API3 is committed to maintaining the highest standards of security and transparency. We have identified a potential risk that requires action from our users’ end. Once ample time has been given to all potentially endangered parties to respond, we will publish a detailed report.
This is not related to the API3 token contract, the API3 DAO and staking pool contracts, or the Airnode request-response protocol contracts included in @api3/airnode-protocol (used by Airnode, ChainAPI, and QRNG).
It is important to note that no funds were lost and no harm occurred.
The relevant components have been redeployed with a guided fix for the issue. In the past days, all known affected users have been contacted and they have taken steps to switch over to the new deployments, successfully eliminating any known potential risk.
API3 dAPIs are permissionless to read, which is why we have no reasonable way to determine everyone who might be using our data feeds. If you have not been contacted by API3 in recent days or did not have a preexisting communications line with us, please make sure to follow the steps outlined below to utilise the newly deployed data feeds immediately.
Instructions for dAPI Users
- Go https://market.api3.org to deploy a new proxy contract for each dAPI you use.
- Update your old dAPI proxy addresses with the new ones.
- If you are using @api3/contracts or @api3/airnode-protocol-v1 as dependencies in your projects, upgrade to v1.0.1 and v3.0.0 or higher, respectively.
The data feeds referred to by the old proxies will continue being updated until Friday, December 15, 2023, after which time they will be abandoned. To reiterate, our users should not wait until then, and are strongly recommended to update their proxies as soon as possible.
Security is Our Number One Priority
The security and trust of our ecosystem partners is paramount.
We want to thank Quantstamp for their support and swift action. We also want to thank our users for acting quickly to mitigate any risk. We will continue to update the community with more details once all at risk parties have had ample time to address this concern.
For more information, please reach out to our support team in Discord or contact us at security@api3.org.
