Update to Multi-Sig Incident & Next Steps
Reproducing the incident and coordinating next steps
Please read our first Update about the incident from yesterday:
Reproducing the Incident on Testnet
We tried to reproduce the attack on this Gnosis Safe on Rinkeby. We discovered UI flaws that hide important information from the user, especially `transaction.to`, the destination of the call. That allows a malicious app to hide the true nature of the transaction.
We were using the "Transaction Builder" app on a weekly basis via the official gnosis-safe app, safely bookmarked on all our machines. Somehow, last week this "Transaction Builder" was serving a malicious front-end - we are still unsure how this could happen in the first place.
Gnosis's first assumption was phishing of the Gnosis UI (a malicious web-app link).
The gnosis app loads a list of safe apps from:
Whatever that list contains on a given day, it is possible that it served a malicious app. (We do not intend to blame.)
The url at the moment points to:
That URL is served from Amazon S3.
A lot could go wrong there as well. (Ditto, no intent to blame.)
Note: These two points are just theories, but possible ones: wrong Amazon S3 bucket permissions, leaked AWS keys, whatever. It could also be cache poisoning on the path to Amazon, or even on my own machine. I cannot rule this out either 😦
Another possible (but less likely) vector is DNS spoofing combined with obtaining a certificate for the domain.
In the end, the phrase "always verify what you sign" is as important as ever, especially in routine tasks.
The UI flaws are annoying, but in the end I (@pinkiebell) created this Safe transaction and should have spotted the different contract address in the signature request.
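As an added example (not code from the Habitat team or from Gnosis), here is a small Python decoder for a Safe `multiSend(bytes)` batch, the form in which the Transaction Builder submits its transactions, so that every inner destination can be checked against what the owner intended before signing; it generalizes the post's point about `transaction.to` to each call inside a batch. The MultiSend selector, the packed layout and the placeholder addresses are assumptions, not values from this post.

```python
# Added example, not code from the Habitat team or from Gnosis Safe: decode a Safe
# "multiSend(bytes)" batch (what the Transaction Builder app produces) and list every
# inner destination so an owner can check them before signing. Assumed packed layout:
#   operation (1 byte) | to (20) | value (32) | dataLength (32) | data
MULTISEND_SELECTOR = bytes.fromhex("8d80ff0a")  # keccak256("multiSend(bytes)")[:4]

def encode_multisend(txs):
    """Build multiSend(bytes) calldata from (op, to, value, data) tuples (sample input only)."""
    packed = b"".join(bytes([op]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
                      + len(data).to_bytes(32, "big") + data for op, to, value, data in txs)
    padded = packed + b"\x00" * (-len(packed) % 32)
    # ABI encoding of one dynamic `bytes` argument: offset, length, payload
    return MULTISEND_SELECTOR + (32).to_bytes(32, "big") + len(packed).to_bytes(32, "big") + padded

def decode_multisend(calldata):
    """Return the inner transactions of a multiSend(bytes) call as (op, to, value, data)."""
    if calldata[:4] != MULTISEND_SELECTOR:
        raise ValueError("not a multiSend(bytes) call")
    body = calldata[4:]
    offset = int.from_bytes(body[:32], "big")
    length = int.from_bytes(body[offset:offset + 32], "big")
    packed = body[offset + 32:offset + 32 + length]
    txs, i = [], 0
    while i < len(packed):
        op = packed[i]
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        n = int.from_bytes(packed[i + 53:i + 85], "big")
        txs.append((op, to, value, packed[i + 85:i + 85 + n]))
        i += 85 + n
    return txs

def review_batch(calldata, expected_targets):
    """Flag destinations outside the owner's expected set and any delegatecall (op 1)."""
    allowed = {a.lower() for a in expected_targets}
    findings = []
    for idx, (op, to, _value, _data) in enumerate(decode_multisend(calldata)):
        if to.lower() not in allowed:
            findings.append(f"tx {idx}: unexpected destination {to}")
        if op == 1:
            findings.append(f"tx {idx}: DELEGATECALL to {to}")
    return findings

# Constructed sample with placeholder addresses: the owner intended one ERC-20
# transfer() to TOKEN, but the batch also carries a call to an unknown contract.
TOKEN = "0x" + "11" * 20
UNKNOWN = "0x" + "ee" * 20
SAMPLE = encode_multisend([(0, TOKEN, 0, bytes.fromhex("a9059cbb") + b"\x00" * 64),
                           (0, UNKNOWN, 0, b"")])
```

Running `review_batch(SAMPLE, [TOKEN])` reports the second call as an unexpected destination, which is exactly the detail a UI that hides `to` would let slip past the signer.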
Gnosis themselves are on it, and we are still in touch via a Discord group.
What happens to the Project & HBT Token?
With around 1.4 million HBT taken from the team and used to exploit liquidity, the continuation of the current HBT Token is open for discussion.
Losing control over the Habitat Team Multi-Sig means the planned unlocking and distribution of the outstanding Habitat Tokens cannot be performed as planned.
The current HBT Token will most likely be replaced by a new one.
There is no advantage in buying tokens now: snapshots of balances will be taken from before the attack on 01. December 2021.
Issuing a new token brings an opportunity to re-design the token economics of Habitat and make sure all holders will come back stronger after the incident and connected liquidity drain.
The team is considering a full rebrand of the project to rebuild the reputation of the community, contributors and the project.
What about the HBT token-holders?
Team Habitat is now collecting token-holder data going back to the launch on 10th March 2021.
Token-holder data will be cleaned and sorted to ensure bots and other chain-noise is filtered out from the future distribution.
Liquidity Providers on Uniswap and SushiSwap are also considered and will receive additional reimbursement for their service and sacrifice.
We are confident that we are not starting from scratch, as we have always had a healthy community. We are happy to get feedback from everyone regarding a potential rebrand, naming, token design, token launch etc.
Please let the ideas come; we keep on building v2, of course, and will keep you updated on everything.