💥 Case study: Hackless MEV-powered solution migrates funds from a smart contract under attack
It’s huge! Hackless has got its first revenue-generating client. This is another proof that what we’re developing is essential for the entire DeFi world.
Recently, the VAIOT project was subject to a brutal hacker attack. Our team consulted VAIOT and shared our recent developments in the direction of Miner Extractable Value (MEV) solutions to help save a part of the project’s funds. Learn more in our post.
VAIOT combines Artificial Intelligence and blockchain technology to develop a business-oriented Intelligent Virtual Assistants portfolio. These assistants are serving both consumers and businesses as a new digital channel for selling and delivering products and services, as well as carrying out transactions. The project has its native token — VAI token — which fuels the platform and incentivises users to utilise its solutions. By staking $VAI, users earn rewards.
On 31st January 2022, the VAIOT team discovered the malicious use of their operational wallets. The attackers managed to gain full ownership over some services, which resulted in the ability to steal and sell or permanently block:
- VAI token rewards pool for pre-staking services.
- VAI token deposits for pre-staking.
- VAI/ETH and VAI/BNB liquidity staking pools with VAI rewards and token holders’ LP tokens.
The attacker managed to steal and block the project’s assets (all subject to reimbursement by the project):
- Pre-staking rewards pool (both rewards to be distributed and future rewards pool) — 3,1M VAI tokens stolen.
- Pre-staking deposits — 8,9M VAI tokens blocked permanently.
- ETH (both company-owned and token holder-owned liquidity) — 88.98 ETH stolen or blocked.
- VAI (both company-owned and token holder owned liquidity in BSC and ETH pols) — 1,9M VAI stolen or blocked.
- BNB (both company-owned and token holder-owned liquidity) — 163.61 BNB stolen or blocked.
- VAI LP staking rewards (distributed and future rewards pool) — 564K VAI stolen or blocked.
Hackless MEV-powered solution for client’s private and safe asset migration
The Hackless team became a part of our client’s crew, working hard on rescuing those assets that the hacker blocked. We contributed by offering our expertise on safely migrating assets from the contract owned and watched by the attacker. We investigated the situation and assumed that the hacker was waiting for even more liquidity before they withdrew assets. When we understood their strategy, we developed our own one with an MEV-powered solution in the center of it.
The team decided to dump the pool to zero so that the bad actor was left out with tokens of no value. It goes without saying that further re-deployment of $VAI was planned for all token holders. Additionally, as a part of the strategy, we also signed a bundle of six transactions in advance to withdraw assets from different sources. This was made via the Conductor private mining provider to avoid frontrunning by the hacker. We chose these very steps because we were sure that the hacker kept a close eye on mempools and could see the huge amount of assets being withdrawn for the dump so they could uncover our countermeasures and do frontrunning.
Together with the VAIOT team and their trusted security advisors, we designed an effective security strategy and safely migrated a part of the funds blocked by the hacker without them detecting our countermeasures.
On our side, we helped the client with our expertise and also partially by using our Conductor developments delivering private mining services.
Lesson learned, conclusions made
The VAIOT team provided a detailed overview of the hack on their Medium page so that you can dive deeper. We admire our client’s approach — they stayed collaborative open to their holders and the entire DeFi world that can learn from their experience and take preventative measures for the sake of their own projects.
Our client’s team is now recovering from the hack, already implementing their new security strategy to strengthen the platform and prevent any possible attacks from occurring in the future. This experience made the VAIOT project stronger.
We too at Hackless, gained more experience and another proof that what we’re developing is essential for the entire DeFi world. With the first revenue-generating customer in our client base, we keep on working even harder — stay tuned for updates!