Rugged.

Ether Kai Issue 12

Got rugged. If anyone has any idea on how I can potentially recover my funds or reprimand the hacker, please get in touch with me via Twitter DM or at kai.btc21m@gmail.com

I lost 75,793 USDT to a smart contract exploit on Solfire, a Solana project that rugged.

When I deposited 1,000 USDT on Solfire on 14 Jan 2022 to earn yield, the transaction contained 3 approve instructions that allowed the hacker to extract unlimited amount of USDC, USDT or RAY from my wallet at any point, by delegating authority to the hacker’s wallet. I overlooked this.

By late Jan 2022, the community had began suspecting that Solfire is a rug, and Solfire froze withdrawal and deleted their socials soon after. I was able to withdrew my 1,000 USDT deposit on 20 Jan 2022 and thought that was the end of that.

Jason Choi @mrjasonchoi

.@Solfirefinance directly copying @ribbonfinance and @Katana_HQ docs and you trust them with your money Good luck I guess

n◎job capital @nojob_capital

"can I copy your homework?" "yeah just change it up a bit so it doesn't look obvious you copied" "ok" cc @ribbonfinance @Solfirefinance https://t.co/mWkBodo3bs

4:47 AM ∙ Jan 19, 2022

---

On 21 Feb 2022, I swapped 75,695 UST to 75,793 USDT via Jupiter. Less than a minute after this transaction, my entire USDT balance was drained. Because I gave the hacker the authority to withdraw USDT a month ago..

Here are the transactions:

1 Depositing 1,000 USDC and approving unlimited USDC/USDT/RAY spend

2 Swapping 76k UST to 76k USDT via Jupiter Aggregator / Crema

3 Hacker drains my 76k USDT

4 This is the wallet that contains my stolen funds, along with $157k worth of renBTC and 91k USDC (presumably from other people who got rugged).

My takeaway from this exploit is to always use a burner wallet when interacting with new protocols. I have been doing this for NFT mints but didn’t think to adopt best practice for new defi projects.

For Solana users, Phantom wallet allows users to revoke permission under “Trusted Apps” in settings. Solflare also has a token delegation check in its wallet (see below). And this website allows you to check how much spending you have approved on what tokens, and the ability to revoke them.

Solflare @solflare_wallet

⚡ IMPORTANT ⚡ If you had connected your wallet to a malicious dApp (dApp slipped a delegation instruction inside, allowing anyone to extract funds at any point) - your funds may be at RISK. Urgently visit Solflare Web (solflare.com)  to remove any token delegation.

6:03 PM ∙ Feb 21, 2022

---

I would like to thank Siong from Jupiter Aggregator for helping me identify the exploit and ELI5 all of the stupid things I did.

Costly lesson, but onwards and upwards.

Thank you

@cobie @Pentosh1 @CryptoHayes @zhusu @hasufl @Arthur_0x @pythianism @KyleSamani @mrjasonchoi @woonomic @jdorman81 @Rewkang @LynAldenContact @RaoulGMI @DegenSpartan @100trillionUSD @RyanSAdams @twobitidiot @richwgalvin @finematics @santiagoroel @nic_carter @grapeprotocol @SolanaGrapevine @panicselling @EPBResearch @SBF_FTX @aeyakovenko

About Kai: Bought the 2017 top, fell down the crypto rabbit hole in 2020, full-time Magical Internet Money HODLer & Power User since. Prior: a decade in TradFi (renewables/investment banking/capital markets). 

Disclaimer: This memo is presented for informational and entertainment purposes only and does not constitute financial advice. Individuals have unique circumstances, goals and risk tolerances, so please do your own research before making investment decisions.