Background
12/8, 8 pm, hacker itsspiderman used exploit in eCurve to mint infinite Tripool tokens and deposit as collateral in PIZZA platform, drained all valuable assets.

Afterward, the hacker created more than 1.3 million accounts and has transferred the stolen assets. The loss of the PIZZA in this attack is approximately equivalent to 5 million U.S. dollars. The distribution of stolen assets is shown below

The hacker has emptied all PIZZA assets by collateralizing $11 million TRIPOOL assets. For each lost token, the first was USDT (including OUSD, etc.) with 2 million U.S. dollars; the second was TPT, with a total of 79 million tokens, equivalent to 1.9 million U.S. dollars. In total, Pizza has lost more than 5 million U.S. dollars.

Progress on December 8, 2021
The PIZZA community has teamed up with SlowMist, bps, liquidity providers, and exchanges to conduct investigations. Currently

1. Mainstream SWAP transactions, cross-chain, and exchange deposits and withdrawals on EOS are temporarily closed to prevent hackers from transferring assets.
2. At present, the hacker's main account itsspiderman has been blocked by the bps.

Progress on December 9, 2021

1. The KYC traced through its main account itsspiderman are all fake KYC. The hacker's current IP address is overseas, and he has not responded to any negotiation needs.
2. 7,900W TPTs have been transferred to 1.4 million decentralized accounts by hackers, and the bps are currently unable to block them.
3. After one day's ban, some cross-chain bridges are reopening. Hackers may transfer 79 million TPT out at any time. Once 79 million TPT are transferred to the BSC chain, dumping and fud will cause significant losses to TPT holders.

Several solutions
The TPT cross-chain bridge is reopening, and time is very tight. After communicating with TPT holders and officials, the following schemes are now proposed for community discussion.

1. TP official ensures that all cross-chain bridges and transactions are blocked. In order to prevent hackers from smashing the market with 7900W TPT, TP should block all TPT transactions in EOS chain until this incident is resolved.
2. TP official converts TPT contract tokens into a new one and takes a snapshot at the time before hackers stole the tokens. TP directly compensates the tokens to TPT victims in this accident and charges them a 20% handling fee to enter the TPTDAO vault.
3. TP official converts TPT contract tokens into a new one and takes a snapshot at the time before hackers stole the tokens. Based on the facts that PIZZA failed to perform diligence obligations to TPT depositors, which constituted a fundamental default, TPTDAO requires TP official and PIZZA official to reach the following agreements based on friendly negotiations;
   (1) TP official converts TPT contract tokens into a new one and takes a snapshot at the time before hackers stole the tokens. TP official returns the stolen TPT directly to PIZZA.
   (2) Due to the failure of diligence obligations, PIZZA official voluntarily exempted all interest incurred for TPT depositors and returned the TPT directly to the TPT depositors' account in full after the TPT depositors returned the loan principal.
   (3) PIZZA official promises to use all the loan principal returned by TP depositors to repay the claims of the remaining creditors and accept community supervision.
4. TP official does not intervene in any way. By now, the hacker has obtained the ownership of 79 million TPTs, and no one has the right to prevent them from conducting cross-chain and trading. The TP official will continue to cooperate with PIZZA in tracing but will not prevent them from conducting cross-chain and trading.

Some sharings on the above solutions
TPTDAO volunteers, whales, and TP officers have discussed the solutions above. The discussions are based on maximizing the interests of TPT holders. Below are some key meeting minutes.

1. Scheme 1 TP will try to prevent transactions of TPT so that the Bps and Pizza official have time to trace the hacker. The risk is that once any cross-chain bridge reopens, these TPTs will be transferred to BSC within a block, and they will no longer be able to track back.
2. Scheme 2 TP has the complete initiative to solve the problem. PIZZA official lost the TPT depositors' assets, which constituted a fundamental default. TP officially came forward to eliminate the influence of hackers and protect all holders of TPT. The advantage is

(1)  The hacker's TPTs will be disabled and can no longer be dumped into BSC chain

(2)  This transaction doesn't rely on the cooperation of PIZZA official and can be implemented promptly

(3)  Nearly 2 million TPTs will be injected into TPTDAO vault

Weakness is

(1)  Other related parties of this accident may condemn TP for just taking care of its investors

3. Scheme 3 is based on the premise of trusting PIZZA official. TP official helps PIZZA official to reduce losses and resume operations if applicable.

The advantage is

(1) The hacker's TPTs will be disabled and can no longer be dumped into BSC chain

(2) All borrowing interest borne by TPT depositors is waived

(3) Other victims get the loan principal returned by TPT depositors to make up for their losses

(4) PIZZA official may be rescued and re-operate

Weakness is

(1) Compared with Scheme 2, unnecessary negotiation happens, and the hacker may transfer TPTs during this period, causing significant losses to all TPT holders
(2) The ethical risk of a Pizza officer. For example, after receiving the loan principal returned by TPT depositors, Pizza officials don't act positively to make sure all the deposited TPTs return to their TPT depositors

4. There should be no TPT holders support scheme 4

Discussion period

The hacker may successfully cross-chain at any time and cause 79 million TPT to dump into BSC. TPTDAO suggests that the TPTDAO initiate a vote on December 10, 2021, and urge the TP official to implement it as soon as possible.

The proposal will vote on TPTDAO's official website, https://fans.tokenpocket.pro/, in the Chinese language. You may find the updates of this incident in the links below.

Tokenpocket Twitter: https://twitter.com/heipacker
Pizza Twitter: https://twitter.com/PizzaProFi
Telegram CN: https://t.me/pizzairCN
Telegram EN: https://t.me/PIZZAUSDE

PS: I entered the telegram group yesterday. Although I didn't know Pizza officer Guan before, I found that nearly everyone supports and trusts Guan even in this environment. Guan continues to seek solutions online for more than two days. Although Scheme 2 is the optimal solution for TPT holders, if Guan promises to comply with scheme three completely, scheme 3 could also be a good choice. Hope that everyone can work together to find the best solution for a win-win situation.