Addressing the USDAPY and WBTCAPY Sets Exploit

Alejandro M.
Set Labs
Mar 31, 2023

We would like to address the recent incident that has affected two Sets that were built on Set Protocol and deprecated in 2020, and provide you with the necessary information and reassurances. We understand that this may be a concerning situation, and we are committed to maintaining transparency as we work towards recovering stolen user funds.

Incident Summary

An internal Set hot wallet, which managed the deprecated ETH USD Yield Farm (USDAPY) and ETH WBTC Yield Farm (WBTCAPY) Sets, was compromised by an exploiter, resulting in a direct combined loss of approximately $49,000.

Through our investigation, we uncovered that the attacker had been slowly siphoning funds from the Sets by transferring ownership of the Sets, setting the maximum streaming fee, and periodically actualizing the fees.
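The sequence described above (ownership transfer, fee raised to the maximum, repeated fee actualization) can be watched for in a stream of on-chain events. The following is an added example, not Set Labs' code; the event kinds, addresses, block numbers and fee cap are constructed placeholders rather than Set Protocol's actual event names or values.

```python
from dataclasses import dataclass

# Hypothetical event labels for this example, not real contract event names.
MANAGER_CHANGED = "manager_changed"   # actor = new manager
FEE_UPDATED = "fee_updated"           # value = new streaming fee
FEE_ACTUALIZED = "fee_actualized"     # actor = caller collecting accrued fees

@dataclass
class Event:
    block: int
    set_symbol: str
    kind: str
    actor: str
    value: float = 0.0

def detect_fee_drain(events, known_managers, max_fee, min_accruals=2):
    """Flag Sets where an unrecognised manager took over, raised the streaming
    fee to the cap, and then actualized fees at least min_accruals times."""
    state, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e.block):
        s = state.setdefault(ev.set_symbol,
                             {"manager": None, "maxed": False, "accruals": 0})
        if ev.kind == MANAGER_CHANGED:
            # Any manager change restarts the sequence; only unknown ones are tracked.
            suspect = ev.actor if ev.actor not in known_managers else None
            s.update(manager=suspect, maxed=False, accruals=0)
        elif s["manager"] is None:
            continue  # no suspicious takeover seen for this Set
        elif ev.kind == FEE_UPDATED:
            s["maxed"] = ev.value >= max_fee
        elif ev.kind == FEE_ACTUALIZED and s["maxed"]:
            s["accruals"] += 1
            if s["accruals"] >= min_accruals:
                alert = alerts.setdefault(ev.set_symbol, {
                    "manager": s["manager"], "first_alert_block": ev.block})
                alert["accruals"] = s["accruals"]
    return alerts

# Constructed sample data (placeholders, not values from the incident).
KNOWN = {"0xTEAM"}
MAX_FEE = 0.05
SAMPLE = [
    Event(100, "USDAPY", MANAGER_CHANGED, "0xUNKNOWN"),
    Event(101, "USDAPY", FEE_UPDATED, "0xUNKNOWN", MAX_FEE),
    Event(150, "USDAPY", FEE_ACTUALIZED, "0xUNKNOWN"),
    Event(200, "USDAPY", FEE_ACTUALIZED, "0xUNKNOWN"),
    Event(250, "USDAPY", FEE_ACTUALIZED, "0xUNKNOWN"),
    Event(120, "OTHER", FEE_UPDATED, "0xTEAM", 0.01),
    Event(180, "OTHER", FEE_ACTUALIZED, "0xTEAM"),
    Event(240, "OTHER", FEE_ACTUALIZED, "0xTEAM"),
]
```

Routine fee collection by a recognised manager (the `OTHER` Set in the sample) produces no alert; only the full takeover sequence does.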

As of writing, these Sets have:

  • USDAPY: Total Value Locked of approximately $78,000, belonging to 153 holders
  • WBTCAPY: Total Value Locked of approximately $28,000, belonging to 74 holders

Actions To Date

Upon discovering the incident, we took immediate action to contain the situation and minimize the damage:

  1. We froze operations of the affected Sets from Set Protocol V2, effectively preventing the hacker from extracting more value. However, this also means that users are currently unable to redeem funds contained in the Set. Please rest assured that the existing funds are safe.
  2. We have confirmed that no other Sets have been, nor will be, compromised.
  3. We have contacted law enforcement and are working closely with officials and centralized exchanges to ensure all funds are returned.

Hack Bounty

In an effort to resolve the situation and encourage the return of the stolen funds, we are offering the following conditions to the attacker:

  • A 20% ($10K) bounty over the totality of stolen funds
  • The assurance that Set will not pursue any legal action if at least 80% of the funds are returned

We urge the attacker to get in touch with us through any of the channels below to coordinate the return of the funds and avoid further escalation of this issue with law enforcement.

Community Q&A

  • I’m a holder of one of the above Sets; when will I be able to redeem remaining funds?

We are currently defining the best way to allow existing holders to withdraw any remaining funds without compromising their security. As part of our ongoing communication efforts, we will provide updates of any advances in this regard.

  • I’m an investor in other Sets; can any of my funds be compromised?

No. As mentioned, only the above two Sets were compromised due to the Set wallet exploit. Holders of other Sets can rest assured that their funds are safe.

Next Steps

Going forward, we will continue to keep our community informed of new developments in a transparent and timely manner as we work towards recovering the stolen funds. We will continue to use our main channels (Medium, Discord and Twitter) for this.

We understand that this incident may have raised concerns and questions. As always, we’re here to help and provide any necessary support. If you have any queries or need assistance, please don’t hesitate to contact us through the above channels.

We appreciate your understanding and support as we work diligently to address this issue and ensure the ongoing security of our platform.
