Addressing the Dolomite “Breach”
As many are aware in the community, our bonding curve did not go as planned. Many supporters have been asking PlutusDeFi to comment on the bonding curve experience and several of it’s issues with the launch.
We initially wanted to carry out the bonding curve due to the nature of it’s distribution, as staying in line with the philosophy and ethos in DeFi. It was our intention to have the bonding curve fairly distributed across our community. A fair chance for all to access and participate is what we envisaged. It acted as a bridge between the value the project had created from a year ago, to present day.
What actually occurred, was very far from this. We are disappointed and deflated at the past weeks of effort to execute this perfectly from our Team.
We failed in this phase and we apologise. We have learned that in the future there can never be too much concern, oversight and constant rechecking of the processes and DevOps of ourselves, service providers and partners. Reassurances should always be backed up by documentation and executions should be meticulously followed. These are the lessons we have learned.
It was in our best interest to allow time for a post-listing analysis on why problems occurred which raised complaints from our community. And to also speak with the Dolomite team to make our own assessment before we report back to the community.
Firstly, we would like to explain why we did not comment immediately. It was not clear what had just taken place at the bonding curve, with transactions to the sale executing before the agreed start time. At 1 minute 30 seconds before the official start time, the sale started prematurely. This was against the teams instructions. A script started purchasing PLT tokens in large blocks.
The bonding curve platform is solely owned and operated by Dolomite.io. We have no input or ability to control the platform, apart from pointing a subdomain to their servers.
We gave clear instructions to the Dolomite team, and they had acknowledged the pricing and tranche sizes, which was officially signed and attached to the contracts signed. The sale was set to take place at the announced time of 8AM ET/ 12PM GMT / 8PM CST. As claimed by the Dolomite team, due to sustained traffic to the sale website and DDoS attacks, they had the rebuild the infrastructure to support and the urge. PlutusDeFi also routinely checked, just 5 minutes before the start of the sale, and the Dolomite team confirmed in writing, that running bots such as Hummingbot.io and that scripts would not be possible as the API was out of date / disabled.
Now to the sale.. Transaction Analysis
A total of 1,006,563.60 was purchased by 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe from 11:58am GMT to 11:59 GMT.
0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 152,430.80 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 152,430.80 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 152,430.80 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 152,430.80 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 102,649.20 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 102,649.20 0x8fb0bd26b6d78e4642b238d94fa9a157f5524fbe 190,077.90
One on particular address which approximately 250,000 PLT was sent, it looks like individuals were gathering WETH 24 hours before the start of the sale. The PLT was also spread out to multiple addresses, with some still holding PLT and some liquidating.
A similar purchase pattern was also seen on DEC, at the beginning of their sale.
We have also analysed the same address that PLT tokens were sent to for the sale, which seems to be a manual ERC-20 address, not a smart contract, and also saw prior evidence of scripts being used during DEC’s bonding curve also on Dolomite. Unlike DMG and DEC, our allocation for the sale was always going to sell out quickly, essentially removing the competitive edge for any scripts or bots. Thus, the manipulators would need to have created an advantage by accessing the timings of the sale before anyone else in order to purchase. This can only be done within Dolomite’s platform.
At this point, we have more open questions than answers, Dolomite had explained to us their measures to keep the sale secure and orderly based on the following:
- The sale time will be hard-coded, which will ensure there is no way for any automated bots or individuals to game the start time.
- The buy demand will be in a central database before it being put on the curve on the blockchain to ensure it is orderly
- The curve being secured by API keys
With the above assurances and their experience of doing the DMG and the DEC sale on the bonded curve, we did not anticipate any of the above mentioned security will be by-passed and are now having to spend significant time doing our own analysis on the pattern of how this breach was orchestrated instead of focusing on developing the project.
Hard Coding the Start Time into the Smart Contracts
Within 10 minutes of the sale beginning, Dolomite’s team also confirmed that the time was “hard coded” into the smart contracts to start at the exact time, and that the start time could not be changed.
