[ACTION REQUIRED] USDAPY and WBTCAPY Updates: Funds recovery instructions and next steps

Alejandro M.
Set Labs
May 2, 2023

NOTE: This post is a follow-up to this article, which addresses the exploit of the deprecated USDAPY and WBTCAPY Sets. For more information regarding the exploit, please refer to it.

Background Information

In response to last month’s security breach, where an exploiter compromised a Set-owned hot wallet and gained control of the ETH USD Yield Farm (USDAPY) and ETH WBTC Yield Farm (WBTCAPY) Sets, we have developed a comprehensive recovery plan to assist legitimate holders in redeeming any remaining funds from these Sets.

This blog post outlines the steps necessary to facilitate the recovery process while ensuring the attacker can no longer claim rewards or exploit the Sets further.

Funds Rescue Overview

The rescue solution involves the deployment of a Recovery Contract that existing holders can transfer their Sets to, as well as a new SetTokenCreator that only re-enables Sets to support the withdrawal of funds.

After the Sets are transferred to the Recovery Contract, Set Labs will use the new SetTokenCreator to atomically re-enable Sets, redeem them, and finally disable them again. Once this is done, users will be able to claim their share of the recovered collateral from the Recovery Contract.

The rescue process entails several steps:

1. Users deposit their Sets into the Recovery Contract by performing the Pre-Rescue Steps [Deadline: May 31st, 2023]

2. Set Labs will call the smart contract function to enable withdrawals [June 1st, 2023]

3. Set Labs will inform users that withdrawals are enabled through its social media channels [June 2nd, 2023]

4. Users will be able to perform the Post-Rescue Steps and recover funds [June 2nd, 2023 onwards]

We want to stress that after June 1st, 2023, the Set Labs Multisig will lose its owner rights over Set Protocol V2 (as outlined in this post), rendering it incapable of executing Step 2 (enabling withdrawals) after that date.

Therefore, it is crucial that users adhere to the May 31st, 2023 deadline to perform Step 1 (Pre-Rescue), as that will be the only window of opportunity to deposit their Sets into the Recovery Contract. If these actions are not performed by this date, users will NOT be able to recover their funds after withdrawals are enabled.

For Step 4 (Post-Rescue), there is no deadline and users will be able to withdraw their funds at any time as long as they executed Step 1 (Pre-Rescue) before the deadline.

ETH USD Yield Farm Set (USDAPY) Recovery Instructions

Pre-Rescue

1. To recover your ETH USD Yield Farm Sets, start by following this link to the Set’s Etherscan page. This should lead you to the “Read Contract” section that looks like this:

2. Next, get the amount of Sets your account owns by calling “balanceOf” and passing in your address:

3. Copy the resulting value (you will want to save this value somewhere since it will be used multiple times!) and navigate to the “Write Contract” section:

4. Connect your wallet by clicking on the “Connect to Web3” button at the top of the section. Follow the prompts to connect your wallet

5. Go to the approve function and input 0x240c9Eb94fda59BD0F7B0C6fe22cf1a22EE12A94 in the “spender” field, and the amount you copied in the previous step into the “amount” field

6. Submit the transaction

7. Once the transaction has been mined, navigate to the APYRescue “Write Contract” page found here

8. Make sure your wallet is still connected. If not, reconnect it the same way you did in Step 4.

9. Now navigate to the “deposit” function and again input the amount from Step 3 into the “amount” field

10. Submit the transaction

This will transfer your ETH USD Yield Farm Sets into the Recovery Contract, where they will stay until redemption is initiated. You can check that everything was executed correctly by calling the “shares” function on the Recovery Contract (in the “Read Contract” section) and passing in your address. The result should match the value copied in Step 3.

Post-Rescue

1. Return to the “Write Contract” page of the Recovery Contract here

2. Connect your wallet like you did previously

3. Call “withdrawRecoveredFunds”. There are no inputs to this function!

4. Once the transaction has been mined you should see an increase in your WBTC and WETH balances!

ETH BTC Yield Farm (WBTCAPY) Set Rescue Instructions

Pre-Rescue

1. To recover your ETH BTC Yield Farm Sets, start by following this link to the Set’s Etherscan page. This should lead you to the “Read Contract” section that looks like this:

2. Next, get the amount of Sets your account owns by calling “balanceOf” and passing in your address:

3. Copy the resulting value (you will want to save this value somewhere since it will be used multiple times!) and navigate to the “Write Contract” section:

4. Connect your wallet by clicking on the “Connect to Web3” button at the top of the section. Follow the prompts to connect your wallet.

5. Go to the approve function and input 0x28fC309101eE182eD9fdCE1Bb03b6a4525924728 in the “spender” field, and the amount you copied in the previous step into the “amount” field

6. Submit the transaction

7. Once the transaction has been mined, navigate to the APYRescue “Write Contract” page found here

8. Make sure your wallet is still connected. If not, reconnect it the same way you did in Step 4.

9. Now navigate to the “deposit” function and again input the amount from Step 3 into the “amount” field

10. Submit the transaction

This will transfer your ETH BTC Yield Farm Sets into the Recovery Contract, where they will stay until redemption is initiated. You can check that everything was executed correctly by calling the “shares” function on the Recovery Contract (in the “Read Contract” section) and passing in your address. The result should match the value copied in Step 3.
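As an added example (not part of the original post and not Set Labs code), the check below decodes the raw data a wallet shows for the “approve” transaction in Step 5 of either Pre-Rescue section and compares it with the spender address from this post and the “balanceOf” value from Step 3. It assumes the standard ERC-20 encoding of approve(address,uint256); the function names and the sample balance are constructed for illustration.

```javascript
// Added example (not Set Labs code). Assumes standard ERC-20 ABI encoding.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Recovery Contract ("spender") addresses exactly as given in Step 5 of each section.
const RECOVERY_SPENDERS = {
  USDAPY: "0x240c9Eb94fda59BD0F7B0C6fe22cf1a22EE12A94",
  WBTCAPY: "0x28fC309101eE182eD9fdCE1Bb03b6a4525924728",
};

// Split raw calldata into spender and amount; throw on anything malformed.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) {
    throw new Error("not a well-formed approve(address,uint256) call");
  }
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) {
    throw new Error("selector is not approve(address,uint256)");
  }
  const addrWord = hex.slice(8, 72);
  if (!addrWord.startsWith("0".repeat(24))) throw new Error("address word has non-zero padding");
  return { spender: "0x" + addrWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Return a list of problems; an empty list means the call matches the instructions.
function checkApprove(setName, calldata, balance) {
  const expected = RECOVERY_SPENDERS[setName];
  if (!expected) return ["unknown Set: " + setName];
  let call;
  try { call = decodeApprove(calldata); } catch (e) { return [e.message]; }
  const problems = [];
  if (call.spender !== expected.toLowerCase()) {
    problems.push("spender is not the Recovery Contract: " + call.spender);
  }
  if (call.amount === MAX_UINT256) problems.push("unlimited allowance requested");
  else if (call.amount !== balance) problems.push("amount differs from balanceOf result");
  return problems;
}

// Build calldata for constructed test inputs (same encoding a wallet would produce).
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR +
    spender.toLowerCase().replace(/^0x/, "").padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

const sampleBalance = 1500000000000000000n; // constructed balanceOf value
console.log(checkApprove("USDAPY", encodeApprove(RECOVERY_SPENDERS.USDAPY, sampleBalance), sampleBalance));
```

An empty result means the transaction grants exactly the copied balance to the Recovery Contract named in this post; anything else is a reason to stop before submitting.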

Post-Rescue

1. Return to the “Write Contract” page of the Recovery Contract here

2. Connect your wallet like you did previously

3. Call “withdrawRecoveredFunds”. There are no inputs to this function!

4. Once the transaction has been mined you should see an increase in your WBTC balance!

Additional Support

As we work diligently to resolve this issue and support our users in redeeming their funds, we encourage you to reach out to our dedicated channels for assistance and updates throughout the process. Our team is committed to providing the necessary guidance and support to ensure a smooth recovery experience for all affected users. Please don’t hesitate to contact us with any questions or concerns you may have.

FAQ

Have you been able to recover any of the lost funds from the exploit?

No. We continue to work diligently and with third parties to recover these funds, but we have not been able to contact the exploiter to negotiate a return.

We’d like to remind the attacker that we are offering the following conditions if funds are returned:

  • A 20% bounty over the totality of stolen funds
  • The assurance that Set will not pursue any legal action if at least 80% of the funds are returned

Again, we urge the attacker to get in touch with us through any of the channels below to coordinate the return of the funds and avoid further escalation of this issue with law enforcement.

Resources:
