The Lepricon LPR Exploit — What Happened and What Are We Doing About It.
On Friday afternoon at about 4:30pm Hong Kong time (8:30am UTC), an unknown entity found a way to authorize a multi-call transaction. This transaction pulled the liquidity from our LPR token pool and then transferred those tokens, plus the entirety of the LPR treasury, to a third-party wallet. Our investor funds from the pre-sale are kept in a different safe, so they were not affected.
Here are the facts that we know at this time after investigating this weekend:
The contracts
- After minting, we transferred the LPR token to a Gnosis safe especially set up to be the new Lepricon LPR treasury — 0x4B64F382aa063C07F1C55Cf53c66ccE3b6fD0bb0
- We set this safe up to require approval from three of five named individuals at Lepricon for any transaction.
- We deployed the Liquidity for PancakeSwap from this wallet on September 21, 2002.
The Exploit
- Starting around 4:30pm on Friday, 4 November, this wallet — 0x95332e0f193c8e43eea979de9e132a94b32a4bb1 — called this contract — 0xCd62dDE0e5aCbc1D596b1C1699c8b2A5f1327693 — using a function in the contract called multi-call((address,bytes),[]).
- This call caused the contract to execute a series of transactions:
  - Withdraw our treasury tokens
  - Approve the PancakeSwap contract and withdraw all of our liquidity
  - Transfer that liquidity to the attacking wallet
- The transaction for this multi-call is 0x085beaf22438287312d56620973b9c00a82b99a44a6cf1f00ef6c88ab3656464
When we contacted Gnosis Safe, they said someone had interacted directly with our token smart contract, which suggests that an exploit was found in it. Since then, we have engaged several high-profile blockchain engineers who question this explanation, because the attacker also unlocked the liquidity pool, which we had tied to the Gnosis safe.
However, not one of the five wallets that can approve the safe has had a recorded approval event in the past 50 days since the establishment of liquidity.
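The two checks described above, whether the treasury balance left the Safe without the Safe executing anything in that transaction and whether any owner recorded an approval, can be run over decoded event logs. The script below is an added example, not Lepricon's or Gnosis Safe's code; the Safe address is the one in the post, while the owner addresses, token and pair addresses and all event records are constructed sample data in the shape an indexer returns.

```python
# Treasury Safe address is taken from the post; everything else here is constructed.
TREASURY_SAFE = "0x4B64F382aa063C07F1C55Cf53c66ccE3b6fD0bb0"
SAFE_OWNERS = {f"0xowner{i}" for i in range(1, 6)}  # placeholder owner addresses

# Constructed decoded events. A Gnosis Safe emits ExecutionSuccess from its own address
# whenever execTransaction succeeds, and ApproveHash only when an owner approves on-chain
# (owners signing off-chain show up as ExecutionSuccess alone, with no ApproveHash).
SAMPLE_EVENTS = [
    # Legitimate liquidity deployment: an owner approved, the Safe executed, tokens moved.
    {"tx": "0xaaa", "emitter": TREASURY_SAFE, "event": "ApproveHash", "args": {"owner": "0xowner1"}},
    {"tx": "0xaaa", "emitter": TREASURY_SAFE, "event": "ExecutionSuccess", "args": {}},
    {"tx": "0xaaa", "emitter": "0xLPRtoken", "event": "Transfer",
     "args": {"from": TREASURY_SAFE, "to": "0xPancakePair", "value": 1_000_000}},
    # Suspicious: treasury tokens and LP tokens leave the Safe, yet the Safe executed nothing.
    {"tx": "0xbbb", "emitter": "0xLPRtoken", "event": "Transfer",
     "args": {"from": TREASURY_SAFE, "to": "0xAttacker", "value": 9_000_000}},
    {"tx": "0xbbb", "emitter": "0xPancakePair", "event": "Transfer",
     "args": {"from": TREASURY_SAFE, "to": "0xPancakePair", "value": 500}},
]


def txs_with_safe_execution(events, safe):
    """Transactions in which the Safe itself emitted ExecutionSuccess (owners signed)."""
    return {e["tx"] for e in events
            if e["emitter"] == safe and e["event"] == "ExecutionSuccess"}


def unauthorized_outflows(events, safe):
    """Transfers out of the Safe in a tx where the Safe executed no transaction.

    A hit means the balance moved without the multisig acting in that tx: either a
    spender approved in an earlier Safe transaction used transferFrom, or the token
    contract itself moved the balance. Either way it deserves investigation."""
    executed = txs_with_safe_execution(events, safe)
    return [e for e in events
            if e["event"] == "Transfer"
            and e["args"]["from"] == safe
            and e["tx"] not in executed]


def approving_owners(events, safe, owners):
    """Owners with a recorded on-chain ApproveHash in the window (the post reports none)."""
    return {e["args"]["owner"] for e in events
            if e["emitter"] == safe and e["event"] == "ApproveHash"
            and e["args"]["owner"] in owners}
```

Run against real data, the event list would come from the Safe's and token's logs between the liquidity deployment and the multi-call transaction.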
The smart contract that attacked us was deployed about four months before we even announced the replacement token. This timing leads us to believe that we were not personally targeted but that the attacker was prepared for a specific exploit. At this point, we are still determining what the exploit was.
In the meantime, all staking and activities that use LPR (such as the Gachapon game) have been suspended.
Summary: either our smart contract was exploited or our Gnosis safe was compromised. At the time of writing, a team is examining the bytecode, which should give us a definitive answer.
Practical Steps Ahead
There is no hiding the fact that this severely wounds Lepricon. However, we fully intend to restore the token and continue. But this will take time.
We need to understand how this was possible and will continue to engage expertise until we can get a definitive answer. And we also need to decide whether the Lepricon name, which has had mixed fortunes, is the right way forward. We had big plans for the token in the long run. A partner company is building a mobile game platform that will use the token as the reward and retention mechanism, for example.
We will restore the token and reestablish the liquidity pool to the pre-hack value as soon as we are sure this cannot happen again. We aim to do this before the end of the year.