88mph MPHMinter contract issue

Funds safe. Snapshots. Airdrop. Next steps.

McFly 🛹| 88mph
2 min readNov 18, 2020


There was a bug discovered in the MPHMinter contract that enables a potential attacker to steal all the ETH in the Uniswap pool. It was brought to our attention by


With his help, we have extracted the ETH into the governance multisig, so all funds are safe. The price of MPH is currently at 0 for this reason.

Governance multisig: https://app.zerion.io/0x56f34826cc63151f74fa8f701e4f73c5eaae52ad/overview

Deposits of USDC, UNI, yCRV and crvRenWSBTC are SAFE and weren’t affected by this issue. No action required there. If you want to withdraw, just ask me or Zefram by DM on Discord/TG some MPH to unlock your deposit, we’ll send them from the governance multisig.

One silver lining of all this is that because the bonds MPH rewards attacker earlier today put his $100k funds in the LP pool, it is now in the governance wallet. This economic exploit isn’t related to the MPH minter issue. It was an economic exploit temporarily patched yesterday, with a permanent patch going through our time lock contract. We have decided to distribute these funds to y’all. Details will be announced later today.

Snapshots — check your address

Update: Here is the complete snapshot that includes everyone https://gist.github.com/ZeframLou/76284245e06b8bf776440b64ce3db6fd

MPH holder snapshot: https://thegraph.com/explorer/subgraph/bacon-labs/eighty-eight-mph?query=MPH%20holders

Uniswap MPH/ETH Pool holder Snapshot: https://thegraph.com/explorer/subgraph/bacon-labs/mph-lp-snapshot?query=LP%20holders%20snapshot

UNI LP tokens staked: https://thegraph.com/explorer/subgraph/bacon-labs/mph-lp-staking-snapshot?query=lpstakers

Unclaimed MPH rewards will be distributed.

Click on the Play purple button and after that, in the central column. Then CTRL or CMD+F to check your address.

Next steps

The next steps for us will be to combine the snapshot subgraphs to create a (userAddress) => (MPH & ETH amounts) mapping. Then airdrop it. No action required from you.

Detailed announcement regarding these next steps will be published on our respective social channels later today, alongside the plan to restart the liquidity mining program with the v2.

We’ll disclose all details publicly regarding how we transferred ETH/MPH pool funds and the details of the bug with the help of Samczsun.

Thanks for your patience and really grateful for all the supporters who popped out to offer their help.