While the past week has been stressful for the entire VeChain team, it’s also one of the most rewarding experiences for the team. Through dealing with the incident, our team and community became stronger.
Security is always one of VeChain’s top priorities. We would like to re-emphasize that the security of the VeChainThor blockchain and the wallet applications is intact and unaffected. We have worked hard in recent years to assure infrastructural security, and this incident taught us that equal importance must be attached to other elements such as process compliance. Moving forward, we remain committed to providing secure blockchain services to all our stakeholders, including community members, token holders, enterprise partners, and application owners.
Since the incident happened, together with the community, developers and our partners, we have taken the necessary and immediate actions to control the situation and reduce the impact on the community. The good news is that we believe the damage has been successfully contained as of now.
How did we respond to the incident?
On December 13, as soon as we noticed the abnormal transaction from the Foundation buyback wallet, we informed the Steering Committee to launch the incident response protocol and called an urgent meeting with leaders from the various functions. We immediately checked the security of the remaining Foundation wallets, notified major exchanges, and took all necessary actions to reduce the possible impact on the market and protect all stakeholders.
Shortly after the incident, VeChainStats, which is well known across the VeChain community as a dedicated developer of data analysis tools for the ecosystem, offered to create a blacklist to track the stolen funds. It allowed exchanges to take preemptive action and prevent deposits from the blacklisted addresses from directly hitting the market. In addition, the Hacken team, which works with over 2,000 white-hat hackers, helped trace the funds and notified the exchanges in the Crypto Defenders Alliance.
Thanks to the quick responses from OceanEx, Binance, Huobi, Kucoin, Bitrue, Bitfinex, Bittrex, and other exchanges, we were able to prevent the thief from causing an even larger sudden, deliberate negative impact on the market. Nevertheless, the thief escalated over the next few days, for example by creating thousands of new wallets holding small amounts of tokens to wash the stolen funds and by launching DDoS attacks against VeChainStats’ blacklist. This convinced us that more decisive measures were needed to contain the damage and, more importantly, to buy time for the investigation and for collecting community feedback.
Therefore, an urgent internal Steering Committee meeting was called by Steering Committee General Secretary Sunny Lu to discuss possible preventative actions. After careful consideration, the Steering Committee voted and passed a motion to contact all the Authority Masternodes and release an emergency patch, VeChainThor v1.1.5, on December 18th, so that each Authority Masternode could vote on whether or not to implement a temporary block on the addresses controlled by the thief.
This was well received by all of the Authority Masternode holders, and thanks to their quick response, the situation was brought under control within 72 hours of the patch’s release, as more and more Authority Masternodes opted to apply the update. All Authority Masternodes have confirmed that the block list is in place, so it is now almost impossible for the thief to move the stolen funds.
Currently, 469 addresses owned by the thief have been blocked by the Authority Masternodes, freezing about 727 million VET. For the funds that have already been moved to exchanges, we will continue working with the exchanges to retrieve them.
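The two defensive mechanisms described above, a blacklist that follows stolen funds as they are split across new wallets and an admission rule that rejects transfers originating from blocked addresses, can be sketched as follows. This is an added illustration, not VeChainStats’ tool or the VeChainThor v1.1.5 code; the transfer records and addresses are constructed placeholders, and the whole-wallet taint policy and sender-only block rule are assumptions, since the post does not detail the actual rule.

```python
from collections import defaultdict

# Constructed sample transfers (block, sender, recipient, amount in VET);
# the addresses are placeholders, not real VeChainThor addresses.
TRANSFERS = [
    (100, "0xfoundation_buyback", "0xthief_1", 1_000_000),  # initial theft
    (101, "0xthief_1", "0xwash_1", 500),                    # split into small wallets
    (101, "0xthief_1", "0xwash_2", 500),
    (102, "0xwash_1", "0xexchange_deposit", 500),           # attempt to cash out
    (103, "0xalice", "0xbob", 10),                          # unrelated traffic
    (104, "0xalice", "0xwash_2", 20),                       # clean VET into a tainted wallet
]


def build_blocklist(transfers, seeds):
    """Propagate taint from `seeds` through transfers in block order.

    Assumed conservative 'whole-wallet' policy: any address that receives VET
    from a tainted sender becomes tainted, and everything it later sends is
    treated as tainted too. Returns (tainted_addresses, tainted_inflow), where
    tainted_inflow[addr] is the VET that addr received from tainted senders.
    """
    tainted = set(seeds)
    inflow = defaultdict(int)
    # sorted() is stable, so transfers within one block keep their order.
    for _block, sender, recipient, amount in sorted(transfers, key=lambda t: t[0]):
        if sender in tainted:
            tainted.add(recipient)
            inflow[recipient] += amount
    return tainted, dict(inflow)


def should_block(sender, tainted):
    """Assumed admission rule: a transfer originating from a blocked address
    is rejected. Exchanges can apply the same set to incoming deposits."""
    return sender in tainted


if __name__ == "__main__":
    blocked, inflow = build_blocklist(TRANSFERS, {"0xthief_1"})
    for addr in sorted(blocked):
        print(f"{addr:22s} tainted inflow: {inflow.get(addr, 0)} VET")
    print("0xwash_2 may send?", not should_block("0xwash_2", blocked))
    print("0xalice  may send?", not should_block("0xalice", blocked))
```

Note that 0xalice and 0xbob stay unblocked even though 0xalice later sent clean VET into a tainted wallet; the policy only flows taint forward from tainted senders.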
What is going to happen next?
VeChain always aims to iterate toward a profound balance between decentralization, which provides transparency and trust, and execution efficiency.
It’s imperative that the community gets to make the final decision on the fate of the blocked addresses and the stolen funds within them. In accordance with the recently approved VeChain Governance Charter, the Steering Committee is convinced that an All-stakeholders Voting is needed in this kind of extreme case. Therefore we are going to announce an All-stakeholders Voting very soon on whether or not to implement the blocklist introduced in VeChainThor v1.1.5 permanently, turning these 469 tainted addresses into burn addresses and, de facto, making the 727 million VET burnt tokens, forever subtracted from the total and circulating supply. Details will be announced soon.
On the investigation side, we are working with professional cybersecurity firms to conduct cyber-forensic checks on the devices that were potentially compromised to cause this theft. We expect to discover evidence and trails left by the thief that will confirm the exact cause of the incident. We are also collaborating with exchanges to cross-examine evidence; action will be taken by law enforcement if solid evidence surfaces.
Our Internal Management Decisions
While the employee involved has been held accountable for the mistake, the head of the VeChain Foundation Operation Committee, who oversees the finance unit, will take responsibility for this incident, which happened under his charge. Jay Zhang will step down from his role as CFO and be replaced on an interim basis by the current financial controller. Moreover, Jay Zhang will forgo his candidacy for the upcoming Steering Committee election in 2020 and forgo 50% of his compensation for the entire year of 2020.
In addition, Sunny Lu, as CEO, is ultimately responsible for this incident; although he was not the person directly implicated, he will also bear his share of the consequences. As with Jay Zhang, Sunny Lu will forgo 50% of his compensation for the entire year of 2020.
The Foundation team has decided on internal remediation and improvement plans to further strengthen digital asset security management from both technical and procedural perspectives. This private key theft has also put our incident response procedure to a real-life test, and we will take the opportunity to further improve the process.
In summary, this incident will not affect VeChain’s long-term development. We would like to apologize again for the unintended lapses, and to express our sincere gratitude for the help and understanding of all stakeholders.
VeChainStats, a VeChain community project, volunteered to deploy a blacklist to track the stolen digital assets in real time, helping exchanges take preemptive measures to prevent digital assets from blacklisted addresses from flowing directly into the market. At the same time, the Hacken team, working with over 2,000 white-hat hackers, traced the stolen digital assets and notified all member exchanges of the Crypto Defenders Alliance.
Special thanks to OceanEx, Binance, Huobi, Kucoin, Bitrue, Bitfinex, Bittrex and other exchanges for their rapid response in cooperating on this incident, which prevented the stolen digital assets from causing unnecessary shocks to the market. Nevertheless, over the following days the thief carried out a further series of operations, such as frantically creating thousands of small new wallets in an attempt to launder the stolen funds, and launching DDoS attacks on VeChainStats’ blacklist. We therefore decided that stronger measures had to be taken to buy more time for the investigation and for collecting community feedback.
Accordingly, VeChain Foundation General Secretary Sunny Lu convened an emergency meeting of the Steering Committee to discuss further solutions. After careful consideration, the VeChain Foundation Steering Committee voted on a proposal to notify all Authority Masternodes and release VeChainThor v1.1.5. On December 18th, after the committee passed the proposal, the development team released VeChainThor v1.1.5, and every Authority Masternode could choose to complete the upgrade in order to temporarily block the thief’s addresses on the blacklist.