Update on Umbrella Oracle Exploit
Dear Umbrella Community:
This is a follow-up to the Umbrella Oracle exploit that happened earlier this week on Sunday, May 8th, 2022. We have had some time to do a deeper dive into the situation, working with our internal teams and external partners, and are outlining below some of the details and subsequent plan of action.
Background & Findings
On Sunday, May 8th, hackers managed to exploit a bug in Umbrella’s Chain oracle smart contract, manipulating the price feed data of two of our First Class Data pairs, MAHA-USD and FTS-USD.
No Layer 2 Data was manipulated.
The subsequent manipulated prices were used to further exploit both MahaDAO and Fortress, respectively. Attackers made off with $2.2MM USD worth of funds from Fortress, and approximately $700K USD worth of funds from MahaDAO.
Additional details around the oracle manipulation and subsequent exploits are detailed here in our technical post mortem: here, as well as regarding the Fortress attack: here.
Upon further investigation, we identified the bug that same day and applied and deployed a hotfix to address the vulnerability.
That specific smart contract has now been fixed and will undergo a further audit in the coming days. When our Polar 2.0 contract was attacked back in March 2022, it highlighted several process flaws including smart contracts that were not audited that should have been, including the Polar 2.0 contract.
The chain contract that included the bug that was exploited by attackers to manipulate our FCD oracle data, was introduced back in August of 2021. While we were going through the process to audit all of our smart contracts and review the code, the exploit on our chain oracle contract occurred. We are currently overhauling our code review process and will lay out our plan of action in the following section.
Plan of Action & Next Steps
Compensation & Partner Support
Umbrella Network is providing compensation to Fortress of $500K in USDC and 10MM in UMB tokens, that is vesting linearly over a one-year period, to help compensate for some of the losses incurred.
We are providing Fortress $300K USDC upfront, and the remaining $200K USDC at a subsequent date if the stolen funds are not recoverable.
We are providing MahaDAO $500K in USDC and 2.5MM in UMB tokens, that is vesting over a 3-month period, with $250k USDC upfront and the remaining $250K USDC at a subsequent date if the stolen funds are not recoverable.
We are also working with a specialist outfit that focuses on helping to recover stolen funds from similar exploits, and are working closely with both MahaDAO and Fortress throughout the situation.
Both MahaDAO and Fortress continue to remain our strategic partners, and we hope during these times of challenge that our communities can come together to help support each other.
Process Improvements
Since our project was launched over a year ago, the team has been incredibly focused on developing our products & solutions and embarked on a very ambitious roadmap.
We managed to go live on 6 mainnets and rolled out not only our main oracle solution, but many additional innovative products like our Random Number Generator, our latest Passport Beta, and are currently working on several more solutions that we feel will bring a lot of value to our partners and help grow our ecosystem.
However, our overall focus on trying to innovate and deliver quickly has come with costs. Our relentless pursuit has led to process breakdowns when it came to proper and consistent peer reviews and code audits, particularly in the early days of the project in 2021 when we had a very lean team.
While we managed to change policies, with all of the new updates and code releases getting proper peer reviews and audits when necessary, there was still older code that, while flagged for review, did not get done fast enough.
As a result, we will be implementing the following changes to our overall process:
- Security Subcommittee — Effective immediately, we will be forming an internal Security Subcommittee to oversee and implement best practices. The subcommittee will be comprised of senior team members across the development team encompassing frontend, backend, SRE, blockchain, and our senior engineering manager, with the responsibility to specifically review and assess the security of our platform, solutions, tech, and codebase. Additionally, a full and comprehensive review and report of all of our code, including smart contracts, will be performed.
- Quality Assurance Testing — Umbrella will look to hire a Quality Assurance Tester to add to the engineering team.
- Slow down our development and product rollouts — Umbrella will slow down on our development and solutions rollouts in order to focus more on security and proper development processes.
- Strategic Partners — Umbrella will look to work with some strategic partners and leverage additional engineering resources and expertise.
We will provide periodic reports to the community of our newly implemented process moving forward. Also, we will be scheduling an internal AMA with Sam Kim and John Chen to address any additional questions and concerns in the coming days.
Finally, we’d like to say that while we have made some oversights in our development process, which we are now focused on improving, we still fervently believe that Umbrella has and continues to develop a great product and set of solutions that can deliver real value to all the applications out there looking for better, cheaper and more diversified data on chain. The fundamentals of the project have not changed, and we are still fully committed to delivering that vision, but we will be tempering it with more prudently placed set of processes and policies. Thanks again to our community for your continued support, as we look to bring the world’s data on chain.
