Bitcoin Forum

So like the title says, our project got hacked, we don't even know the attack vector, how the wallets were accessed and the funds drained, we hired a security company and we're waiting on their report and following up with legal action as soon as we have some answers and IP addresses.

For now, I - a non-technical member of the team- have a question, is there a possibility to cancel the tokens he stole without having to migrate to a new contract? He used the tokens to drain our pool on the dex we're using, so it stands to reason that any liquidity we use to repopulate the pool will be drained in a similar manner.

depends on a number of variables. without details of the token/contract one cannot say for sure.

"we don't even know the attack vector"
how well do you know your team?

"How well do you know your team?" That's the big question and probably one of the important aspects of a hacking case. People form teams from different parts of the world with different professions so obviously, you can only know them through their online profiles (thanks to LinkedIn) but you don't actually know the motives of these People and how trusted they are.
My point is, perhaps this is an inside job.

Am not a tech person but I understand that the best way is changing the smart contract address to render the stolen tokens useless or ask the dex for help by stopping trading so they can trace and block that address assuming this only trading in this dex.

Changing the contract address at this stage would probably cost us more than the theft itself did, so we're leaving this nuclear option as a last resort.

Well, I know my team fairly well and can access most of the data I need, what more details would you need to know something like this?
I'm merely asking about the possibility of canceling tokens associated with a certain address.

Im feeling so bad with it. It seems like that hacked may have drained the whole of funds in the wallet, right?
There shall be a vulnerability in the code, this may be right as your wallet can be accessed. This pretty similar thing with what happened with vulcan forged.


No chance for this. That's why as developers and you must also put very important function to your smartcontract to avoid this like frozen or blocking function into your smartcontract. if your smartcontract didn't contain this function and that's impossible to cancel the tokens.

There is none.

How could you expect such things is possible? especially since the attack vectors are unknown and even if it is known, the fund that have been lost has nearly zero chance to get it back. Have you heard if there is any vulnerability of another project that results in the funds can be retrieved back? I don't think so. Why exactly would you think that possible anyway.

Damnit this incident is very common nowadays, and this is bad the negative side of Defi hype is full of exploits coming from different angles. Anyway, I think this is a technical question that's why it's better to ask this problem to someone who has that technical expertise about smart contract functions, But I believe some of the technical people are here on this forum so just wait for other users reply.   

Yes my friend, this is why I asked here, I thought this is the best place to get an informed answer.

If there is a line in the smart contract that allows you to freeze funds, you will be able to do it even if the funds are in wallets. Otherwise, you will need to completely change the smart contract.

Generally, finding a vulnerability in a smart contract is not an easy so either your technical team has low technical knowledge or there is a possibility of an internal hack, in any case you need to study how the hack occurred to ensure that it does not happen again.

The contract was audited by a reputable company, so slim chance it has any vulnerabilities, more likely an end device was hacked, but we're still trying to determine that, also, my team doesn't have low technical knowledge, I'm just conducting my own investigation to present some solutions during our meeting.

suggest you share the contract if you want more informed opinions

I would be breaking my confidentiality agreement if I did so, I can't do that until the whole thing is public.

Code audits are helpful but they are by no means definitive proof of anything. More than a few projects that were audited by established and respected teams have gone on to have exploits discovered upon release.

The most recent publicised one I can think of was critical exploit in MinSwap's smart contract(s) discovered by Wingriders (a competitor swap/dex on the Cardano network) once they went open source.