VeChain Foundation Public Disclosure

vechainofficial
5 min read · Dec 22, 2019

While the past week has been stressful for the entire VeChain team, it’s also one of the most rewarding experiences for the team. Through dealing with the incident, our team and community became stronger.

Security is always one of VeChain’s top priorities. We would like to re-emphasize that the security of the VeChainThor blockchain and the wallet applications is intact and unaffected. We have worked hard in recent years to assure infrastructural security, and this incident has taught us that equal importance must be attached to other elements such as process compliance. Moving forward, we remain committed to providing secure blockchain services to all our stakeholders, including community members, token holders, enterprise partners, and application owners.

Since the incident happened, together with the community, developers and our partners, we have taken the necessary and immediate actions to control the situation and reduce the impact on the community. The good news is that we believe the damage has been successfully contained as of now.

How did we respond to the incident?

On December 13, as soon as we noticed the abnormal transaction from the Foundation buyback wallet, we informed the Steering Committee to launch the incident response protocol and called an urgent meeting with leaders of the various functions. We immediately checked the security of the rest of the Foundation wallets, notified the major exchanges, and took all necessary actions to reduce the possible impact on the market and protect all stakeholders.

Shortly after the incident, VeChainStats, which is well known across the VeChain community as a dedicated developer of data analysis tools for the ecosystem, offered to create a blacklist to track the stolen funds. It allowed exchanges to take preemptive action and prevent deposits from the blacklisted addresses from directly hitting the market. In addition, the Hacken team, which works with over 2,000 whitehat hackers, helped to trace the funds and notified the exchanges in the Crypto Defenders Alliance.

Thanks to the quick responses from OceanEx, Binance, Huobi, Kucoin, Bitrue, Bitfinex, Bittrex, and other exchanges, we were able to prevent the thief from causing an even bigger sudden, deliberate negative impact on the market. Nevertheless, over the next few days the thief escalated, for example by creating thousands of new wallets holding small amounts of tokens to wash the stolen funds and by launching DDoS attacks against VeChainStats’ blacklist. This convinced us that we needed more decisive measures to contain the damage and, more importantly, to win time for the investigation and for collecting community feedback.

Therefore, an urgent internal Steering Committee meeting was called by Steering Committee General Secretary Sunny Lu to discuss possible preventative actions. After careful consideration, the Steering Committee voted and passed a motion to contact all the Authority Masternodes and release an emergency patch, VeChainThor v1.1.5, on December 18, so that each Authority Masternode could vote on whether or not to implement a temporary block on the addresses controlled by the thief.

This was well received by all of the Authority Masternode holders, and thanks to their quick response the situation came under control within 72 hours of the patch’s release, as more and more Authority Masternodes opted to apply the update. All Authority Masternodes have confirmed that the block list has been implemented, so it is now almost impossible for the thief to move the stolen funds.

Currently, 469 addresses owned by the thief have been blocked by the Authority Masternodes, which has frozen about 727 million VET. For the funds that have already been moved to exchanges, we will continue working with the exchanges to retrieve them.
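The response described above combines two mechanisms: a tracing blacklist that follows the stolen funds as the thief spreads them across freshly created wallets, and an address block list enforced at the node level. The following is an added example (not VeChain’s, VeChainStats’ or VeChainThor’s own code) of how a defender can implement both over a transfer ledger. The ledger, the address names and the amounts are constructed placeholders, and the page does not say exactly how the v1.1.5 patch enforces the block, so the admission rule below (reject any transaction whose sender or recipient is blocked) is an assumption. Cooperating exchange deposit addresses are treated as taint sinks, since the exchanges screen deposits themselves.

```python
"""Taint propagation over a transfer ledger plus an address block list.

Added example, not code from VeChain, VeChainStats or VeChainThor.
Every address, transaction id and amount below is a constructed placeholder.
"""

# Constructed chronological ledger: (tx_id, sender, recipient, amount).
# "buyback" stands in for the compromised buyback wallet, "fresh_*" for new
# wallets the thief created to spread the funds, "exch_*" for cooperating
# exchange deposit addresses, "honest_*" for unrelated traffic.
SAMPLE_TRANSFERS = [
    ("tx01", "buyback", "thief_main", 1_000_000),  # the unauthorised withdrawal
    ("tx02", "thief_main", "fresh_a", 400_000),
    ("tx03", "thief_main", "fresh_b", 300_000),
    ("tx04", "fresh_a", "fresh_c", 150_000),
    ("tx05", "fresh_c", "exch_1", 150_000),        # lands on an exchange
    ("tx06", "exch_1", "customer_x", 150_000),     # exchange's own outgoing tx
    ("tx07", "honest_1", "honest_2", 5_000),       # unrelated transfer
    ("tx08", "fresh_b", "fresh_d", 1),             # dust to yet another wallet
]

# Constructed opening balances; every other address starts at zero.
INITIAL_BALANCES = {"buyback": 1_000_000, "honest_1": 5_000}

# Constructed set of cooperating exchange deposit addresses (taint sinks).
EXCHANGES = frozenset({"exch_1", "exch_2"})


def propagate_taint(seeds, transfers, stop_at=frozenset()):
    """Forward-propagate taint from `seeds` through a chronological ledger.

    Any recipient of a transfer from a tainted sender becomes tainted, with no
    minimum amount, so dust transfers to fresh wallets are followed too.
    Addresses in `stop_at` absorb taint but do not pass it on (an exchange's
    later payouts are its own, not the thief's). Returns (tainted, flagged_txs).
    """
    tainted = set(seeds)
    flagged_txs = []
    for tx_id, sender, recipient, _amount in transfers:
        if sender in tainted and sender not in stop_at:
            flagged_txs.append(tx_id)
            tainted.add(recipient)
    return tainted, flagged_txs


def build_block_list(tainted, stop_at=frozenset()):
    """Block list = tainted addresses minus the cooperating exchanges."""
    return sorted(tainted - set(stop_at))


def ledger_balances(transfers, initial):
    """Replay the ledger to get the final balance of every address."""
    balances = dict(initial)
    for _tx_id, sender, recipient, amount in transfers:
        balances[sender] = balances.get(sender, 0) - amount
        balances[recipient] = balances.get(recipient, 0) + amount
    return balances


def frozen_total(block_list, balances):
    """Total balance sitting in blocked addresses (what the block freezes)."""
    return sum(balances.get(addr, 0) for addr in block_list)


def admit_transaction(tx, block_list):
    """Node-side admission check (assumed semantics): reject a transaction if
    its sender or recipient is on the block list. Returns (accepted, reason)."""
    blocked = set(block_list)
    _tx_id, sender, recipient, _amount = tx
    if sender in blocked:
        return False, f"sender {sender} is blocked"
    if recipient in blocked:
        return False, f"recipient {recipient} is blocked"
    return True, "ok"


if __name__ == "__main__":
    tainted, flagged = propagate_taint({"thief_main"}, SAMPLE_TRANSFERS, EXCHANGES)
    block_list = build_block_list(tainted, EXCHANGES)
    balances = ledger_balances(SAMPLE_TRANSFERS, INITIAL_BALANCES)
    print("tainting transactions:", flagged)
    print("block list:", block_list)
    print("frozen total:", frozen_total(block_list, balances))
    print(admit_transaction(("tx09", "fresh_d", "exch_2", 1), block_list))
    print(admit_transaction(("tx10", "honest_2", "honest_1", 100), block_list))
```

Two design points matter for the situation the post describes. First, taint is propagated with no minimum amount, which is what catches the thousands of small-balance wallets; a production tracer may add a dust threshold, but it then has to accept that dust-funded wallets slip past. Second, the block list is derived from the ledger rather than fetched from a single web service, so the node-side check keeps working even when the public blacklist is under a DDoS.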

What is going to happen next?

VeChain always aims to iterate toward a sound balance between decentralization, which brings transparency and trust, and execution efficiency.

It’s imperative that the community makes the final decision on the fate of the blocked addresses and the stolen funds within them. In accordance with the recently approved VeChain Governance Charter, the Steering Committee is convinced that an All-stakeholders Voting is needed in an extreme case of this kind. Therefore we will very soon announce an All-stakeholders Voting on whether or not to make the block list introduced in VeChainThor v1.1.5 permanent, turning these 469 tainted addresses into burn addresses and de facto making the 727 million VET in them burnt tokens, forever subtracted from the total and circulating supply. Details will be announced soon.

On the investigation side, we are working with professional cybersecurity firms to conduct cyber-forensic checks on the devices that were potentially compromised to cause this theft. We expect to discover evidence and trails left by the thief that will confirm the exact cause of the incident. We are also collaborating with exchanges to cross-examine evidence; law enforcement will take action if solid evidence surfaces.

Our Internal Management Decisions

While the employee involved has been held accountable for the mistake, the head of the VeChain Foundation Operation Committee, who oversees the finance unit, will take responsibility for this incident, which happened under his charge. Jay Zhang will step down from his role as CFO and be replaced on an interim basis by the current financial controller. Moreover, Jay Zhang forgoes his candidacy for the upcoming Steering Committee election in 2020 and forgoes 50% of his compensation for the entire year of 2020.

In addition, Sunny Lu, as CEO, is ultimately responsible for this incident; although he was not the person directly implicated, he will also bear his share of the consequences. Like Jay Zhang, Sunny Lu will forgo 50% of his compensation for the entire year of 2020.

The Foundation team has decided on internal remediation and improvement plans to further strengthen digital asset security management from both technical and procedural perspectives. This private key theft has put our incident response procedure to a real-life test, and we will take the opportunity to further improve the process.

In summary, this incident will not affect VeChain’s long-term development. We would like to apologize again for the unintended lapses, and to express our sincere gratitude for the help and understanding of all stakeholders.

The past week has been full of challenges for the VeChain team. This experience will make us stronger. Through the joint efforts of the VeChain Foundation team, community volunteers and partners, the theft from the buyback address has now been effectively contained.

The VeChain Foundation has always treated security as its highest priority. We solemnly reassure community members and all stakeholders once again that the security of the VeChain blockchain network has never been compromised, and that no vulnerability has ever appeared in the related applications and devices, including the VeChainThor wallet. Enterprise and individual users can continue to use all services on the VeChain blockchain as normal. We will keep building a secure, complete and powerful underlying blockchain platform while also deepening our control over process management, and continue to provide users with the most valuable blockchain services.

Since the theft occurred, community members, developers and partners have worked alongside us and taken a series of necessary, swift and forceful measures to control the situation. Upholding the principle of “openness, transparency and democracy”, the Foundation hereby discloses to all stakeholders the progress of the incident and the outcome of its handling.

Incident progress and handling

On the evening of December 13, 2019, upon discovering an abnormal transaction in the VeChain Foundation buyback wallet, the Foundation immediately notified the Steering Committee to activate the emergency plan and convened an urgent meeting of the heads of each function. We immediately inspected the Foundation’s other wallets, ruled out anomalies and confirmed their security, notified the major exchanges, and took every necessary measure to reduce the possible impact of the incident on the market, in order to protect the interests of all stakeholders.

The community project VeChainStats proactively offered to deploy a blacklist to track the stolen digital assets in real time, helping exchanges take preemptive measures to prevent assets from blacklisted addresses from flowing directly into the market. At the same time, the Hacken team, working with more than 2,000 white-hat hackers, traced the stolen assets and notified all member exchanges of the Crypto Defenders Alliance.

Special thanks to OceanEx, Binance, Huobi, Kucoin, Bitrue, Bitfinex, Bittrex and other exchanges for their rapid response in cooperating on this incident, which prevented the stolen assets from causing an unnecessary shock to the market. Nevertheless, in the following days the thief carried out a further series of operations, such as frantically creating thousands of new small-balance wallets in an attempt to launder the stolen funds, and launching DDoS attacks against the VeChainStats blacklist. We therefore decided that stronger measures were needed to win more time for the investigation and for collecting community feedback.

Accordingly, VeChain Foundation General Secretary Sunny Lu convened an emergency meeting of the Steering Committee to discuss further solutions. After careful consideration, the Steering Committee voted on a proposal to notify all Authority Masternodes and release VeChainThor v1.1.5. After the Committee passed the proposal on December 18, the development team released VeChainThor v1.1.5, and every Authority Masternode could choose to complete the upgrade in order to temporarily block the thief’s addresses on the blacklist.

We sincerely thank all Authority Masternode holders for their prompt response after being notified. Within 72 hours of the release of v1.1.5, all Authority Masternodes had agreed to apply the update. Under these circumstances, the stolen digital assets cannot be transferred.

At present, the Authority Masternodes have blocked 469 blacklisted addresses linked to the thief, freezing a total of approximately 727 million VET. We are also continuing to work with exchanges to recover as much as possible of the stolen assets that have already flowed into exchanges.

Further measures

The VeChain Foundation has always been committed to maintaining an organic and lasting balance between democratic governance and efficient execution.

Upholding the principle of “openness, transparency and democracy”, and in accordance with the newly effective governance model, the VeChain Foundation will initiate a vote of all stakeholders on this exceptional incident. The vote concerns whether to write the blacklist permanently into the VeChainThor blockchain. If the vote passes, the 469 blacklisted addresses will be permanently locked (equivalent to the 727 million VET in those addresses being burned and permanently subtracted from the total and circulating supply). The detailed voting rules will be officially announced shortly.

As for the investigation of the thief, we are working with professional cybersecurity firms to carry out technical forensic examinations of all devices that may be involved in this incident, looking for traces left by the thief and pinpointing the point of compromise. At the same time, we are conducting rigorous cross-verification of evidence and will report to the police as soon as conclusive evidence is obtained.

Internal management and adjustments

The incident was triggered by improper operation by an individual employee in the finance department, and the directly involved personnel have been dealt with accordingly. Mr. Jay Zhang, head of the VeChain Foundation Operation Committee and of the finance department, bears management responsibility for it. Jay Zhang will step down as Chief Financial Officer, with the financial controller acting in his place. Mr. Zhang has also given up his eligibility for election to the second VeChain Foundation Steering Committee, as well as 50% of his compensation for the whole of 2020.

As the person ultimately responsible, VeChain CEO Sunny Lu will also bear corresponding responsibility and has likewise voluntarily given up 50% of his compensation for the whole of 2020.

At the same time, the VeChain Foundation has begun optimising its internal management, strengthening digital asset security management from both the technical-upgrade and the process-control perspective. This theft was a real-world test of the effectiveness of the Foundation’s emergency plan; we will learn from it and further improve our risk control and response capabilities.

In summary, we apologise once again for this incident. It will not, however, affect the long-term, stable development of the VeChain Foundation. The Foundation will continue to provide secure, high-quality blockchain services and do everything possible to protect the interests of all stakeholders. We also sincerely thank community members and all stakeholders once more for their understanding and support during this incident.


VeChain, based in San Marino, Europe, built VeChainThor, a powerful blockchain enabling a sustainability revolution.