Lepricon Token Exploit — Update
We now have a definitive idea of what happened, and we can confirm that the hacker exploited the smart contract for the token. However, the Gnosis safe was not compromised, nor were any wallets used for signing authority.
We engaged several external professionals to look at the transaction and to examine the byte code to identify the precise chain of events. The answer came first from Peter Robinson, Technical Director at ConsenSys, based in Brisbane, Australia.
He decoded the call data and posted the output to a GitHub, which you can read here.
There was a batch transfer function in our contract, a helpful feature, but it turns out that it had a weakness that enabled a malicious actor to access contracts that contained LPR.
We are all stunned by the outcome. Multiple entities checked and rechecked this code before listing, and they did not pick up this flaw. Only by decompiling the byte code were we able to discover the truth of the matter.
We are very grateful to Peter for his help and expertise.
Moving Forward
We can plan for a replacement token now that we know what happened. Ironically, the bear market protected us from more significant losses, and we can recover from this.
We are now considering our options, and there are many. Some of the things we are thinking:
- Whether we keep the Lepricon brand or, given the token’s future as the rewards mechanism for a mobile gaming platform, rebrand.
- Whether we stay with BNB Chain or move to Polygon or even a chain like Hedera
While this has been a horrific experience for the team, and equally so for token holders — which includes most of the team — we would be foolish not to take stock and see what opportunity we can create from the situation.
As we make decisions, we will keep you informed.