Introducing Wrapped LEO V2 | Secure Architecture and Long-Term Plans
On October 12th, our WLEO-ETH liquidity pool was attacked by a known Ethereum-based attacker. We linked the attacking address to a ring of other addresses which pulled off similar attacks (and others). This address continues to launder hundreds of stolen ETH per day through Binance despite widespread reporting and message boards asking Binance to investigate and block this address and its associated ring of accounts.
On that date, our pool had reached $450k USD in total liquidity. It was an incredible rise as we blew past any expectations that we had set prior to the launch of Wrapped LEO. If you want to learn more about the WLEO liqudity pool attack, how it happened, our investigation into the issues/attacker and more, please read the WLEO Attack Whitepaper we published.
Wrapped LEO is Officially Relaunching on November 12th Around 8 AM CST
Why Wrapped LEO is Important
We've talked about this numerous times and many in the community already have a firm grasp of why WLEO is so vital for us. Hive-Engine is a niche exchange within a niche blockchain. There are plenty of Hive users who don't understand what Hive-Engine is or how to use it and that speaks volumes (pun intended) to the liquidity issues and user-friendliness of the second layer on Hive.
An effort is being made to either deliver on SMTs or a decentralized version of Hive-Engine. Regardless of the outcome, our community has grown far beyond the capabilities of Hive-Engine in its current form and we need to branch out to other platforms for a variety of reasons. For the past few months, we've built our own UI from the ground up and subsequently launched a number of onboarding updates to make it easier than ever to sign up to LeoFinance (and Hive).
With all of these efforts, outside attention has become increasingly important. LeoFinance is an attention-based platform. We need more users and our goal has always been to onboard the masses to our platform and the Hive blockchain. Wrapped LEO brings about a number of benefits that bring our economy to greater heights:
- Trading volume
- Pegging our token price to ETH
- Accessibility to other Ethereum-based projects
- Easy on/offramp for our recent LeoInfra integrations
- Decentralized exchange listings and centralized exchange listings
Before the attack on wLEO V1, we were in talks with a major CEX to list WLEO to bring a whole new group of investors and users to our platform. That obviously had to take a backseat as we investigated and solved the issues that led to the attack. Additionally, we were working with a few different ETH-based projects on various forms of collaboration to cross-pollinate the LeoFinance user base with their user bases.
Collaboration is the key to growth. We're working overtime to deliver on the best onboarding experience the Hive blockchain has ever had. You can sign up to LeoFinance.io in less than 30 seconds using a Metamask wallet and soon, you'll be able to do the same with other blockchain-based wallets in addition to major web2 apps: Twitter, Google and Facebook.
These integrations, however, are useless without marketing, collaboration and eyeballs. Our goal has always been to bring a new wave of attention and development to our project and the entire Hive ecosystem. I think we've done a great job in delivering on this so far, but we still have much work to do. Wrapped LEO is a necessary component in the vision we have moving forward as we aim to onboard thousands, tens of thousands and hundreds of thousands of new users.
WLEO 2: Security From the Ground Up
The relaunch of Wrapped LEO will bring an exponentially greater level of security to the ecosystem. In this post, we'll cover the 4 most important measures that we've taken to ensure a highly secure, robust and future-proof version of WLEO that we can leverage for the benefits we discussed in the previous section.
Max Total Supply
Under the previous model, Wrapped LEO operated with a mint & burn token distribution. When a user wrapped LEO into WLEO, they were issued brand new WLEO tokens from the minting contract.
The attack on WLEO1 was an attack on this minting function. The hacker was able to mint unlimited WLEO because they gained access to the minting new token functionality. This allowed them to take that falsely minted WLEO and swap it into the Uniswap pool to get ETH.
With WLEO2, we've introduced a max token supply model which utilizes a send/receive model. This is more in-line with how other crypto tokens function.
Having a max supply gives us a lot of advantages. In terms of security, it vastly reduces risk since new tokens cannot be accessed in any way, shape or form. It makes the attack that happened previously entirely impossible (since new tokens cannot be minted using the contract address). It also minimizes any damage if a different attack happened in the future (more on this in the Cold Storage section of this post).
Other advantages - which we may explore in a separate post later on - are around partnerships, exchange listings and data aggregators. You may remember that WLEO1 had issues with data aggregators and how they displayed relevant info about our token. This was largely due to the infinite supply.
