$YAKS was HACKED: An Important Security Update

On September 13, 2024, YakDAO experienced an unfortunate and serious security breach. The $YAKS/wstETH liquidity pool, which was a critical part of our operations on Base, was withdrawn in an exploit that resulted in the loss of 14.873 wstETH, valued at over $42,000. This hack has had a significant impact on our liquidity and the $YAKS token ecosystem.

How Did This Happen?

As $YAKS was utilizing Axelar to facilitate the token bridge, the liquidity pool was placed on Aerodrome. The breach appears to have been the result of a “man in the middle” attack on the shared private key transfer between two key team members. While the key was encrypted, a third-party encryption service was used instead of direct PGP encryption. This vulnerability allowed a malicious actor to intercept the key and exploit our liquidity manager contract.

The transactions that triggered the withdrawal of the liquidity were traced on Basescan, revealing the following critical timeline:

  • 2 hours and 50 minutes before discovery: The liquidity pool was drained.
  • $42,332.67 worth of wstETH was transferred to the attacker’s wallet.

Forensic wallet analysis has been underway, but unfortunately, recovering the stolen funds in situations like this is extremely difficult, if not impossible.

The Root Cause

Upon investigation, it was determined that the sharing of private keys between team members over an encrypted middleware service was the critical point of failure. The encryption of the message was not sufficient to protect against the sophisticated attack that intercepted and exploited the private key. We believe the attacker accessed the message or the encrypted link, leading directly to the theft of our liquidity.

The security failure was not due to a vulnerability on the individual devices managing the liquidity. This has been confirmed through local device reviews, which show no unauthorized transactions initiated from the responsible parties.

Next Steps

We recognize the severity of this event and are actively working to mitigate its impact on the YakDAO ecosystem. Here are the steps being taken:

  1. Focused on opening property #1 in October. The core team will need to ensure the property buildout is completed to start taking in booking revenues.
  2. Full Forensic Investigation: Our team is continuing to track the flow of the stolen funds. While recovery seems unlikely, we are exploring all options.
  3. Improved Security Protocols: Going forward, all key management and critical transaction processes will be revamped. We will be implementing more secure, decentralized, and direct encryption methods such as PGP for any key sharing and critical access points.
  4. Rebuilding Liquidity: While the current liquidity is lost, we are working on strategies to replenish the liquidity pool. This is our top priority to ensure the integrity of $YAKS and the protection of the community.
  5. Community Update: Transparency is essential, and we will be providing regular updates to our community as we navigate through this challenge.
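
Direct PGP encryption, as named in step 3, only removes the intermediary if the sender also confirms whose key they are encrypting to. The helper below is an added example, not YakDAO's own tooling: it encrypts a file to a public key only when that key matches a fingerprint obtained out of band. The function names, file names and exit codes are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not YakDAO's code): encrypt a secret directly to a teammate's
# PGP key, but only if that key matches a fingerprint confirmed out of band.

# Normalise a fingerprint for comparison: strip whitespace, uppercase hex.
norm_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# encrypt_to_verified PUBKEY_FILE EXPECTED_FPR PLAINTEXT_FILE OUTPUT_FILE
# Returns 0 on success, 2 if the key cannot be verified, 1 if encryption fails.
encrypt_to_verified() {
    ev_pub=$1; ev_want=$(norm_fpr "$2"); ev_in=$3; ev_out=$4
    # Throwaway keyring: the only possible recipient is the key under test.
    ev_home=$(mktemp -d) || return 1
    gpg --homedir "$ev_home" --batch --quiet --import "$ev_pub" >/dev/null 2>&1 || true
    # The first "fpr" record is the primary key's fingerprint (field 10).
    ev_got=$(gpg --homedir "$ev_home" --batch --with-colons --fingerprint 2>/dev/null |
             awk -F: '$1 == "fpr" { print $10; exit }')
    if [ -n "$ev_got" ] && [ "$ev_got" = "$ev_want" ]; then
        # Trust comes from the fingerprint pin above, not from the web of trust.
        if gpg --homedir "$ev_home" --batch --yes --trust-model always \
               --recipient "$ev_got" --armor --output "$ev_out" --encrypt "$ev_in"; then
            ev_rc=0
        else
            ev_rc=1
        fi
    else
        echo "refusing: key does not match the verified fingerprint" >&2
        ev_rc=2
    fi
    rm -rf "$ev_home"
    return "$ev_rc"
}

# Usage (all values are placeholders):
#   encrypt_to_verified teammate.asc "<FINGERPRINT CONFIRMED ON A CALL>" secret.txt secret.asc
```

The resulting `secret.asc` can travel over any channel, because only the holder of the matching private key can decrypt it.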

FAQ

Claiming Your $YAKS Tokens via IronVest

Please follow the instructions below to complete the process using IronVest’s staking software. 

1. How do I claim my $YAKS tokens?

To claim your tokens, you will need to use IronVest’s staking software. Here’s how you can do it:

  1. Visit the token claim site: claim.yak.camp
  2. Connect the wallet that held $YAKS tokens prior to the security breach.
  3. Follow the instructions provided on the site to claim your tokens.

2. How long do I have to claim my tokens?

We will alert the community as to when final snapshots will be placed. Until then, we have issued snapshots, and will assume those locked in specific NFTs would have reached full maturity.

4. What if I encounter issues while claiming my tokens?

If you experience any issues while trying to claim your tokens, please reach out to our support team through our support form. We are here to assist you and ensure a smooth claiming process.

5. Can I claim tokens from multiple wallets?

Yes, you can claim tokens from all wallets that held $YAKS tokens before the breach, provided each wallet is eligible based on the snapshot data. Be sure to repeat the claim process for every eligible wallet.

6. Does it matter if my tokens were on ARB or Base? 

It does not matter, as long as the tokens were under the official BASE or Arbitrum CAs. As blockchain data is immutable and transparent, all official holders are documented on block explorers and can be retrieved.