This post is an update to Stephen’s tweet on November 18th about reports of lost funds. In this post, we will share what we know about the potential exploit, all the information we know about the alleged attacker, what we’ve done so far to contain the potential threat, and we want to give the alleged attacker a chance to return the funds.

On November 18th, we received reports of lost funds, mysteriously missing from 9 wallets at the time of this writing.

The Facts (as of 11/20/2020)

A total of 25,356,279.23 ONE tokens were removed from 9 wallets.

Affected wallet addresses

  • one14y4y0avdhlwfmvufxkch53q57stwmctg002vlv
  • one1r3fhhzzzatcmqx62nszqxf3shk8qk7qhlmg7tk
  • one10wgvlxx85vwcfk43g0vzss95er80uneh2h80hv
  • one13gv9shkzs847ayy6ggjxssv9g73jlvydlem2ra
  • one1hrgflaj09mh497qczhmzrnee4vxygtsjqx52mq
  • one1rcv3chw86tprvhpw4fjnpy2gnvqy4gp4fmhdd9
  • one16xh2u9r4677egx4x3s0u966ave90l37hh7wq72
  • one12cswq02gkn3r5cfpy3t0ep0vn2t3cvn3a38ltn
  • one14rjfcpf2c2rw48p3evunylpag402c37jpg38um

Alleged attackers addresses

  • one1qclwtjg85cx4kfcxj3t284p908knldvfwk53ps

What Harmony Did to Contain the Problem

As a team, we immediately went into all-hands on deck mode. Here are the steps we took to contain the problem:

  • We contacted major centralized exchanges and informed them about the attacker’s activities and ONE wallet address.
  • We rolled back to a prior version of the ONE Wallet, details published in this post.
  • We met with and contacted current and prior employees to do a thorough internal security investigation.
  • Met with our security partner, PeckShield and others, to conduct root cause analysis

What We Know About the alleged Attacker

We are still investigating the origin of the attack. Exploits and attacks can happen in a lot of different ways and it’s too early to come to any conclusions. Be rest assured that we are taking every possible precaution we can to keep our community safe. What we do know is that only 9 addresses have been exploited which seem to suggest that this could’ve been a targeted attack.

Based on forensic evidence we’ve collected we know that the alleged attacker used a KYC’d account on a major centralized exchange, giving away personally identifiable information in the process of carrying out the attack. We’ve also collected other evidence about the attacker and we know where he or she keeps the stolen funds. We’ll actively monitor these addresses and track every single move and work together with exchanges as well as law enforcement.

Our Offer to the alleged Attacker

We want to give the alleged attacker a chance to return all the funds. If you do so, we won’t pursue further legal steps, dox your identity in public, or take any further action. As an act of goodwill, when all the funds are returned, we will offer you a bounty to uncover how the attack was executed.

We also invite our community to help us uncover the attacker or any traces related to this attack.

We will give you until midnight UTC 11/23/2020 to accept or reject our offer.

Thanks to our Community

We have made several announcements to the community to take precautionary measures. We will also keep you updated with more facts and remedies in the coming days.

We want to give a huge shoutout to our community for rallying together during this confusing and difficult time. Thank you for your support. We also thank our community managers for being so in tune with the community, our engineers for bending backwards to get to the root cause, our security partners for helping us.

Tough times make good teams into great teams. We’ll use this as fuel to make Harmony even stronger and the community even more unified.