After 36 hours of hard work and tremendous efforts by various parties, the SIL.FINANCE team is happy to announce that all SIL LP funds, amounting to a total of $12,151,258.16 (at the time of posting), have been recovered and secured in a multi-sig wallet address under the team’s control: 0xca8A05c084B18bdb0c58ca85a39eCEB30Fb5f78e. The funds at this address are the combined result of two rescue efforts.
We have pinpointed the root cause and finished analyzing the impact of the outage. The SIL.FINANCE team will post a detailed post-mortem of the incident soon. For now, please be assured that all funds are safe.
The disruption was caused by a smart contract permission vulnerability, which in turn triggered a generalized frontrunning bot to submit a series of profitable transactions. To get an idea of what frontrunning is, please refer to the primer articles “Ethereum is a Dark Forest” by Dan Robinson and “Flashbots: Frontrunning the MEV Crisis”. With the swift reaction and help from security firms and world-class white hats, we were able to get in contact with the operator of the frontrunning bot, who assisted in returning all the funds to the team’s multi-sig wallet.
The SIL.FINANCE team would like to express our sincere gratitude to the following parties that helped the team in the recovery of the funds. The names are ordered by the time at which the team made contact.
The smart contract vulnerability was introduced by a piece of new code that the SIL.FINANCE dev team pushed after the SlowMist audit. The intention of the update was to reduce the gas cost during deposit and withdrawal. The original contract is named MatchPairNormal and the optimized version, which is currently deployed on Ethereum Mainnet, is named MatchPairNormalV2. While the intention of the team was to help users save on gas, and the updated contracts were reviewed by SlowMist, the SIL.FINANCE team made the mistake of not conducting a full security audit after these changes were made.
To show our dedication to protecting user funds, SlowMist will conduct another round of rigorous auditing. For extra safety, CertiK is also doing a further audit. Currently, we expect the audits to complete in around 1–1.5 weeks, after which we will re-open the SIL mining pool. We will only re-open the mining pool sooner if both audits pass ahead of schedule. In the interim, all funds will remain secured in the team’s multi-sig wallet verifiable at 0xca8A05c084B18bdb0c58ca85a39eCEB30Fb5f78e.
If any user has already withdrawn funds and experienced losses, the team will cover them based on our snapshot of on-chain data. We will make a further announcement on the details. Again, please be assured that all your original funds are safe.
Credits to Tina Zhen and Dominator008 for revising this post.