The White Hat Rug Pull — Your ETH, USDC and OS Are Safe — All Is Well

4 min readOct 28, 2021

We discovered a critical bug in the Items v2 protocol.

We have already taken the steps required to secure it from exploitation by any black hat actors. However, the steps we had to take were fairly drastic, and holders, farmers and liquidity providers of $OS must take action.

Having said that, there is no urgency, funds are safe and there is no rush to act.

Ale is currently live on YouTube, explaining things and answering questions:

White Hat Rug Pull

Your ETH, USDC and OS are safe.

The exploit would have allowed a bad-faith actor to mint infinite $OS, which they then would have proceeded to dump in the open OS pools — the OS-USDC and OS-ETH pools in Uniswap v3, and the OS-ETH one in Uniswap v2.

There was no way to simply fix the bug and prevent such an attack.

Our only option was to carry out the attack ourselves.

We used the exploit to mint enough $OS, and sold it for all the ETH and USDC in those pools…

Claim Your USDC and ETH

… and now, we can redistribute all that ETH and USDC back to their rightful owners, at no loss.

To do this fairly and precisely, we took a snapshot just before we carried out the manoeuvre; however much ETH or USDC you had in one of those three pools at block 13506003 is how much you’ll be able to claim back.

This applies regardless of whether you staked via the Covenants farm or if you provided liquidity directly in Uniswap.

You can now claim your ETH and USDC here:
https://os.ethos.eth.link

Additionally, we are helping compensate you for the gas fees you’ll have to pay to claim your tokens.

If you had $OS and ETH staked in the Covenants farm, you’ll receive a bonus 0.15 ETH when you claim.

Claim Your New $OS

As mentioned above, it wasn’t possible to simply patch the exploit. We had to deploy an entirely new iteration of the Items v2 protocol.

And because $OS is the first and only Item v2, we also had to deploy and mint an entirely new $OS.

The snapshot discussed above also recorded how much $OS each wallet held or had pooled with ETH or USDC (directly or through the Covenants farm). However much you do / did is how much of the new $OS you can now claim.

You can now claim your new $OS here:
https://os.ethos.eth.link

We will help compensate you for the gas fee by giving every wallet that held at least 20 $OS at the time of the snapshot a bonus 0.02 ETH.

A farm for the New $OS, which pick up precisely where the old one left off, is here:
https://covenants.eth.link/#/farm/dapp/0x1f40DA07D23FB4c71a4268cD05828436Bfb261B4

The Silver Lining

Every problem is an opportunity. In deploying a new Items protocol, we were able to not only fix the bug, but also push through a few upgrades.

One was for decimals management. This makes it much easier for platforms like OpenSea and Rarible to correctly display the decimals for Item supplies. Basically, decimals of the Main Interface are now identical to most ERC1155 tokens.

Another introduces granularity to how Collections can be governed by hosts. Whereas before you could only have one host to govern a Collection, you can now have one to govern its metadata; another to mint new Items; another to transfer Items; another to burn Items; and another to move Items to different Collections.

There’s more to it, but you’ll be able to read everything in the documentation — which, despite what has happened, we’ll still release on November 1st.

Concluding Remarks

A different protocol was hacked yesterday, by a black hat, resulting in the loss of over $100 million.

We hope that our community will recognize how well we’ve handled this crisis. Once everyone has claimed their tokens and whole again, things will effectively be as they were before. No one will have lost any OS, ETH or USDC.

Nevertheless, we do understand that this is frustrating — to say the least. It is for us too. All of us are excited and anxious for E-Day, and it’s shit to have to endure something like this when we’re so close. But — it’s a minor setback.

In fact, it isn’t really a setback at all; we continue apace on our road map, and E-Day is not delayed. 21/11/21 is just a few weeks away.

We’re almost there.