Background
12/8, 8 pm, hacker itsspiderman used exploit in eCurve to mint infinite Tripool tokens and deposit as collateral in PIZZA platform, drained all valuable assets.
Afterward, the hacker created more than 1.3 million accounts and has transferred the stolen assets. The loss of the PIZZA in this attack is approximately equivalent to 5 million U.S. dollars. The distribution of stolen assets is shown below
The hacker has emptied all PIZZA assets by collateralizing $11 million TRIPOOL assets. For each lost token, the first was USDT (including OUSD, etc.) with 2 million U.S. dollars; the second was TPT, with a total of 79 million tokens, equivalent to 1.9 million U.S. dollars. In total, Pizza has lost more than 5 million U.S. dollars.
Progress on December 8, 2021
The PIZZA community has teamed up with SlowMist, bps, liquidity providers, and exchanges to conduct investigations. Currently
Progress on December 9, 2021
Several solutions
The TPT cross-chain bridge is reopening, and time is very tight. After communicating with TPT holders and officials, the following schemes are now proposed for community discussion.
Some sharings on the above solutions
TPTDAO volunteers, whales, and TP officers have discussed the solutions above. The discussions are based on maximizing the interests of TPT holders. Below are some key meeting minutes.
(1) The hacker's TPTs will be disabled and can no longer be dumped into BSC chain
(2) This transaction doesn't rely on the cooperation of PIZZA official and can be implemented promptly
(3) Nearly 2 million TPTs will be injected into TPTDAO vault
Weakness is
(1) Other related parties of this accident may condemn TP for just taking care of its investors
3. Scheme 3 is based on the premise of trusting PIZZA official. TP official helps PIZZA official to reduce losses and resume operations if applicable.
The advantage is
(1) The hacker's TPTs will be disabled and can no longer be dumped into BSC chain
(2) All borrowing interest borne by TPT depositors is waived
(3) Other victims get the loan principal returned by TPT depositors to make up for their losses
(4) PIZZA official may be rescued and re-operate
Weakness is
(1) Compared with Scheme 2, unnecessary negotiation happens, and the hacker may transfer TPTs during this period, causing significant losses to all TPT holders
(2) The ethical risk of a Pizza officer. For example, after receiving the loan principal returned by TPT depositors, Pizza officials don't act positively to make sure all the deposited TPTs return to their TPT depositors
4. There should be no TPT holders support scheme 4
Discussion period
The hacker may successfully cross-chain at any time and cause 79 million TPT to dump into BSC. TPTDAO suggests that the TPTDAO initiate a vote on December 10, 2021, and urge the TP official to implement it as soon as possible.
The proposal will vote on TPTDAO's official website, https://fans.tokenpocket.pro/, in the Chinese language. You may find the updates of this incident in the links below.
Tokenpocket Twitter: https://twitter.com/heipacker
Pizza Twitter: https://twitter.com/PizzaProFi
Telegram CN: https://t.me/pizzairCN
Telegram EN: https://t.me/PIZZAUSDE
PS: I entered the telegram group yesterday. Although I didn't know Pizza officer Guan before, I found that nearly everyone supports and trusts Guan even in this environment. Guan continues to seek solutions online for more than two days. Although Scheme 2 is the optimal solution for TPT holders, if Guan promises to comply with scheme three completely, scheme 3 could also be a good choice. Hope that everyone can work together to find the best solution for a win-win situation.