How 1Hive Solved Domain Hijack Issue on Honeyswap

Mert Dalgıç
Published in 1Hive
2 min read · Jul 26, 2022

Dear Honeyswap users!

On the 9th of May, we started receiving reports from users on both the 1Hive Telegram and Discord channels that the output of their swap transactions was not arriving in their own wallets. On investigation, we identified that transactions made through the Honeyswap frontend were in fact sending funds to a malicious address belonging to the hacker: 0xD3888a7E6D6A05c6b031F05DdAF3D3dCaB92FC5B

Immediately after receiving these reports and verifying that something was wrong with the transactions, we announced on all our channels that nobody should use the Honeyswap frontend until further notice, while we identified the source of the problem. Additionally, we urged users who may have used the Honeyswap frontend before or during the period in which we suspected the attack had been active to revoke their token spending approvals through https://revoke.cash/, just in case.

Working around the clock to identify the source of the attack, we discovered that the domain provider with which the 1Hive websites were registered had transferred ownership of these domains to the attacker on the strength of forged documents. Well, obviously, Web2 security sucks. This being the case, and having no means to access the domains ourselves, we had to work with the domain provider to get ownership of the domains back. As most people who have dealt with these conventional companies will know, it took two days to regain ownership.

During this period, the attacker was able to steal around $30K worth of tokens on Gnosis Chain and Polygon. Hence, after regaining ownership of the domains, we set up a Reimburser DAO, and from this DAO we refunded all the addresses affected by the hack. During the reimbursement process, we used Tenderly and Blockscout to calculate each loss, and with the help of EVMcrispr we were able to reimburse everyone in a timely manner.

The reason for setting up a separate Reimburser DAO was that we use Conviction Voting in Gardens, and proposals there inherently take time to pass while conviction accumulates. Without a faster mechanism, reimbursing everyone would have had to wait for a proposal to pass in the 1Hive Garden, leaving affected users hanging. Accordingly, the Reimburser DAO will sell HNY gradually over a period of one month so as not to affect the market price, and a proposal will be submitted on the 10th of June to reimburse the Reimburser DAO once the amount of HNY sold to cover the users’ losses has been calculated.

Lastly, we migrated our honeyswap.org, 1hive.org, and 1hive.io domains to another domain provider, and in order to prevent such a Web2 vulnerability in the future, we configured our ENS names to point to our static websites hosted on IPFS. Browsers do not resolve ENS names natively yet, but gateways such as eth.limo provide a workaround. In fact, right now you can access our products through the following domains:

Honeyswap: https://honeyswap.1hive.eth.limo/

Celeste: https://celeste.1hive.eth.limo/#/dashboard

Gardens: https://gardensdao.eth.limo/#/home
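Pointing an ENS name at IPFS works by storing a contenthash record (EIP-1577) on the name: a multicodec namespace byte sequence followed by the CID of the pinned site. A useful defensive check is to periodically fetch that record and confirm it still decodes to the CID you pinned, so that a changed frontend is caught the same way a hijacked DNS record would be. The following is an added example, not 1Hive's own code: it decodes an ipfs-ns contenthash offline (both the CIDv1 form and the older bare-multihash CIDv0 form), renders the canonical base32 CID that gateways like eth.limo serve, and compares it with an expected value. The sample digest is constructed; fetching the record from the ENS resolver is left to whatever chain client you already use.

```python
"""Decode an ENS contenthash (EIP-1577, ipfs-ns) and compare it with a pinned CID.

Added example for illustration; not part of 1Hive's code base. The sample
digest used at the bottom is constructed, not a real site hash.
"""
import base64

IPFS_NS = 0xE3       # multicodec code for the "ipfs-ns" namespace
CODEC_DAG_PB = 0x70  # multicodec code for dag-pb (what `ipfs add` produces)
MH_SHA2_256 = 0x12   # multihash code for sha2-256
CID_V1 = 0x01


def read_varint(data, pos):
    """Read an unsigned LEB128 varint at `pos`; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7


def encode_varint(n):
    """Encode a non-negative integer as an unsigned LEB128 varint."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def cid_v1_base32(codec, multihash):
    """Render a CIDv1 in canonical lowercase base32 (the familiar 'bafy...' form)."""
    raw = encode_varint(CID_V1) + encode_varint(codec) + multihash
    return "b" + base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def decode_contenthash(contenthash_hex):
    """Parse an ipfs-ns contenthash into its parts; raise ValueError on anything else."""
    if contenthash_hex.startswith("0x"):
        contenthash_hex = contenthash_hex[2:]
    data = bytes.fromhex(contenthash_hex)
    namespace, pos = read_varint(data, 0)
    if namespace != IPFS_NS:
        raise ValueError("not an ipfs-ns contenthash (namespace 0x%x)" % namespace)
    first, after_first = read_varint(data, pos)
    if first == CID_V1:
        version = 1
        codec, pos = read_varint(data, after_first)
    elif first == MH_SHA2_256:
        version = 0  # CIDv0: bare sha2-256 multihash, dag-pb codec implied
        codec = CODEC_DAG_PB  # `pos` stays at the start of the multihash
    else:
        raise ValueError("unsupported CID prefix 0x%x" % first)
    hash_fn, pos = read_varint(data, pos)
    length, pos = read_varint(data, pos)
    digest = data[pos:pos + length]
    if len(digest) != length:
        raise ValueError("truncated digest")
    if pos + length != len(data):
        raise ValueError("trailing bytes after digest")
    multihash = encode_varint(hash_fn) + encode_varint(length) + digest
    return {
        "cid_version": version,
        "codec": codec,
        "hash_fn": hash_fn,
        "digest": digest,
        "cid": cid_v1_base32(codec, multihash),
    }


def build_contenthash(sha256_digest):
    """Build the CIDv1 contenthash hex string for a dag-pb root with this digest."""
    body = bytes([CID_V1, CODEC_DAG_PB, MH_SHA2_256, len(sha256_digest)]) + sha256_digest
    return "0x" + (encode_varint(IPFS_NS) + body).hex()


def contenthash_matches(contenthash_hex, expected_cid):
    """True only if the record decodes cleanly and resolves to the pinned CID."""
    try:
        info = decode_contenthash(contenthash_hex)
    except ValueError:
        return False
    return info["cid"] == expected_cid.lower()


if __name__ == "__main__":
    sample_digest = bytes(range(32))  # constructed; stands in for the site's root hash
    record = build_contenthash(sample_digest)
    print("record:", record)
    print("decodes to:", decode_contenthash(record)["cid"])
```

In a monitoring job you would read the record from the name's resolver with your usual chain client, keep the expected CID in configuration alongside the pin, and alert whenever `contenthash_matches` returns False. Because the comparison happens on the decoded CID rather than on raw bytes, a legitimate re-encoding from CIDv0 to CIDv1 does not trigger a false alarm.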

Also, in order not to miss the latest news from 1Hive, make sure to follow our social channels:

1Hive Twitter: https://twitter.com/1HiveOrg

Honeyswap Twitter: https://twitter.com/Honeyswap

And feel free to join the conversation at Telegram and Discord!
