UPVU's Exploit Technical Post-Mortem Report

TLDR

• Things aren't quite over yet, but EVERYTHING IS OK. (Your precious STEEM and SP are completely SAFU!)
• All On-chain records are also attached to make it transparent to everyone.
• Today(On Dec 7 2022), there was a malicious attempt to hack into UPVU by hackers supposed to be Hive witnesses or users.
• The hacking attack was launched by precisely targeting the time zone when we are asleep (around 5:00 am KST).
• Looking at the hacker's transactions or the record of bypassing STEEM coins to an anonymous DEX, the hacker is an expert with a very high understanding of the Steem blockchain system.
• The service was temporarily suspended due to the update of @upvu account information, but now EVERYTHING HAS BEEN RESOLVED and the service is operating normally.
• Although team-owned assets and part of the fund for user reward distribution were stolen due to hacking, they can be covered by the personal assets of UPVU team members, and USERS'S ASSETS ARE NOT AFFECTED.
• We ask for your understanding of the delay in the distribution of today's Liquid STEEM curation rewards. THE SAFETY OF OUR USERS' ASSETS IS OUR TOP PRIORITY. Therefore, we quickly covered the hacked user distribution assets with team members' personal funds.
• Today's reward distribution has just been completed, and from tomorrow it will be distributed as usual.

Sequence of Events

Today(On Dec 7 2022), a series of unauthorized transactions occurred on our main account @upvu. A precise hacking attack was started that precisely targeted the time zone when we sleep (around 5:00 am Korean time).

After hacking the @upvu account, the hacker changed the private key and recovery account, initiated a powerdown, and sent 168,889 STEEM worth approximately $29,640 to an account named @securityfund. This account is a newly created account just before the hacking attack begins.

Hackers, presumed to be Hive witnesses or well-informed users, even deleted our recovery accounts shortly after updating our account information. (Changing the recovery account, even setting it to @null, is possible only for users who have a good understanding of the Steem account system)

As soon as we became aware of the hacking incident, we started responding to recovery. After quickly recovering the @upvu account through the recovery account (@happyberrysboy) set up in advance, the private key was changed through account update, and the current voting service of UPVU and the SP you delegated are NOT AFFECTED in any way.

Due to the high security design structure of the Steem blockchain, even if the account is hacked, the delegated SP is completely safe without any impact.

Protocol Impact

UPVU has completed all recovery tasks and THERE IS NO PROBLEM NOW. The power-down initiated by the hacker has been stopped, and the upvoting is proceeding normally.

However, some of the liquid assets were stolen and the details are as follows.

Total Assets Stolen : 168,889 STEEM (=$29,640)

• Assets belonging to UPVU team : 50,000 STEEM
• Assets to be distributed to users : 118,889 STEEM

We have always kept the liquid quantity to a minimum to minimize risk, but the liquid quantity was exceptionally large to respond to the demand for UPVU token conversion due to the recent Steem Engine hacking issue.

THE SAFETY OF OUR USERS' ASSETS IS OUR TOP PRIORITY.

Therefore, without hesitation, WE IMMEDIATELY COVERED ALL THE HACKED DISTRIBUTION ASSETS WITH THE PERSONAL FUNDS OF THE TEAM MEMBERS.

• You can check recovery fund related transactions here.

Hacker's transaction to liquidation of stolen assets

Hacker is monetizing stolen assets through several channels. Currently, we are working closely with the security teams of Binance, Simpleswap, and StealthEX, and the hacker's Binance account has now been frozen.

We have also referred the police to investigate the incident and will do our best to catch the hacker.

(1) Direct Deposit (24,800 STEEM x 2 times)

(a) Direct deposit to Binance (@deepcrypto8 /memo: 101546624)

• TxID : https://steemscan.com/transaction/4311f0d877e28e31b99a1a73e330de8980a0d7e3

(b) Direct deposit to Binance (@deepcrypto8 / memo: 101546624)

• TxID : https://steemscan.com/transaction/b4fcce5d46933fa56cc0fc6a371a0f1d76d8d261

(2) Indirect Deposit via Simpleswap - 50,000 STEEM
(a) from @securityfund to @swap2020 (this account is deposit address of Simpleswap)

• TxID : https://steemscan.com/transaction/1a1a9406b915c4585bbd474823eb1ee879419ec1

(b) from @swap2020 to @deepcrypto8 (memo : 107104617)

• TxID : https://steemscan.com/transaction/9bd7eb239052aa3f78b07e4643c1dfaa99b0c472

(3) Indirect deposit via StealthEX - 69,289 STEEM

(a) from @securityfund to @exchangeme (this account us deposit address of StealthEX)

• TxID : https://steemscan.com/transaction/e2d847ff76b2f61d7ac02a77ff53d76a37748e25

(b) from @exchangeme to @deepcrypto8 (memo : 100160970)

• TxID : https://steemscan.com/transaction/5141a644890a91657b4f378afa3ba9c00ba70491

Why we assume Hive is behind the hacker

(1) High Understanding of System Design

• Common hackers only target the theft of liquid assets, but this hacker created transactions that cannot be done without a high understanding of Steem's system design, such as setting the recovery account to @null to make recovery impossible.

(2) Using an anonymous DEX frequently used on Hive

_{<Image source : https://peakd.com/wallet/exchanges>}

• Hacker is using anonymous DEXs such as Simpleswap and StealthEX, primarily used by Hive users to monetize stolen assets, making tracking difficult.

Post Incident Plan

• Since the fork of Steem and Hive, Hive witnesses and users have continued to launch attacks with the malicious goal of destroying the Steem ecosystem.

• They have dominated Steem since its genesis, knowing all too well how the system was designed and what the vulnerabilities were in the design, and there are still remnants of tools and apps created by Hive Witnesses (ex Steem Witnesses) and developers. .

• In order to maintain a stronger security level for the UPVU service, we will manage accounts for distribution and reserve separately, and we will apply the multi-sig function to accounts for reserve. (Multisig function is already under development internally, but it is expected to take more time)

• From now on, liquid STEEM curation rewards will be distributed from @upvu.bank account.

Letters to the Steem community

The cause of the hacking is currently unknown, but we will continue to track the cause, and we strongly recommend that all users change their account passwords periodically, even if they are inconvenient.

We are involved with Hive witnesses or developers, but we are still analyzing the source of all tools and apps available on Steem, and we will share it with the community as soon as the cause is revealed.

We sincerely apologize for any inconvenience caused to members of the Steem community. As always, we will do our best to provide safe and stable services on the Steem blockchain, and we will quickly respond to Hive's continuous malicious behavior and win.

UPVU Team

---