contract management methods simultaneously and in a timely manner.
For example, Polkadot and Kusama require users to stake their DOT or KSM through the official Crowdloan pallet. Nobody, including the users themselves, can withdraw the contributed assets while they are locked, before the end of the current parachain slot auction. Content-creating blockchains such as STEEM and HIVE, however, only require delegations: there is no locking mechanism that binds a user's delegation to a certain contract and/or account until a specific date, and users can remove their assets at will.
In the current design, a traditional backend is used to manage contract signing, which means the private keys must be stored on an online server. Any key kept on an online server is a hot key, and everything that key is allowed to sign is exposed if that server is compromised.
The management team shut down the service right after the attack. But the damage was done, and the attacker used the private transaction contract of Tornado.Cash to hide his or her subsequent transactions.
Knowing the cause is half the battle; what the team can do to provide a safer platform for its users is the most important goal going forward. The trust the Nutbox Team lost in this incident costs more than the stolen funds.
In the report, the team lays out several steps to tighten the security of the existing product: deprecate the unsafe mechanism found during the investigation, and isolate the staking assets of each pool, even though this costs more external computation when calculating cToken rewards.
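To make the per-pool isolation step concrete, here is an added illustration that is not code from the audit report or the Nutbox project. It assumes two ledger designs constructed for the example: one where every pool's stake sits in a single custody balance, and one where each pool keeps its own balance, with rewards computed per pool. The pool and account names (`pool-A`, `pool-B`, `alice`, `bob`, `carol`) and the amounts are constructed sample data.

```python
# Added illustration: shared custody balance vs per-pool isolated balances.
# Pool and account names below are constructed for the example.
from collections import defaultdict
from decimal import Decimal


class SharedCustodyLedger:
    """Every pool's stake sits in one custody balance (the shared model this
    example assumes). A withdrawal on behalf of pool A is only checked
    against the platform-wide total, so it can consume pool B's deposits
    without ever touching pool B's own accounting."""

    def __init__(self):
        self.custody = Decimal(0)
        # pool -> user -> amount staked
        self.stakes = defaultdict(lambda: defaultdict(Decimal))

    def deposit(self, pool, user, amount):
        amount = Decimal(amount)
        self.stakes[pool][user] += amount
        self.custody += amount

    def withdraw(self, pool, amount):
        amount = Decimal(amount)
        if amount > self.custody:
            raise ValueError("insufficient custody balance")
        self.custody -= amount
        return amount


class IsolatedPoolLedger:
    """Each pool has its own custody balance; a withdrawal can never exceed
    what that pool's own stakers deposited, whatever happens elsewhere."""

    def __init__(self):
        self.custody = defaultdict(Decimal)  # pool -> custody balance
        self.stakes = defaultdict(lambda: defaultdict(Decimal))

    def deposit(self, pool, user, amount):
        amount = Decimal(amount)
        self.stakes[pool][user] += amount
        self.custody[pool] += amount

    def withdraw(self, pool, amount):
        amount = Decimal(amount)
        if amount > self.custody[pool]:
            raise ValueError(f"pool {pool}: insufficient balance")
        self.custody[pool] -= amount
        return amount

    def rewards(self, pool, reward):
        """Split one pool's reward pro rata among that pool's stakers.
        This runs once per pool instead of once over a shared balance,
        which is the extra computation the isolation costs."""
        reward = Decimal(reward)
        staked = sum(self.stakes[pool].values(), Decimal(0))
        if staked == 0:
            return {}
        return {u: reward * a / staked for u, a in self.stakes[pool].items()}


def shared_ledger_custody_after_overdraw():
    """Pool A drains 150 although its own stakers deposited only 100."""
    ledger = SharedCustodyLedger()
    ledger.deposit("pool-A", "alice", 100)
    ledger.deposit("pool-B", "bob", 50)
    ledger.withdraw("pool-A", 150)  # passes: only the total is checked
    return ledger.custody  # 0: bob's 50 is gone, his stake record is unbacked


def isolated_ledger_blocks_overdraw():
    """The same withdrawal is refused when balances are kept per pool."""
    ledger = IsolatedPoolLedger()
    ledger.deposit("pool-A", "alice", 100)
    ledger.deposit("pool-B", "bob", 50)
    try:
        ledger.withdraw("pool-A", 150)
    except ValueError:
        return ledger.custody["pool-B"] == 50  # pool B untouched
    return False


def isolated_pool_rewards():
    """Rewards for pool A only reach pool A's stakers."""
    ledger = IsolatedPoolLedger()
    ledger.deposit("pool-A", "alice", 100)
    ledger.deposit("pool-A", "carol", 50)
    ledger.deposit("pool-B", "bob", 50)  # not a pool-A staker
    return ledger.rewards("pool-A", 30)


if __name__ == "__main__":
    print(shared_ledger_custody_after_overdraw())
    print(isolated_ledger_blocks_overdraw())
    print(isolated_pool_rewards())
```

The point of the isolated version is the bound on `withdraw`: a bug or a compromised signer acting on one pool can take at most what that pool holds, instead of the whole platform's custody. The price is that reward distribution has to be run per pool, as the report notes.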
Most importantly, the investigation is not over, and will never be over. Security is a daily job for everyone working on this ecosystem. Only by doing this can we regain our users' trust, provide the best service we can, and keep the project going.
At the current state, users can still use the services at https://peanut.nutbox.io and https://polkadot.nutbox.io. The original PNUT-TRX LP still operates; the new PNUT-BNB LP on BSC is delayed, along with all other BSC-related assets and projects.
The number one priority right now is to secure the system and give users a safe environment.
Just remember, what doesn’t kill us, makes us stronger.
Walnut front end
- Reconstruct the functions of the Walnut products to prepare for the relaunch of Walnut;
- Distribute the first batch of NUT compensation (2 million NUT in total) to the victims of the Walnut contract attack.
For detailed distribution rules, please refer to the documentation: https://docs.nutbox.io
Please follow our Nutbox Ambassadors:
Nutbox Official: https://nutbox.io/
Peanut DeFi: https://peanut.nutbox.io/
Nutbox Parachain Slot Auction: https://polkadot.nutbox.io/#/crowdloan/kusama