N3DR Hacking Incident Investigation Report
0xE97a
May 11th, 2022

We suffered a very painful experience. On 2022.5.10, at UTC 18:40, 18:42 and 18:54 respectively, 70 million N3DRs were sold by hackers. The exact operation has been detailed by the security company @Blocksec. We will also closely investigate whether it is specifically an INSIDE job.

  

But NeorderDAO guarantees, in the name of God, that we are a team with an ambitious vision. Personal wealth is never our main goal; we still wish to establish a new order of web3 with all people who have ideals.

Regarding the privilege contract issue raised by the white hat, I hope to be able to explain.

We designed the current FOMO jackpot to increase the cost for cheaters to participate. We use a Chainlink random number to select, from a list of multiple candidates, the winners closest to the random number.

On the test chain, if there are too many candidate orders, such as 40 or 50, the on-chain logic of the draw exceeds the BSC limit, so that no one is able to draw. However, every transfer within our contract triggers this draw logic first. If the jackpot logic cannot run successfully, it means that our token cannot be transferred.

As an aside: the BSC chain limits the maximum amount of logic that can be executed in one tx. For our FOMO contract, the uncertainty in the amount of each order and in the number of historical orders means that we cannot accurately confirm whether 40, 50 or some other number will trigger this issue.

In order to prevent this problem from occurring after the main website goes online, we left in a privilege contract method that does not trigger the jackpot logic and is controlled by a dynamic key. This means that if the number of candidate orders in the FOMO pool exceeds the limit, the whole token will be in an untransferable and untradeable state, and the pool will then need to be emptied first and upgraded to a new FOMO contract. We are already working on a V2 version of the FOMO pool contract, which will have more randomness and FOMO stimulation.
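An added sketch, not NeorderDAO's contract or any code from this report: one way to keep the draw from blocking transfers is to cap the work done per transfer and carry a cursor across calls, so that no transfer path skipping the jackpot logic is needed. All names, the `MAX_STEPS` value and the closest-ticket rule are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added sketch with hypothetical names; not NeorderDAO's contract.
abstract contract BoundedDraw {
    struct Order { address buyer; uint256 ticket; }
    Order[] internal candidates;      // append-only; never cleared in one tx
    uint256 internal roundStart;      // first candidate of the current round
    uint256 internal roundEnd;        // snapshot taken when the draw starts
    uint256 internal cursor;          // next candidate to examine
    uint256 internal target;          // random value for the current draw
    bool internal drawOpen;           // true while a draw is in progress
    address internal bestBuyer;       // closest candidate seen so far
    uint256 internal bestDistance;    // its distance from the target
    uint256 internal constant MAX_STEPS = 10; // assumed per-transfer work cap
    event Winner(address indexed buyer, uint256 distance);

    function _addOrder(address buyer, uint256 ticket) internal {
        candidates.push(Order(buyer, ticket));
    }

    // Call from the randomness callback once the oracle value arrives.
    // Orders added after this point fall into the next round.
    function _startDraw(uint256 randomTarget) internal {
        require(!drawOpen && candidates.length > roundStart, "cannot start");
        target = randomTarget;
        cursor = roundStart;
        roundEnd = candidates.length;
        bestBuyer = address(0);
        bestDistance = type(uint256).max;
        drawOpen = true;
    }

    // Call at the top of every transfer. Gas is bounded by MAX_STEPS, so a
    // long candidate list delays the winner instead of blocking transfers.
    function _stepDraw() internal {
        if (!drawOpen) return;
        uint256 end = cursor + MAX_STEPS;
        if (end > roundEnd) end = roundEnd;
        for (uint256 i = cursor; i < end; i++) {
            Order storage o = candidates[i];
            uint256 d = o.ticket > target ? o.ticket - target : target - o.ticket;
            if (d < bestDistance) { bestDistance = d; bestBuyer = o.buyer; }
        }
        cursor = end;
        if (cursor < roundEnd) return;   // more candidates left for later transfers
        drawOpen = false;
        roundStart = roundEnd;           // advance the window instead of deleting
        emit Winner(bestBuyer, bestDistance);
    }
}
```

The round window is advanced rather than calling `delete` on the array, because clearing a large storage array in one transaction has the same unbounded cost as the original loop.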

The current situation is that the hacker cracked the dynamic private key by viewing the source code and through continuous cracking attacks, and with this private key first stole 79 million locked in team.finance at 18:40 UTC+, and then continued the attack 2 times and sold it.

After the hacker stole the token the first time, we have been contacting the contract engineer. The main contract engineer is in Seoul, South Korea, and, in order to bring the new FOMO pool online quickly, had worked overtime until 3:00 am Seoul time before resting, with the phone unfortunately muted. The right to shut down transactions is in the hands of the main contract engineer, who only woke up after 10:00 and then closed the transaction rights at the first opportunity.

For such a thing to have happened, we first apologize for our carelessness in ignoring the greed and technical strength of the hackers. We also condemn the hackers for their actions, for not creating value, for ignoring people's hard work, and for making an already isolationist society even more divided; it is their presence that makes NeorderDAO's persistence all the more necessary.

We know there is a lot of speculation that the team is doing something bad, and it's normal to have such speculation; after all, I personally think that way when I encounter other projects being attacked. But I still hope people can give us a little time to prove that all the trust and waiting is worthwhile.

Originally, we wanted to announce today our identity NFT, the splendid star dome, with an AR function, because we always want to go beyond ourselves and fly to the universe. At the same time, there was a particularly good collaboration that we wanted to announce. We thought it would be a big day for us, but we didn't expect such a result. Anyway, I am very sorry, and thank you for your support. We will continue to work hard and design a compensation plan at the same time.

Farkas Elke

And haven't slept for 2 days