The final advantage I'll mention here is around new token hodlers and their desire to become a liquidity provider (people outside of the Hive ecosystem). We drummed up a lot of attention for Wrapped LEO both within the Hive ecosystem and within the Ethereum eocsystem. Many of these new potential users/investors had concerns over the "infinite" supply of WLEO - under the mint/burn model.
No More Minting
As you can see in the above screenshot, WLEO has a max supply of 10,000,000 (10M) tokens.
This new model with a limited token supply will cover these concerns along with bringing much needed security and usability.
To prove that no other tokens can be minted, we utilized the contract address to try and mint more tokens above 10M. This essentially simulates the attack that happened on WLEO V1 - since the attacker gained access to the contract key and then minted WLEOs to their account - when trying to mint 1 WLEO under the new contract, we got this error:
No more tokens can be minted from the contract. Now, the security relies on a cold/hot wallet management system (more on that below).
The 10M token number was chosen for a number of reasons. The current circulating supply of native LEO is ~6M tokens. If you include the dev stake/bounty fund (which are minted slowly on the Hive blockchain over the course of several years), then we're right around 9M-10M tokens.
This coupled with the inflationary aspect of LEO means that our token supply will likely reach 10M in about 1.5-2 years.
Having a max supply of 10M WLEO means that 10M LEO can be wrapped. No more than that can ever be wrapped (under this version of WLEO). We can expect that a significant amount of this supply will remain staked on the Hive blockchain thanks to curation rewards and a variety of other reasons.
The interesting dynamics between curation (staking) APY and liquidity providing (LP) APY will also take effect. The more LEO that gets wrapped, the less competition for curation rewards. This will create a dynamic relationship between the amount of LEO that gets wrapped versus the amount of LEO that stays staked on the Hive blockchain.
We will likely never utilize the full 10M WLEO. Which leads us into the next two sections about where the WLEO is being stored and why we took such significant measures to put these in place.
In order to operate the Wrap/Unwrap oracle aspect of WLEO (allowing users to Wrap LEO into WLEO and unwrap WLEO back into native LEO), we need to have a hot wallet.
Under the old model of WLEO, the hot wallet was actually the minting address. This means that when a user wrapped tokens, they were issued tokens utilizing the private key of this minting address. The attacker exposed the greatest flaw in this system and took control of this minting address which allowed them to mint unlimited WLEO.
In exploring new models for WLEO and investigating other aspects of security measures, we took notes from the largest exchanges in the crypto space. The way they operate is by utilizing hot wallets which carry enough funds to handle day-to-day transactions. They then store the majority of user funds in cold wallets to avoid attacks.
When an exchange gets hacked, they usually get their hot wallet hacked while their cold wallet remains secure. This means that the majority of funds are still securely stored even though a major hack has taken place.
With our new model, a hot wallet has been created which will hold just enough WLEO to conduct day-to-day transactions. There are currently about 1.2M LEOs liquid on the Hive blockchain. The WLEO hot wallet currently holds 1M WLEO which we predict will be enough for launch day and likely a few days/weeks afterwards. Once this balance starts to get low, it will be refilled with a small amount of WLEOs to continue servicing wraps by an offline cold wallet token transaction.
When a user wraps LEO into WLEO, they'll send their LEO to our oracle account on the Hive blockchain and they will receive WLEO from our hot wallet on the ETH blockchain.
When a user unwraps WLEO into LEO, they'll send their WLEO to our cold wallet on Ethereum and receive LEO from out hot wallet (oracle) account on the Hive blockchain.
While many other security measures have been put in place to avoid attacks on the hot wallet altogether, the hot/cold storage dynamic is one of the most vital aspects of this new version. With this dynamic in place, an attack event would have a minimal impact on the WLEO economy. This caps the amount of damage that can be caused by a security breach.
An additional measure was taken to protect against double spends (WLEO unwraps are sent to our cold wallet instead of the hot wallet). Again, as the funds in the hot wallet run low, an offline TX will be created to refill the wallet with an operating amount of WLEOs.
A small amount of WLEO will be held in the hot wallet to conduct day-to-day operations. The rest of the WLEO supply will be held in deep cold storage which will only be accessed when the hot wallet needs to be loaded with more WLEO.
