Your journey in blockchain can feel isolating. Here is an example, and how to learn from it.
Yield, Staking, and Liquidity (YSL.IO) just had one of its whale wallets compromised, which triggered a series of rapid responses from the YSL team and the Whale to try and recover as many tokens as possible. It was a race to save nearly AUD 400,000 in capital.
In events like these, speed, teamwork and access are what make the difference. Our founder has responded to many incidents and handled many events inside the USAF and DOD over 20 years. These are what is needed for immediate response. But the most important aspect is sharing knowledge from everyone involved, so that a complete picture of the event can be presented for everyone to understand. The fear of the unknown is our human weakness, just like Superman’s weakness to kryptonite.
Humans don’t do well with the unknown; that is why darkness, space and deep water have, through the ages, been the scariest things we humans have faced. Traditions passed on through stories turned into the legends and myths that have driven our cultures for generations, designed to protect us. As sight is the primary sense we rely on most heavily in our lives, not being able to see something ratchets up our uneasiness and our fear, uncertainty and doubt (FUD) around it.
Knowing is far better than not knowing. The unknown drives us to discover and has led to many accomplishments throughout time, but it has also led many to inaction, hesitation and capitulation, and these are exactly what you don’t need during an incident.
No one is safe in a bear market. The Binance bridge was exploited, resulting in Binance halting the entire chain to keep as many assets as possible from being sent off-chain. This week, Team.Finance, which provides a service to lock your project’s liquidity, was hacked. They have over $3B in TVL locked, leaving many smaller projects wondering how the pools for their tokens were going to work.
Timeline of Events
On 28 Oct 22, one of YSL.IO’s own whale community supporters had several wallets compromised, totaling over AUD 400K in value.
Detailed timeline of events, compiled after talking with the team:
- The Whale reached out to the founder and notified them that 3 wallet addresses were compromised.
- Coordinating with the team, the Whale moved bYSL out before blacklisting took place.
- The team took immediate action by blacklisting the addresses from interacting with the bYSL token contract. Note: this was bYSL’s largest holder.
- Blacklisted address: https://bscscan.com/tx/0xaeb9d250c2bdfb13a02325cf32c5861792bef2b459d61928694f7f4d9ce1a155
- The team’s dilemma left them with a choice: let the attacker offload 5000+ xYSL (9.1% of overall circulating supply, after adjusting for tokens burned from the initial 80,000 total supply), or take action.
- YSL team decision: sell before the attacker could, with a decent amount of xYSL, and recoup and reuse the BUSD in the V2 project. Note: something that was not possible in V1 during the sYSL minting error.
- This was based on history: in the V1 error, $200K in BUSD was drained from the sYSL liquidity pools and never really got used towards V2.
- Also, this is the 2nd xYSL holder to be hacked in the last few months. That hacker was able to sell, dropping the price from $29 to $26 by causing others to panic. That compromise was only worth a couple of thousand dollars.
- The team decided that the best approach was to offload, given that the Whale had already lost AUD 400k worth of tokens on Ethereum and had over $130k worth of xYSL that could have been immediately sold at the time.
- The Whale was having trouble transferring xYSL out of the wallet it was held in, and still has over 870 locked xYSL (1% of total supply) in the compromised wallet.
- This was another reason the team told the community not to sell: the team was not 100% sure whether they needed to take a snapshot, and they didn’t want the community to panic-sell before the snapshot.
- The Whale did not confirm recovery of the unlocked tokens until after the team had moved to take action and recover as much liquidity as possible by selling part of the unlocked xYSL that they held.
During these events, the team executed quickly, blacklisting wallet addresses, restricting those addresses from interacting with the bYSL token, and pre-emptively removing liquidity from the xYSL-BUSD liquidity pool (LP) before the hacker could sell anything.
Commentary: When faced with losing a large amount of your life’s capital, you have one underlying goal: preservation and restoration of your money.
Cybersecurity & Technical Lessons Learned
Disbelief is the first thought that crosses your mind when hearing that this could happen to a Whale. Am I safe as an average investor?
Let me first say that even the best have lapses in judgement, and those lapses happen when stress is high, time pressures and deadlines are looming, and your physical and mental state are degraded. This would not surprise many of you reading this.
This is exactly what happened to our friendly whale, who had been working non-stop for several days without sleep and, under pressure to finish a tool they were building, broke their own rules by downloading a low-reputation tool from the internet.
Our adversaries are not only targeting us specifically, but are dropping traps all over the internet. In this case, it was a tool needed to finish a task, and its payload was a well-known malicious Trojan, “MSIL/AgentTesla”, a keylogger designed to capture credentials. What we surmise is that this malware is designed to “steal the locally stored passphrase or private key used by crypto wallet apps”, as highlighted in the Top-5 ways malware is being used to steal crypto article.
Once this malware got a foothold, it attacked Windows Defender by adding exclusions and making it freeze up during scans. The virus scanner popped off and the Whale started a scan; however, it was ineffective because the exclusions had already been added.
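Detecting this tampering is the defender’s leverage point: Defender writes Event ID 5007 to its Operational log whenever its configuration changes, including every new exclusion. The Python below is an added example, not code from this article or from the YSL team, that parses constructed lines in the shape of that log, flags exclusion additions and real-time protection being switched off, and scores each by how broadly it blinds the scanner. The timestamps, paths and registry values in the sample lines are constructed for the example.

```python
"""Flag Windows Defender exclusion additions and real-time protection tamper
from Event ID 5007 messages (added example; sample lines are constructed)."""
import re
from dataclasses import dataclass

# Constructed lines shaped like a Defender Operational log export
# ("<timestamp> <event id> <message>"); not data from the incident.
SAMPLE_EVENTS = [
    r"2022-10-28T01:14:09 5007 Microsoft Defender Antivirus Configuration has changed. "
    r"If this is an unexpected event you should review the settings as this may be the result of malware. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\whale\AppData\Local\Temp = 0x0",
    r"2022-10-28T01:14:10 5007 Microsoft Defender Antivirus Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = 0x0",
    r"2022-10-28T01:14:10 5007 Microsoft Defender Antivirus Configuration has changed. "
    r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\powershell.exe = 0x0",
    r"2022-10-28T01:20:31 5007 Microsoft Defender Antivirus Configuration has changed. "
    r"Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0 "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"2022-10-28T02:05:44 1116 Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")
# Exclusions live as registry values under ...\Exclusions\<Paths|Extensions|Processes>\<value> = 0x0
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0\s*$"
)
# Any Disable* flag under Real-Time Protection flipping to 1 turns a shield off
RTP_OFF_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(?P<setting>Disable\w+)\s*=\s*0x1\s*$"
)
# Locations malware can write to without admin rights
USER_WRITABLE = ("\\users\\", "\\temp", "\\downloads", "\\appdata\\", "\\programdata\\")


@dataclass
class Finding:
    timestamp: str
    category: str   # "exclusion" or "realtime"
    detail: str
    risk: str


def exclusion_risk(kind: str, value: str) -> str:
    """Rate how much of the scanner an exclusion switches off."""
    if kind in ("Extensions", "Processes"):
        return "high"        # blanket bypass regardless of file location
    low = value.lower()
    if re.fullmatch(r"[a-z]:\\?", low):
        return "critical"    # an entire drive is excluded
    if any(tok in low for tok in USER_WRITABLE):
        return "high"        # the places a dropped payload usually lands
    return "medium"


def find_protection_tampering(lines):
    """Return a Finding for each 5007 event that adds an exclusion or disables real-time protection."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "5007":
            continue  # only configuration-change events are of interest here
        ts, msg = m.group("ts"), m.group("msg")
        ex = EXCLUSION_RE.search(msg)
        if ex:
            kind, value = ex.group("kind"), ex.group("value")
            findings.append(Finding(ts, "exclusion", f"{kind}\\{value}", exclusion_risk(kind, value)))
            continue
        rtp = RTP_OFF_RE.search(msg)
        if rtp:
            findings.append(Finding(ts, "realtime", rtp.group("setting"), "critical"))
    return findings


if __name__ == "__main__":
    for f in find_protection_tampering(SAMPLE_EVENTS):
        print(f"{f.timestamp} [{f.risk:>8}] {f.category}: {f.detail}")
```

On a live machine the same lines come from the Microsoft-Windows-Windows Defender/Operational log; the point of the scoring is that a single new exclusion on a user-writable path, minutes before a scan starts, is the signal the Whale’s scan could not give them.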
This then allowed the attackers to discover multiple crypto wallets, with different seed phrases, on several different browsers that were unlocked; one was locked and was not compromised. It was through the unlocked wallets that they gained access and started to transfer tokens out. Luckily, our Whale had an alert system that triggered when they started removing tokens. That is when the race started and the war began, as highlighted in our timeline above.
System recovery: Malwarebytes was used to remove the malware, and then the exclusions were removed, allowing Windows Defender to work normally.
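The alert that saved the Whale here is something any holder can build: watch your own addresses for outflows to destinations you never approved. The Python below is an added example, not the Whale’s bot or anything from the YSL team, that runs that logic over a constructed batch of transfer events. It also flags the pattern this article describes later, an unexplained native-token top-up into a watched wallet followed shortly by a token outflow, which is how a drained wallet keeps getting refilled with gas. Every address, amount and block number is constructed, and the token symbols are only labels.

```python
"""Outflow and gas-top-up alerting over token/native transfer events
(added example; every address, amount and block number is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    block: int
    token: str        # "BNB" for the native coin, otherwise a token symbol
    sender: str
    recipient: str
    amount: float


@dataclass(frozen=True)
class Alert:
    block: int
    kind: str         # "gas_topup", "outflow" or "drain_pattern"
    detail: str


# Constructed placeholder addresses: the hot wallets being watched and the
# destinations the owner expects to move funds to (e.g. a hardware wallet).
WATCHED = {"0xWHALE_HOT_1", "0xWHALE_HOT_2"}
TRUSTED = {"0xWHALE_HARDWARE"}

# Constructed event batch; a real feed would come from Transfer logs and
# native transactions touching the watched addresses.
SAMPLE_TRANSFERS = [
    Transfer(100, "xYSL", "0xWHALE_HOT_1", "0xWHALE_HARDWARE", 50.0),  # owner's expected move
    Transfer(205, "BNB", "0xUNKNOWN_A", "0xWHALE_HOT_1", 0.01),         # gas top-up from a stranger
    Transfer(206, "xYSL", "0xWHALE_HOT_1", "0xUNKNOWN_A", 500.0),       # tokens leave right after
    Transfer(230, "bYSL", "0xWHALE_HOT_2", "0xSOME_DEX_ROUTER", 10.0),  # outflow with no prior top-up
    Transfer(300, "BNB", "0xWHALE_HARDWARE", "0xWHALE_HOT_2", 0.05),    # owner funding their own wallet
]


def monitor(transfers, watched, trusted, window=5):
    """Return alerts for outflows from watched wallets to untrusted destinations,
    unexplained native top-ups into them, and top-up-then-drain sequences that
    occur within `window` blocks of each other."""
    known = watched | trusted
    alerts = []
    last_topup = {}   # watched wallet -> block of its most recent unexplained top-up
    for t in sorted(transfers, key=lambda x: x.block):
        # Gas arriving from outside the owner's own set of addresses
        if t.token == "BNB" and t.recipient in watched and t.sender not in known:
            last_topup[t.recipient] = t.block
            alerts.append(Alert(t.block, "gas_topup",
                                f"{t.amount} BNB into {t.recipient} from {t.sender}"))
        # Anything leaving a watched wallet for an address the owner never approved
        if t.sender in watched and t.recipient not in known:
            kind = "outflow"
            if t.sender in last_topup and t.block - last_topup[t.sender] <= window:
                kind = "drain_pattern"   # refill-then-withdraw is the attacker's loop
            alerts.append(Alert(t.block, kind,
                                f"{t.amount} {t.token} {t.sender} -> {t.recipient}"))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_TRANSFERS, WATCHED, TRUSTED):
        print(f"block {a.block} {a.kind}: {a.detail}")
```

The trusted set is what keeps this quiet during normal use: moves to your own hardware wallet or a known DEX router you use are not alerts, so the first unexplained outflow stands out instead of being buried in noise.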
War for the wallet: Our Whale spent the rest of the night writing a gas-stealer bot to instantly sweep away the small amounts of gas the hackers sent in to withdraw more tokens with. The Whale was also able to get in touch with some skilled people who were able to do some fancy tricks (it’s an arms race, and leveraging your connections can be helpful, so start building your network today).
YSL token recovery: xYSL V1 locked tokens are unable to leverage the defenses built into V2, as highlighted here: https://docs.ysl.io/overview-1/audits#2-multiple-security-safeguards. bYSL, however, was able to leverage the YSL.IO security measures described above.
- Backups/Recovery Plan
- Leverage Resources (Technical, People, Teams & Projects)
Buzzword cybersecurity bingo, but the keys are to set up either a hardware wallet or multiple wallets via a service like Gnosis Safe (https://gnosis-safe.io/). Most of us think this is for teams, but you can use a combination of hardware wallets and mobile wallets like TrustWallet, MetaMask, etc., then require at least 2 of them to approve a transaction. To take this further, you can have a dedicated laptop with no access to email, office applications, chat, or file downloads; basically locked down to only whitelisted, approved websites and applications. Use 2FA and a YubiKey, and don’t use SMS, as scammers are targeting cell numbers with SIM swaps.
The next big thing is to have a list of folks you can lean on to ask questions, get help, or discuss options for recovery. There are now several projects releasing applications that might be able to prevent actions like these, but also help you recover if it happens to you.
- System Recovery Team: https://www.salvagedata.com/
- Crypto Recovery Team: https://dps-cybersecurity.com/
- Crypto Recovery Team: https://www.assetreality.com/report-lost-crypto
- Crypto Firewall Option: https://harpie.io/
- Report: report the crime to your local police
- Legal Option: Depending on how it happened https://liticapital.com/scambuster/
YSL Defense Actions
In crypto, this means doing whatever you have to do to restore your assets’ integrity. The individual in question immediately reached out to the founder of YSL.IO to get his wallet addresses blacklisted and to see about options for other defenses to keep control of their funds. The team responded rapidly with the features in V2 to defend the protocol.
Opportunity in YSL Ecosystem
Our community whale leveraged some wizardry of this space and was able to recover not only his unlocked xYSL but, as we understand it, his locked xYSL as well. The bYSL was also saved. We do hope the team honors this whale’s wallet with the airdrop of their wallet’s percentage of the $500,000 xBUSD taking place in phase 3.
The price you see now is a result of the team capturing liquidity from the locked LP of the xYSL-BUSD v1 solution. The team has stated that they will use these funds in support of the xYSL launch on V2, where the price will be locked in at $120. This introduces an amazing arbitrage opportunity for those with capital on the sidelines. From a low price of around $6.65, that would make any investment from those lows an instant 18X at that price. Even below $12, that’s a clean 10X. Some have already purchased unlocked xYSL; to those we say “Great move”.
The YSL community has a very tight advisory committee that communicates with the founder and team nearly daily on project objectives and insights from around the Cryptoverse. This event was a hotly discussed topic and is the reason we wanted to capture the entire community’s attention and those who are observing the YSL ecosystem from a distance.
We believe the best communities are as open and transparent as they can be. Sometimes the founders and teammates cannot share everything or comment on ongoing events, due to relationships with others that they lack permission to share. This is why we have an advisory council at YSL: to get out in front of issues or add an extra voice for the overall community. This is the power of community: we can all lend a hand and offer insight into what is happening, to avoid biases and blind spots.
My intent is to finish and change this article as more information becomes available to me from the YSL.IO team. I am still a huge believer in YSL.IO and what they have developed and their intent to make sure our funds will be secure. Hence why they are waiting on PeckShield to complete its 3rd pass on their 1st-of-its-kind solution. Our journey is wrought with challenges, unknowns, and saboteurs, but I respect and trust that this team will carry out its objectives and even astound us with what is waiting for us beyond what has been disclosed publicly.
Anticipating a great future:
Originally published on 29 Oct 22 through our Medium.