We later verified that the tokens were sent to an address which was not a smart contract, or from what we can derive, an address with no contract data. Due to the limited knowledge about the bonding curve software used, we were unable to foresee the internal mechanics in Dolomite.
We were operating with the understanding that the tokens would be deposited to a smart contract with a ‘hard coded’ start time, instead, it seems that the sale was triggered manually.
Below is an excerpt of the team group conversation querying Dolomite about community concerns about a bot and it’s connections to Dolomite.io, 40 minutes before the start of the sale. The Dolomite team confirmed that to their knowledge; no one has built a bot to use Dolomite and that they would need an API key to get into the sale. Furthermore the hummingbot connector had not been updated.
Putting the Buy orders on the Curve
We do not fully understand how and why the Dolomite team did not pause the sale, given there was unintended actions taking place, and being cognizant of the tokens being sold and the allocation reducing, that they did not pause the sale. It was explained to PlutusDeFi that the token allocation was kept centrally and then posted to the bonding curve manually, by the dolomite team. In the event of a breach, dolomite should have been able to realise that the sale was triggered early and stop sending token tranches to the bonding curve to purchase. This did not happen.
On July 22nd, Our team relayed an open API key found by a community member, as well as various bugs, back to the Dolomite Team. This was assumed resolved. We are still not sure if it was the same API key used to interact with Dolomite’s admin panel which was exposed on the front end. The Dolomite team were reminded multiple times regarding this vulnerability.
Until Dolomite clarify on which API key was hacked, and why they did not resolve this issue reported to them several times, we can only assume that it was this vulnerability that had been reported several times which was ignored by Dolomite.
Dolomite’s initial response
Conclusions
Dolomite’s platform is a black box, PlutusDeFi has no control other than a subdomain pointing and sending of the bonding curve tokens.
After having discussed the issues with Dolomite, we conclude that there have been serious lapses within their DevOps procedures and we strongly recommend that they get a comprehensive audit carried out by independent third parties. Furthermore, if a breach did take place, we encourage Dolomite to provide as much proof as possible to the community directly that irrefutably proves:
- The API “crack” on the front-end and DDOS attack.
- The failure of the “hard-coded” times within the “smart contract”,
- the centralised custody of PLT in Dolomite’s control and lack of documentation around the breach
All points toward serious failures by Dolomite.
We expect that these multiple lapses be addressed by the Dolomite team to the community beyond reasonable doubt regarding what happened. So far Dolomite has only acknowledged the technical lapses to us; but it needs to be a more public discussion directly coming from the team to our community addressing the loss of opportunity cost and the damage to our reputation with allegations of defrauding the bonding curve, or the fees involved in unlocking WETH and USDC on their platform.
We hope that Dolomite will do their best to recover any lost trust with our project.
Our experiences has led us to the conclusions that we strongly advise projects to very cautiously use any third party bonding curve platforms and that should be done with independent audit, as this could leave projects open to arbitrage attacks or worse, fraud; given that the pricing and structuring is private information and external parties stand to make significant financial gains by having the structure of the bonding curve.
We would like to apologise to our entire community. There was a vast amount of effort and resources to model the curve, to communicate and to effectively execute on the bonding curve sale, while also timing Uniswap and with our exchange partners. It seems like a wasted effort given that our community did not benefit from our full intentions of the bonding curve and we were not happy with the bonding curve, despite the sale selling out. It could have easily taken place on IDEX or a similar platform without the same efforts and resources being deployed by the team and the huge upset caused to our community.
We are considering taking further action, and have reached out to security organisations in the blockchain space as well as our exchange partners to track the liquidations
We hope to move on from this incident, and have decided to share our experience with other projects so that they can be aware of the potential vulnerabilities highlighted within our statement.
We wish to move forward positively with further positive announcements in the future.