This means that the cold wallet will actually never be used for online transactions. All of the actions of the cold wallet happen offline. The following diagram depicts the important relationship between cold and hot wallets as it relates to exchanges and how they operate (which also now applies to Wrapped LEO and how it operates):
Going based on the previous WLEO numbers, we expect around 600k-900k LEO to get wrapped within the first month. The hot wallet will hold 1M WLEO tokens at launch and the remaining 9M WLEO will be held in this offline, cold storage wallet.
After a few months (or whenever the hot wallet runs low on WLEO), we'll send additional WLEO to the hot wallet by using projected numbers to assume day-to-day usage of WLEO. The goal is to keep just enough in the hot wallet to operate but keep the amount as low as possible so that in the event of an attack, the damage that can be caused is very minimal (imagine, ~200k WLEOs at risk in the hot wallet at any given time whereas the previous attack leveraged tens of millions of WLEOs which were printed out of thin air).
Wallets Then vs. Wallets Now
To summarize this vital difference in the WLEO V1 setup vs. the WLEO V2 setup, here are the various wallets involved in each version and what permissions they held. This exposes the major flaw in WLEO V1 and showcases 1 of the main aspects of WLEO V2 security:
WLEO V1 Wallet Setup:
Address #1 (ETH) - Contract Creator:
- Function: launch the WLEO contract and serve as the minting address/oracle for WLEO
- Permissions: pause the contract, mint unlimited WLEO
Address #2 (HIVE)- @wrapped-leo Oracle:
- Permissions: Custody LEO tokens on Hive, Send/Receive native LEO during wrapping and unwrapping
WLEO V2 Wallet Setup:
Address #1 (ETH) - Contract Creator:
- Function: initial launch of the WLEO smart contract
- Permissions: pause the contract
- Key difference: has no other permissions. If this address is attacked, it has no WLEO in its wallet and can't mint any new WLEO (since the supply is fixed and 100% has been minted to the cold wallet)
Address #2 (ETH) - Hot Wallet:
- Function: serve as the WLEO oracle
- Permissions: send WLEO to a user when they wrap LEO
- Key difference: this wallet cannot mint WLEO. Only send what is in its available balance. Similar to exchanges, this wallet only has enough WLEO to operate day-to-day which mitigates possible damage from any attack
Address #3 (ETH) - Cold Wallet:
- Function: serve as the custodian of inactive WLEO tokens and recipient of unwraps
- Permissions: store inactive WLEOs and send those WLEOs by using an offline tx when the hot wallet is low on funds
Address #4 (HIVE) - @wrapped-leo Oracle:
- Function: serve as the custodian of native LEO tokens for wrap and unwrap operations
- Permissions: hold, send and receive LEOs whenever a user wraps or unwraps tokens
We had several developers run security audits on the various aspects of Wrapped LEO 2. This includes our original audits on how the previous version was attacked as we had to do in-depth analyses on all the various aspects of that version in order to pinpoint what caused the attack specifically.
Utilizing that, we designed the new and highly secure version of WLEO with the security measures mentioned in this post and more. These initial audits were extremely valuable.
Over the past several days, we've had a number of devs run audits on the new Wrapped LEO and surrounding architecture including the oracle node, the front end and the ETH contract itself.
These audits were run by a few devs on the Hive blockchain and also a non-Hive code auditor with no relation to our projects or other developers. The goal of these audits was to outline the potential attack vectors for Wrapped LEO V2 and figure out if and how another attack could take place. The result is an extensive list of the architecture for WLEO which outline the level of risk and how likely an attack on that particular aspect would be.
To keep this brief, the conclusion is that this version of WLEO addresses the outlined aspects that could potentially be exposed. Throughout this post, we've discussed the key features of the WLEO2 design which specifically address these aspects:
- Limited Token Supply
- Limited Hot Wallet Capabilities
- Cold Wallet Storage
- Separation of Frontend and Oracle Code
- Additional Server Security
- Extensive Auditing by Third Parties
The end result in all of this is that we now have a highly secure, robust and exchange-friendly version of WLEO that we can utilize now and in the months & years to come.
