Post-Exploit Options and Opportunities

Linear Finance
Sep 22, 2023

Dear Linear Community,

As you all know, on 21st September 2023 Linear was subjected to an exploit attack on our protocol.

What happened?

During the recent listing of ℓAAVE, malicious code was entered into the contract that allowed the perpetrator to mint an infinite amount of ℓAAVE. The ℓAAVE was traded to ℓLUSD and then sold on PancakeSwap, sending the market value of ℓLUSD to zero. We know who is responsible and we are working with authorities to locate the individual. We are also working with exchanges to freeze assets associated with the exploit.

What is the impact?

The creation of unlimited ℓAAVE and the trading into ℓLUSD and other liquid assets has resulted in all of Linear’s liquid assets having zero value and the halting of all functions on our protocol. Liquidations are halted and users’ assets remain safe, but inaccessible at this time.

What are the next steps?

We would like to present to you 4 routes that we can take to restore access to your assets and recover the protocol. It’s important to understand that each of these possible routes has been investigated at pace, and at this stage we invite you to vote on further, deeper investigation prior to deployment of any one solution. In the event that the voted solution is deemed unachievable on further investigation, we will return with an explanation and present our options again. Considerable damage has been done to the protocol; regretfully, none of these solutions are quick or easy fixes.

1. Permanently disable all current liquid assets and release all staked $LINA back to the community. Liquid assets are a representation of a user’s collateralized LINA. To unstake your LINA assets you would be required to trade any liquids you have bought back into LUSD, then burn the LUSD to release your LINA. By releasing all of the community’s staked LINA we can effectively shortcut the process, rendering all current liquids useless. Users are reunited with assets quickly and the protocol can be rebuilt with new liquid asset contracts. Locked LINA will continue to unlock as per the schedule.

Upside: Effectively writes down debt for all users with a negative P-Ratio. Relatively quick to implement.

Downside: Requires a manual solution for users in profit, likely on a case-by-case basis.

Time Frame: Estimated 5–7 days

2. Full restoration making use of Upgradable Smart Contracts. We can reverse the drain of lUSD and all subsequent damage the hacker has caused by authorizing the DAO to adjust the smart contracts. This essentially means introducing new contract versions that keep all functionality the same but undo all damage that occurred since the hack. The damage is reversed by deploying these new versions of the contracts and having them contain the valid state prior to the hack; it would override any damage the hacker has done from beginning to end. Any non-upgradable contracts, like the liquid assets, will be redeployed and will also contain the state prior to the hack.

Upside: If the drain and subsequent damage are reversed, all lost funds will be recovered, and the original state will be reinstated. All users will be fully restored to the point the drain happened, having exactly the same balances.

Downside: Development Effort: Implementing this solution requires substantial work from our technical team, as well as analysts determining the state before the drain using advanced on-chain analysis tools. Potential Risks: While we aim for perfection, there’s always a risk when introducing changes to our system.

Timeframe: Estimated 3–5 weeks

3. Token Redeployment. Similar to the restoration via contract upgrade above, we would snapshot the pre-exploit state and generate all new liquid assets, including LUSD. We then create a claim portal accessible to holders of the previously held assets where they can swap from the compromised version to the new version.

Upside: Effectively restores the protocol and assets back to the state prior to the attack.

Downside: Development Effort: As per solution 2, implementing this solution requires substantial work from our technical team, as well as analysts determining the state before the drain using advanced on-chain analysis tools. Small amount of gas fees experienced during the swap.

Timeframe: Estimated 3–5 weeks

4. Initiating communication with the hacker behind the attack. We already know who the individual is and we are making attempts to reach out to them. With the assistance of the hacker it may be possible to restore the protocol to the previous state and maintain the current contracts. We would then negotiate with the hacker to reduce or remove the charges they currently face for the exploit.

Upside: Minimized disruption: swiftly restoring the protocol minimizes user inconvenience and losses.

Downside: No Guarantee of Success: Engaging with the hacker does not guarantee success. They may refuse cooperation or demand unreasonable terms, risking resource expenditure without achieving our goals. Legal and Ethical Concerns: Negotiating with a hacker raises legal and ethical questions. It could set a precedent for future attacks, posing potential risks to platform integrity.

Timeframe: To maintain a sense of urgency while allowing ample opportunity for engagement, we propose a strict time frame of one week for the hacker to come forward and engage in negotiations.

The above proposals have been posted to Snapshot. There is a 48-hour voting period.

https://snapshot.org/#/lineardao.eth/proposal/0x6c9b2dfcd6f8edf50f961744930968257bd90ed7f69d1f2919977a1998ceabfa

We would again like to stress how sorry we are for the distress this will have caused to our community and protocol users. Please be reassured that liquidations are on hold. Regardless of your currently displayed P-Ratio, you will not be liquidated. Furthermore, your LINA tokens are completely safe.

Kind regards,

Linear Team
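
Options 2 and 3 above both depend on determining the state before the drain and, for option 3, on a claim portal. The following example is added here and is not Linear's code: it replays a constructed Transfer log up to a hypothetical cutoff block to rebuild pre-exploit balances, then enforces one claim per holder as a claim portal would. The event tuples, holder names, block numbers and the `ClaimLedger` name are assumptions.

```python
from collections import defaultdict

ZERO = "0x0"  # stands in for the zero address that marks mint and burn events

# Constructed sample Transfer log: (block, from, to, amount). Not real chain data.
EVENTS = [
    (100, ZERO, "alice", 500),        # mint
    (105, ZERO, "bob", 300),          # mint
    (110, "alice", "bob", 200),       # ordinary transfer
    (120, "bob", ZERO, 100),          # burn
    (200, ZERO, "mallory", 10**12),   # constructed mint after the cutoff
    (201, "mallory", "alice", 999),   # post-cutoff transfer, must be ignored
]

def snapshot_balances(events, cutoff_block):
    """Replay transfers with block <= cutoff_block and return holder balances."""
    balances = defaultdict(int)
    # sorted() is stable, so events inside one block keep their log order.
    for block, src, dst, amount in sorted(events, key=lambda e: e[0]):
        if block > cutoff_block:
            break
        if src != ZERO:
            if balances[src] < amount:
                raise ValueError(f"log inconsistent at block {block}: {src} overdrawn")
            balances[src] -= amount
        if dst != ZERO:
            balances[dst] += amount
    return {holder: bal for holder, bal in balances.items() if bal > 0}

class ClaimLedger:
    """Tracks one-time claims of a redeployed token against a fixed snapshot."""
    def __init__(self, snapshot):
        self._snapshot = dict(snapshot)
        self._claimed = set()
        self.total_claimable = sum(self._snapshot.values())

    def claim(self, holder):
        # Reject repeat claims and addresses that held nothing at the cutoff.
        if holder in self._claimed:
            raise PermissionError(f"{holder} already claimed")
        amount = self._snapshot.get(holder, 0)
        if amount == 0:
            raise PermissionError(f"{holder} has no snapshot balance")
        self._claimed.add(holder)
        return amount
```

Checking `total_claimable` against mints minus burns up to the cutoff gives an independent consistency check on the reconstructed snapshot before any claims open.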

About Linear Finance

Linear Finance is a cross-chain compatible, decentralized delta-one asset protocol that allows users to get synthetic exposure to various assets, including cryptocurrency, commodities, and market indices. Users can utilize our cross-chain swap functionality to instantly swap assets across leading blockchain environments and DeFi protocols with unlimited liquidity and zero slippage.
