Baby Samo Genesis NFT Staking Post Mortem: Emissions Exploit Dec 27

Baby Samo Coin
5 min read, Jan 6, 2022


Dear Arf Arf Army and Solana community, we would like to start by saying thank you to everyone for their support and to everyone that has helped us in handling this exploit, especially the team at SolCasino.

We took down the Baby Samo Genesis NFT staking program as soon as the emissions exploit was discovered on Dec 27, and have since recovered approximately half of the BABY that was exploited. The majority of the BABY that was not recovered was sold between December 24 and December 27. At this time, the two exploiter addresses hold a total of 19.6 Million BABY ($1,968 USD).

What Happened

On 12/27/21 around 1 AM PST, the Baby Samo Dev team noticed irregularities in the amount of BABY emissions from the Baby Samo Genesis NFT staking program. Upon further investigation, we discovered there were two separate addresses making multiple collections at a time from a single collection event. Approximately 242 Million BABY was exploited from the staking program in total. However, quick thinking and coordination with the SolCasino team allowed us to recover 120 Million BABY.

Shown in the snip below is an example of the transaction history for the exploit, where 216,115.73 BABY was claimed multiple times from a single collection event. The attackers performed this exploit many times over the span of 5 days (12/23/21 to 12/27/21). See the exploiter Solana addresses below.

After we identified the exploiter addresses and confirmed the main exploiter still held over 120 Million BABY in their wallet, we added code into the Genesis NFT staking program that would withdraw 60 Million BABY from the exploiter address, but only if they interacted with the staking program again. Luckily, the main exploiter did interact with the staking program and we successfully took back 60 Million BABY.

Then, we observed the main exploiter deposit 60 Million BABY into SolCasino. We immediately reached out to the SolCasino team via Twitter DM and notified them of the situation. After we provided the exploiter’s transaction history to the SolCasino team, they agreed to lock the remaining 60 Million BABY inside their vault. This prevented the exploiter from accessing the bulk of the remaining exploited BABY. We will be able to retrieve the locked funds from the SolCasino vault pending final checks and balances.

The main exploiter withdrew 185.6 Million BABY from the staking program, but the Baby Samo Team recovered 120 Million of the exploited funds from this address.

Exploiter Solana Addresses:

9N7YkXdpssYxmh1UyL9cVwRJDsV7X2saimCuRz9WkVdQ: 185.6 Million BABY ($18,560 USD) exploited but the Baby Samo team recovered 120 Million of it. This address currently holds 4,686,699 BABY ($468.67 USD).

5gHtQkmFvUgc9yPyrM1ybgHrsiUmMppGxSVJPk2Lkunp: 56 Million BABY ($5,600 USD) exploited and still holds 15 Million BABY ($1,500 USD).

How Did it Happen?

We implemented flexible emissions rates into the Genesis NFT staking program that adjust in real time whenever a Genesis NFT is burned, resulting in increased BABY emissions for the remaining holders. To achieve this we built an external database in which the pending BABY collections were stored. The use of an external database created a critical vulnerability that allowed users to withdraw multiple BABY collections from a single claim event. The exploiters used multiple browser tabs to collect funds at the same time.

Staking was exploited when users attempted to collect their funds using multiple tabs. Users could connect their wallet to the staking program, duplicate the browser tab over and over again, then claim the displayed collection amount in every tab. This worked because the website would pull the collection amount from the database, fulfil the collection, and only then update the database. Because the read, the payout and the update were not a single atomic step, the multiple tabs could all read the database before it was updated, and each one was paid the full amount.

Actions Taken

Upon discovering the emissions exploit in the Baby Samo Genesis NFT staking program, the team shut down staking instantly to prevent further losses. Next, the team traced the exploits to two addresses and went on the offensive to retrieve as much of the remaining exploited funds as possible.

We are in the process of modifying the Genesis NFT staking program to ensure this exploit, or any other, is not possible. To fix this issue, staking will now have a fixed rate of 11,000 BABY per day, and collection amounts are no longer stored at all. Instead, the time of the last collection is stored in the Solana program itself. The fixed emissions rate will be adjusted manually when Baby Samo Genesis NFTs are burned via our “Exchange and Burn Genesis NFT for BABY” program.

Note: Emissions were at 11,000 BABY per day before the staking program was shut down, so users will receive the same emissions amount as before staking ended.

Storing the data in the Solana program instead of a database ensures that multiple tabs cannot read a stale last collection time: a second transaction cannot see the account until the previous transaction has finished and the last collection time has been updated. When you collect, the program compares this stored time to the current time to calculate the amount of BABY you can collect. The updated staking program will be released in the coming days.

Finally, we are moving to a multi-wallet structure to store the BABY staking emissions for the Baby Samo Genesis NFTs. One wallet will be connected to the staking program and will only hold a week’s worth of BABY emissions at a time. A secondary wallet will hold the majority of the BABY allocated to the Genesis NFTs. The wallet connected to the staking program will be “refilled” weekly from the secondary wallet. The multi-wallet structure will act as a circuit breaker, severely limiting the potential loss in the event of a future exploit of the staking program.
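To make the difference between the two designs concrete, here is an added illustration written for this page; it is not Baby Samo's code and not the real staking program. It models the original off-chain flow described under "How Did it Happen?" (read the pending amount, fulfil it, then update the database, with several browser tabs interleaving those steps), beside the replacement described under "Actions Taken" (store only the last collection time, pay out at a fixed 11,000 BABY per day, and draw claims from a hot wallet that is refilled weekly). The struct layouts, function names, the `wallet_a` address and the sample amounts are all assumptions made for the example.

```rust
// Added illustration, not Baby Samo's code: a deterministic model of the two
// claim designs the post mortem describes. Names, layouts and amounts assumed.
use std::collections::HashMap;

/// Fixed emission rate stated in the post mortem: 11,000 BABY per NFT per day.
pub const RATE_PER_DAY: u64 = 11_000;
pub const SECONDS_PER_DAY: u64 = 86_400;

/// Assumed shape of the old external database: pending BABY per wallet.
#[derive(Default)]
pub struct LegacyBackend {
    pending: HashMap<String, u64>,
    paid: HashMap<String, u64>,
}

impl LegacyBackend {
    pub fn set_pending(&mut self, wallet: &str, amount: u64) {
        self.pending.insert(wallet.to_string(), amount);
    }
    /// Step 1: the page reads the displayed collection amount.
    pub fn read_pending(&self, wallet: &str) -> u64 {
        self.pending.get(wallet).copied().unwrap_or(0)
    }
    /// Step 2: the backend fulfils the amount the page sent without re-checking.
    pub fn fulfil(&mut self, wallet: &str, amount: u64) {
        *self.paid.entry(wallet.to_string()).or_default() += amount;
    }
    /// Step 3: the database is cleared only after the payout already went out.
    pub fn clear_pending(&mut self, wallet: &str) {
        self.pending.insert(wallet.to_string(), 0);
    }
    pub fn paid_to(&self, wallet: &str) -> u64 {
        self.paid.get(wallet).copied().unwrap_or(0)
    }
}

/// `tabs` browser tabs each run read -> fulfil -> clear, interleaved so every
/// tab has read before any tab clears: the check-then-act race the post describes.
pub fn legacy_claim_from_tabs(db: &mut LegacyBackend, wallet: &str, tabs: usize) -> u64 {
    let reads: Vec<u64> = (0..tabs).map(|_| db.read_pending(wallet)).collect();
    for amount in reads {
        db.fulfil(wallet, amount);
        db.clear_pending(wallet);
    }
    db.paid_to(wallet)
}

/// Per-wallet stake state kept in the program: only the last collection time.
pub struct StakeAccount {
    pub last_collected_at: u64,
}

pub struct HardenedProgram {
    stakes: HashMap<String, StakeAccount>,
    /// Balance of the wallet connected to the program. The secondary wallet
    /// refills it weekly, so a future bug can drain at most a week of emissions.
    hot_wallet: u64,
}

impl HardenedProgram {
    pub fn new(hot_wallet: u64) -> Self {
        HardenedProgram { stakes: HashMap::new(), hot_wallet }
    }
    pub fn stake(&mut self, wallet: &str, now: u64) {
        self.stakes.insert(wallet.to_string(), StakeAccount { last_collected_at: now });
    }
    /// Payout derived from elapsed time at the fixed rate (whole BABY).
    pub fn claimable(&self, wallet: &str, now: u64) -> u64 {
        match self.stakes.get(wallet) {
            Some(s) => now.saturating_sub(s.last_collected_at) * RATE_PER_DAY / SECONDS_PER_DAY,
            None => 0,
        }
    }
    /// One claim is one transaction: state is advanced before the transfer, so a
    /// second transaction at the same `now` computes a payout of 0.
    pub fn claim(&mut self, wallet: &str, now: u64) -> Result<u64, String> {
        let amount = self.claimable(wallet, now);
        if amount == 0 {
            return Ok(0);
        }
        if amount > self.hot_wallet {
            return Err(format!("hot wallet holds {} BABY, claim needs {}", self.hot_wallet, amount));
        }
        // Advance by the seconds actually paid for, so rounding dust carries
        // over to the next claim instead of being forfeited.
        let paid_secs = amount * SECONDS_PER_DAY / RATE_PER_DAY;
        if let Some(s) = self.stakes.get_mut(wallet) {
            s.last_collected_at += paid_secs;
        }
        self.hot_wallet -= amount;
        Ok(amount)
    }
    /// Weekly refill from the secondary wallet.
    pub fn refill(&mut self, amount: u64) {
        self.hot_wallet += amount;
    }
    pub fn hot_wallet_balance(&self) -> u64 {
        self.hot_wallet
    }
}

fn main() {
    let mut db = LegacyBackend::default();
    db.set_pending("wallet_a", 216_115); // constructed sample, one pending collection
    println!("legacy, 3 tabs: paid {}", legacy_claim_from_tabs(&mut db, "wallet_a", 3));

    let mut p = HardenedProgram::new(7 * RATE_PER_DAY); // one week of emissions
    p.stake("wallet_a", 0);
    println!("hardened, day 1: {:?}", p.claim("wallet_a", SECONDS_PER_DAY));
    println!("hardened, same slot again: {:?}", p.claim("wallet_a", SECONDS_PER_DAY));
}
```

Two design points are worth noticing. In `HardenedProgram::claim` the stored timestamp is updated before the transfer, the ordering that makes a duplicate transaction harmless; in the legacy flow the order was reversed and the three steps were not one transaction, which is what a second tab exploited. The hot wallet bound is independent of the race fix: even if a fresh bug let a claim compute the wrong amount, `claim` cannot pay out more than the week's refill that the wallet holds.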

Bug Bounty

We encourage the exploiters to reach out and begin a dialogue for the return of the remaining stolen funds. We know that you minted the Baby Samo Genesis NFTs used to exploit the staking program, so you are clearly active participants in the Arf Arf Army to some degree. Do the right thing and return the remaining funds to the address below.

Baby Samo Address: GCqNg2gtBZMhk9fMAg18oyWa6jjQbZmL2TKK99Wr4sH2
