Dear EOS Community,
This is an official announcement by EOSIO.SG, a Singapore-based BP. Since conception, we have and will always continue to dedicate ourselves to contributing to the EOS ecosystem and are honoured to be part of the BP community.
Accountability, transparency, and cybersecurity are at the core of our values as we strive to improve the EOS ecosystem and its safety for the entire community. As such, we would like to draw everyone’s attention to a recent security breach we were made aware of in the past 24 hours.
In summary, one of our testing accounts (sym111111add) was hacked on Nov-03–2018. This compromised account was subsequently used on Nov-12–2018 to misappropriate a significant volume of tokens associated with AirDropsDAC. The leadership team at AirDropsDAC subsequently authorised the publication of a Medium article, making some serious allegations against our team. We would like to assure the EOS community that we have no association with the EOS account sym111111add after it was compromised on Nov-03–2018.
A detailed timeline of events is presented below:
AirdropsDAC has contacted EOSIO.SG team on Nov-14–2018, 5:08pm(SGT)|9:08am(UTC) regarding the exploit event. The account AirdropsDAC5 was breached by hacker(s), and subsequently resulted in loss of the HVT and ZKS tokens through account sym111111add on Nov-12th 2018, which is described in their medium post. Some of the HVT Tokens were sold on NEWDEX and the profit of 2514 EOS were transferred to other accounts. For more detailed information on how their account was exploited, please contact AirDropsDAC directly as we believe it is their right to share this information in the first instance.
We have responded to AirdropsDAC in a timely manner on Nov-14–2018, 8:13pm(SGT)|12:13pm(UTC) after our preliminary investigation that the account sym111111add was exploited by hacker(s) and private key was amended on Nov-03–2018, 10:23:43 pm (SGT)| 2:23:43(UTC)(Diagram 1). However, EOSIO.SG team has not been informed regarding allegation in the medium post before a thorough investigation was conducted.
Diagram 1: Update Auth Before Attack
Facts of Exploits:
After the incidence, our team has thus conducted further internal investigations on this account sym111111add. Here are some of the facts we have found.
The account sym111111add was accidentally created on Nov-03–2018, 04:27:10 PM(SGT)| Nov by our programmer using script originally used on Testnet. The Testnet script was a public repo on Github to test FINDEX token pairs on Testnet. The public/private keys were made public temporarily between Aug-27–2018 to Nov-3–2018 before we made it private on Github. We believe that the hacker(s) has successfully acquired these keys during the window period above and further used them when he/she discovered our accident operation on Nov-03–2018, 6 hours after our mistake.
We have investigated the public key: ‘EOS7TBTmjpbYMVXCdzQZYDAyd7Pz2A63d4LD5ceb5wUmddLwSEu7R’
used by hacker. Here is a list of the accounts linked to this public key (Diagram 2). We are still conducting further investigations and reserve all our rights to release further results. We also welcome any assistance in helping us to investigate in this case.
Diagram 2: list of accounts linked to hacker‘s Public key: EOS7TBTmjpbYMVXCdzQZYDAyd7Pz2A63d4LD5ceb5wUmddLwSEu7R
Our improvements on management guidelines
We understand the critical nature of this incident and potential concerns the community may have. Therefore, we are upgrading our internal management guidelines, and will always further implement to make sure that these guidelines are compliant to the latest development of cybersecurity requirements.
As such, we would like to invite everyone to participate in a formal Q&A session to allow us to address your unanswered questions in an official and streamlined manner. The process is as follows:
- Please submit your questions to email@example.com;
- Submissions close on Friday Nov-16–2018, 12:00pm (SGT);
- An official response to each question will be published publicly on Medium by no later than 6pm on the same day.
All questions will be published anonymously as submitted via email (unless instructed otherwise by you).
Once again, we deeply regret that our oversight has resulted in one of our accounts to be compromised and subsequently used in an inappropriate manner. We will take a lot away from this incident and the frustration it has caused the AirdropsDAC team and the wider EOS community.