
Weekly Nutbox Report #15

@nutboxna

Hello folks. It's Monday again, time for a new report on the Nutbox projects and what happened in the past week.

A couple of days ago, the Nutbox Team published the second audit report.

https://medium.com/@nutbox.dao/investigation-report-about-the-attack-on-walnut-network-2-40c287a3ad54

Since the Nutbox system is a cross-chain platform built across multiple blockchains, it has to handle each chain's different contract management model at the same time, and in a timely manner.

For example, Polkadot and Kusama require users to contribute their DOT to the official Polkadot Crowdloan pallet. Absolutely no one, including the users themselves, can withdraw the staked assets while they are locked, until the current Parachain Slot Auction ends. Content-creation blockchains such as HIVE and STEEM, on the other hand, only require delegations; there is no locking mechanism that binds a user's delegation to a particular contract or account until a given date. Users can remove their assets at will.

In the current design, a traditional backend signs the contract transactions on the users' behalf. That means the private keys must be stored on an online server to support this process, and a key that lives on an internet-facing server is exactly the kind of asset a network intruder goes after.

The management team shut down the service right after the attack. But the damage was done, and the attacker used the Tornado.Cash mixer contract to obscure where the stolen funds went next.

Not trying to insult anyone's intelligence here; this was a legitimate question we were asked.

Why didn't the team report to the police that someone broke into the Nutbox facility and stole the private key?

The private key was stolen through a network breach. Nobody sneaked into the building where the server was located and copied the private key physically.


Knowing the cause is half the battle; what the team can do to provide a safer platform for users is the most important goal going forward. The trust the Nutbox Team lost during this incident costs more than the stolen funds.

In the report, the team lists several steps to tighten the security of the existing product: deprecate the unsafe mechanisms found during the investigation, and isolate the staked assets of each pool, even though this costs more external computation when calculating the cToken reward.
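Why per-pool isolation matters, as an added illustration (this is not Nutbox code and does not describe the Walnut contracts): the signing backend described earlier holds keys on an online server, so the question is how much a single stolen key can drain. The model below compares one key shared by every pool with a separate key per pool, where each vault only honours withdrawals addressed to its own pool and authorised by its own key. HMAC-SHA256 stands in for the chain-specific signature scheme, and the pool names, balances and key material are constructed for the example.

```python
"""Added example (not Nutbox code): blast radius of a stolen hot key with
shared vs. per-pool signing keys.

HMAC-SHA256 is a stand-in for the real chain signature primitive; the pools,
balances and keys are constructed for the illustration.
"""
import hashlib
import hmac
import json
import secrets


def canonical(msg: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, msg: dict) -> bytes:
    """What the online signing backend does. Anyone holding `key` can do this."""
    return hmac.new(key, canonical(msg), hashlib.sha256).digest()


class Vault:
    """Vault for one staking pool. It only releases funds for a withdrawal
    that (a) names this pool and (b) carries a valid signature under the key
    registered for this pool."""

    def __init__(self, pool_id: str, balance: int, auth_key: bytes):
        self.pool_id = pool_id
        self.balance = balance
        self._auth_key = auth_key

    def withdraw(self, msg: dict, sig: bytes) -> bool:
        # A signature valid for some other pool must not move this pool's funds.
        if msg.get("pool") != self.pool_id:
            return False
        expected = sign(self._auth_key, msg)
        if not hmac.compare_digest(expected, sig):
            return False
        if msg["amount"] > self.balance:
            return False
        self.balance -= msg["amount"]
        return True


def build_vaults(balances: dict, isolated: bool):
    """isolated=False: every vault trusts the same key (one hot key for all).
    isolated=True: each pool gets its own key, as the report's mitigation suggests."""
    shared = secrets.token_bytes(32)
    keys, vaults = {}, []
    for pool_id, bal in balances.items():
        k = secrets.token_bytes(32) if isolated else shared
        keys[pool_id] = k
        vaults.append(Vault(pool_id, bal, k))
    return vaults, keys


def drain_with_key(vaults, stolen_key: bytes, attacker="attacker-addr") -> int:
    """Attacker with one stolen key tries to empty every vault; returns total taken."""
    stolen = 0
    for v in vaults:
        msg = {"pool": v.pool_id, "to": attacker, "amount": v.balance}
        if v.withdraw(msg, sign(stolen_key, msg)):
            stolen += msg["amount"]
    return stolen


def exposure(balances: dict, isolated: bool, leaked_pool: str) -> int:
    """Funds lost if the signing key of `leaked_pool` is stolen from the server."""
    vaults, keys = build_vaults(balances, isolated)
    return drain_with_key(vaults, keys[leaked_pool])


if __name__ == "__main__":
    BAL = {"steem": 1_000, "hive": 500, "polkadot": 10_000}  # constructed balances
    print("shared key, steem key leaks:  ", exposure(BAL, False, "steem"))
    print("isolated keys, steem key leaks:", exposure(BAL, True, "steem"))
```

With the shared key, one leaked key drains every pool; with per-pool keys, the loss is capped at the balance of the pool whose key leaked. The `pool` field in the signed message is what makes the isolation hold: without it, a signature produced for one pool could be replayed against another vault even when the keys differ.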

Most importantly, the investigation is not over and will never be over. Security is a daily job for everyone working on this ecosystem. Only by doing this can we regain our users' trust, provide the best service we can, and prolong the project.

At present, users can still use the services at https://peanut.nutbox.io and https://polkadot.nutbox.io. The original PNUT-TRX LP still operates; the new PNUT-BNB LP on BSC is delayed, along with all other BSC-related assets and projects.

The number one priority right now is to secure the system and give users a safe environment.

Just remember, what doesn't kill us makes us stronger.


Development update

Walnut front end

  1. Reconstruct the functions of the Walnut products to prepare for the relaunch of Walnut;
  2. Distribute the first batch of NUT compensation (2 million NUT in total) to the victims of the Walnut contract attack.