Update On Polar Stream Exploit
Dear Umbrella Community:
This is a follow-up to the Polar Stream smart contract exploit that happened yesterday, Sunday, March 20th, 2022. The team has had some time to do a deeper dive into the situation, and we have outlined below the actions we have already taken in response to the exploit, and lay out the additional next steps we are proposing to take moving forward.
Below, we will: (1) discuss the background of what happened, (2) look at the different situations that have transpired since, and (3) lay out the specific action items to address each issue.
Background & Findings
On Sunday, March 20th, 2022, bad actors exploited issues in the smart contract code of our Polar Stream 2.0 staking contract on both ETH and BSC. As a result, they drained both pools of all of the LP tokens that were staked in those vaults. A total of 9,011 LP tokens were taken from Polar ETH 2.0 and another 8,727 LP tokens were taken from Polar BSC 2.0. The hackers subsequently removed all the liquidity associated with those LP tokens from both the Uniswap UMB-ETH pool and the Pancakeswap UMB-BNB pool. They then sold around 2.2 million UMB tokens on the open market.
The draining of both Polar Stream staking pools has also led to another issue: the over-emission of rUMB2 as rewards to all stakers in the Polar Stream, particularly those on BSC. Overall, a total of 493,885 rUMB2 on ETH and 12,281,892 rUMB2 on BSC have been distributed since the rewards program started just a few days ago. As a result, especially on BSC, an excess of rUMB2 has been emitted and now sits in users’ wallets.
As a general rule, all of our smart contracts and code are audited. However, the Polar Stream staking contract, the one that was exploited, was missed and not re-audited. All of the 1.0 staking contracts were audited by SlowMist, including Polar 1.0. All of the 2.0 staking contracts including Hadley-Astro were audited by Certik. Unfortunately, the Polar 2.0 staking contract was not. At the onset, there was no plan to change the Polar Stream smart contract for the 2.0 release; however, a decision was made to optimize it for gas fees for 2.0. A very minor code change was implemented, and that change opened the door for the exploit.
We will discuss in the next section the steps we will be taking to both address all of these issues as well as methods to prevent this from happening in the future.
Umbrella Team Response
We will discuss the response in several sections:
1) Response and proposed next steps to the initial Polar Staking exploit
2) Response and proposed next steps to the over-emission of rUMB2
3) Plans on how to improve current processes to minimize and prevent this from happening again.
Response and Proposed Next Steps — Polar Staking Exploit
The objective is to make our contributors whole as if the exploit did not happen. To do so, Umbrella Network will buy back 2.2 million UMB tokens from the open market to counteract the excess amount of tokens dumped by the hackers. We have already started the buyback earlier today, and will look to complete the full buyback within the next 24 hours. These 2.2 million tokens we buy back, along with equivalent ETH and BNB, will be used to return liquidity back into the Uniswap UMB-ETH and Pancakeswap UMB-BNB pools. The resulting LP tokens received will be subsequently returned / distributed back to all of the original stakers on both Polar Streams. Some additional ETH or BNB will be sent to each wallet to help cover gas fees to re-stake back into Polar once we re-release the staking stream. This way, it is our hope that everyone will be made whole on their LP token holdings. Distribution of the LP tokens will start in the 1 to 2 days following the completion of the buyback and once liquidity is added back to the pools.
The fix to Polar 2.0 will be done immediately. Subsequently, all 2.0 staking contracts will now be audited by a second auditor, SlowMist, to ensure that there are no issues. Since the Hadley-Astro 2.0 staking vaults have been audited by Certik already with no major issues, those staking streams will remain online and available for staking and rewards distribution. We will be releasing a summary of the Certik audit report to the community in the coming days for full transparency. Polar 2.0 will remain offline until the audit by SlowMist is completed.
Response and Proposed Next Steps — Over-Emission of rUMB2
We have built functionality into the rUMB2 token that allows us to freeze the token within a wallet. As a result, we have frozen all rUMB2 tokens in the wallets of users who earned rUMB2 from Polar 2.0. There are fewer than 50 wallets on ETH and 50 on BSC that have claimed rUMB2. All of that rUMB2 is currently frozen, so holders are unable to transfer or swap those tokens, effectively rendering them useless. All of these rUMB2 holders must contact Umbrella Network via email at firstname.lastname@example.org with their wallet address and a message stating that they are holding claimed rUMB2. As there are fewer than 100 wallets, we will be able to work with each and every one of you. You will need to send back all of your rUMB2 tokens, per our instructions, and we will have a non-rUMB2 based incentive in place in return for your troubles. This will allow us to remove all excess rUMB2 tokens from circulation without having to re-issue a new rewards token contract. The excess rUMB2 returned can all be burned or, based on community feedback / vote, dealt with as the community sees fit.
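As an added illustration, not Umbrella's rUMB2 code (the post does not show that implementation), here is one way a reward token can implement the per-wallet freeze described above, blocking transfers and DEX swaps from frozen wallets while still letting them return tokens to the owner. It assumes OpenZeppelin Contracts 4.x and uses hypothetical contract and function names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (the _beforeTokenTransfer hook).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical reward token with an owner-controlled per-wallet freeze.
contract FreezableRewardToken is ERC20, Ownable {
    mapping(address => bool) public frozen;

    event Frozen(address indexed account);
    event Unfrozen(address indexed account);

    constructor() ERC20("Example Reward Token", "xRWD") {}

    // Emergency control: a frozen wallet can neither send nor receive.
    function freeze(address account) external onlyOwner {
        frozen[account] = true;
        emit Frozen(account);
    }

    function unfreeze(address account) external onlyOwner {
        frozen[account] = false;
        emit Unfrozen(account);
    }

    // Batch helper so a few dozen wallets can be frozen in one transaction.
    function freezeMany(address[] calldata accounts) external onlyOwner {
        for (uint256 i = 0; i < accounts.length; i++) {
            frozen[accounts[i]] = true;
            emit Frozen(accounts[i]);
        }
    }

    // Every transfer, mint and burn passes through this hook, so a DEX swap
    // (which is just a transfer into the pool) is blocked as well.
    function _beforeTokenTransfer(address from, address to, uint256 amount)
        internal override
    {
        super._beforeTokenTransfer(from, to, amount);
        // Exemptions: returning tokens to the owner (so excess rewards can be
        // collected and burned) and burns (to == address(0)) stay allowed.
        if (to != owner() && to != address(0)) {
            require(!frozen[from] && !frozen[to], "wallet frozen");
        }
    }
}
```

Freezing is reversible via `unfreeze`, so a wallet that returns its tokens can be restored once the excess has been reconciled.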
Improving the Process
Upon review of what happened, we realize that there needs to be immediate, effective change to our policies and processes. Even though we have a policy in place for peer review and auditing of any and all smart contract updates and changes, no matter how minor, this specific code change and its error slipped through the cracks and bypassed both peer review and the audit process. And while a multitude of factors aligned to let this situation come to pass, the bottom line is that it still happened. The most important thing we will be doing is changing our policies so that, moving forward, this never happens again. We will also be implementing a bug bounty program in the coming days to give the community a chance to help us with code review.
While this situation is not optimal, we will use it as a learning opportunity to improve. At the end of the day, this is a containable situation: the exploit is fixable and localized to the Polar staking contract. All other contracts (we have now triple-checked) are audited. No other staking contract is impacted, and certainly none of our core product code is affected.
Finally, we want to thank our community for your patience and support in this, as well as all of the partners, early supporters and other friends of the project that messaged us and came through with various levels of help for the team and community. Also a special thanks to Peckshield for noticing and highlighting the issue initially, as well as our auditors Certik and SlowMist, who rushed to our assistance to help analyze the situation. And a final thanks to our insurance partner and friends at UnoRe, who reached out to us before we even had a chance to notify them, and worked to immediately help us assess our staking coverage policy, which will help to partially offset some of our costs in reimbursing the community.
Please stay tuned for more updates as we work through everything and continue to improve. We take all challenges as learning opportunities to better ourselves, and this is no different. Thanks for everyone’s support, and we will continue to deliver on our commitments to our community.