Big shoutout to @fbslo who helped immensely in this process. He helped us dissect the WLEO 1 issues, find the security flaws and also rebuild WLEO for a highly secure relaunch. If you aren't already (and I don't know why you're not), please go vote for his Hive witness node. He's a buidler through and through.
WLEO Geyser Model for LP Incentives
"Pool early and pool often" - @nealmcspadden
I wish I could say that I came up with this genius tagline, but I can't. The credit goes to Neal for coming up with the simplest way to explain how the WLEO geyser incentives pool for liquidity providers will work.
You can read our full post with details on this model (including a link to the WLEO Geyser Simulator we built) or you can enjoy the cliff notes version:
- Before today, there were only 2 pools of rewards: PoB and PoM (Authors / Curators and Mining token holders). The Geyser ecosystem has established a 3rd pool: PoL (Proof of Liquidity for WLEO liquidity providers)
- Every 24 hours, a snapshot of all the WLEO liquidity pools (stating with just WLEO-ETH and eventually expanding to other WLEO-____ pools) is taken.
- The proportional share of ownership in the pool is weighted against the other LPs along with a calculation of "Time Factor" which scales your rewards based on how long you've been a liquidity provider relative to the other LPs in the pool - the longer you've been an LP, the higher your share of the daily liquidity pool
The fascinating dynamics of having time-enhanced liquidity incentives are going to take effect immediately on the results in the WLEO-ETH pool (along with our other pools in the future). When a pool is opened (i.e. the WLEO-ETH pool tomorrow), there will be a mad rush to deposit liquidity and be as big of an LP as possible on day 1.
From there, the incentives under they Geyser model align with being in the pool for as long as possible relative to other LPs. This means that the greatest incentive lies in the liquidity providers who pool their WLEO-ETH from the beginning and hold it in the pool as long as possible. Taking liquidity out early will cause a major opportunity cost in long-term yield.
This is the goal of any liquidity ecosystem: incentivize the best group of users. In this case, it's the users who provide liquidity and leave it in the pool for the long-run as opposed to users who frequently jump in and out of the pool.
These long-term LPs also happen to be the users who tend to believe most in the project, since they're providing to the liquidity pool with the expectation that they won't withdraw that liquidity for months or even years in order to maximize their Annual Percentage Yield (APY).
When Will the First Geyser LP Incentive Snapshot Be Taken?
The Geyser distribution system starts ~24 hours after launch. The snapshots are taken every 24 hours at 10 AM CST.
The WLEO launch date is set for November 12th. On the following day (Friday November 13th 😉), the first Geyser snapshot will be taken.
Every single day after that at 10 AM CST, another snapshot will be taken. Again, more details on the snapshots and how the rewards are paid out (monthly) are in the Introducing the WLEO Geyser Model, LEO Token Economy Updates and New Simulation Tool post.
WLEO Official Team Liquidity
Similar to the first WLEO launch, @leofinance will provide an initial WLEO-ETH liquidity of $50k USD to kickstart the pool on launch day.
This liquidity will be exempt from Geyser snapshots and distributions and will also remain in the pool for a minimum of 12 months.
The launch has been delayed 2 or 3 times due to some issues with Infura and the ETH chain as a whole.
As of this post being published (on November 11th), everything is ready for launch.
WLEOs Firm Re-Launch Date is November 12th, 2020
This is somewhat poetic because WLEO V1 was attacked on October 11th, 2020. Can't keep a tough LEO down for long
The WLEO relaunch will also be accompanied by a UI update. This will introduce many of the features that we built for https://leofinance.io but had to shelf for a month because if the rebuilding process. Now that WLEO is back, we're also bringing back many of the amazing features that will bring a whole new level of functionality to LeoFinance.io and LeoInfra:
We've had a few days delay in delivering this post and the WLEO launch but we're still on track for our major releases with LeoInfra and LeoFinance.io which will introduce some mind-blowing features like Twitter onboarding, advanced publishing and more.
LeoFinance is a blockchain-based social media community for Crypto & Finance content creators. Our tokenized app allows users and creators to engage and share content on the blockchain while earning cryptocurrency rewards.
|Track Hive Data||New Interface!||About Us|
|Hivestats||LeoFinance Beta||Learn More|
|Trade Hive Tokens||Hive Witness|
Posted Using LeoFinance Beta