This post discloses the results of our recent security audits, vulnerabilities found, and actions taken to avoid the potential consequences of described security matters.
What happened?
At the end of July 2021, we’ve been going through a regular security audit. We perform security audits regularly for both our platforms, hiring different independent security companies. Recently we have also employed an internal security auditor. In July, we started collaborating with a new security company. As a result of this audit, we have found two vulnerabilities that could be exploited to gain access to users’ payment passwords.
One of them allowed to easily brute force weak passwords. Another one was found in the front end of our lending platform. This vulnerability could lead users to input their payment passwords into a fake form (produced and generated by the attacker), allowing them to access the user’s private key. Although both vulnerabilities were non-trivial and required substantial time, knowledge, and resources to exploit, the problem was that we had no guarantee that these vulnerabilities weren’t exploited already, and some user payment passwords weren’t obtained by bad actors. So we have decided to act proactively and ensure that all user funds are secured.
What did we do?
- First of all, we have eliminated all reported vulnerabilities.
- Then we have introduced stricter terms for user payment passwords, which means that the current password requirements are much tighter and would not allow users to use weak payment passwords from now on.
- The next move was to migrate ALL active contracts to the new escrow addresses. Those contracts identified by the security team as high risk have been a priority and, in most cases, have been migrated manually with coordination from our support team. Later on, in a brief period of time, we have developed a new migration solution. This feature allowed users to change their previous passwords to new ones and, thus, generate new escrow addresses for their existing contracts.
- Some high-risk contracts were liquidated. In total, less than 1% of all our contracts. And the majority of them were recreated later with the same conditions.
- We have switched off new contracts creation on our lending platform until we develop new extra security features, which will be a part of a more significant update called Lend 2.0.
What’s next?
We have received many requests and questions from our existing and new users when the lending platform will be relaunched.
The lending platform — lend.hodlhodl.com — will be relaunched this month, September 2021. Furthermore, we will introduce a new platform upgrade, Lend 2.0, which will contain major security and UI/UX improvements and use a different security and usability approach than the previous version.
A road map with the currently developed features and the timeline will be presented in the upcoming days, and we will appreciate the feedback from our community.
We are also determined to redesign and significantly improve our trading platform — hodlhodl.com — as many of the new features will be cross-platform (meaning that both marketplaces will work around them). However, the most important things will remain the same: Hodl Hodl will stay non-custodial, anonymous, P2P, and Bitcoin-focused.
Finally, we would like to thank our users and community members for being proactive, supportive and helping us go through these turbulent times. We are sorry for the unclear deadlines and missed timeframes. We wanted to make sure that all vulnerabilities are eliminated in the first place. We also want to apologize for all the inconveniences caused by our upgrades and lack of communication. We promise that we will improve not only technical tools but also communication skills.
Thank you!
Reach us
- Hodl Hodl trading platform: hodlhodl.com
- Lend at Hodl Hodl: lend.hodlhodl.com
- Predictions by Hodl Hodl: predictions.hodlhodl.com
- E-mail: support@hodlhodl.com
- Blog: hodlhodl.medium.com
- Twitter: twitter.com/hodlhodl
- Telegram: t.me/HodlHodl
- Reddit: hodlhodl.reddit.com
- Facebook: facebook.com/HHodl
- Youtube: youtube.com/c/HodlHodl
Hodl!
