In light of a resolution provided by VeChain, Ben Yorke sat down with Fabian from VeChainStats.com, the community developer who played a key role in controlling damage during the theft.
Note: For those of you not aware, a little over a week ago, funds were stolen from the VeChain Foundation’s private buyback wallet. Fabian, who uses email notifications through the Wallü dApp he created, gets instantly alerted whenever a large transfer goes through. After recognizing something was amiss, he contacted the Foundation and with their approval created a dynamic blacklist which they shared with exchanges to prevent such a large amount of VET from being dumped on the open market. A few days later, the Foundation updated the VeChainThor mainnet to prevent block validators (Authority Masternodes) from processing transactions sent out by the wallets under control of the thief. This was a more permanent solution to simply working with exchanges, but in keeping with the decentralized nature of a public blockchain, a vote was needed to confirm the permanent implementation of the upgrade. All Economic and X-Node holders could vote to “Agree” to a permanent block list, or “Disagree”, freeing up the stolen wallets to operate as normal.
Between December 25th-30st, all node holders will be eligible to vote. For more information on the vote, refer here.
Update: Originally, VeChainStats.com made it possible to monitor the results of the voting. However, a large quantity of “Disagree” votes were sent from ineligible addresses (Only votes from node-holders will be counted). At the time of posting, eligible “Agree” votes were drastically leading eligible “Disagree” votes.
BY: Hey Fabian, busy week?
Fabian: It was a blast of a week, I need a few days to recover from the sleepless nights and marathon around this theft. Anyways, hello Ben, thank you for allowing me to answer some frequently asked questions around the VeChain theft in this interview. As we run into the Christmas holidays I’ll try to keep it short as possible – although that might be really hard :-).
BY: How are you feeling about everything?
Fabian: The VeChain Foundation did an incredible job of tackling this theft. Also, I was more than surprised that my rapidly developed blacklist and tracing system was quickly used and adopted by Exchanges and officially used.
BY: Let’s go for a quick recap of the theft. How much was taken, and how much was recovered?
Fabian: That is a tough question. Basically, we need to divide the funds of the heist into on-chain held funds (that got temporarily frozen) and funds that hit exchanges (got deposited). On-chain wallets can be permanently blocked from transactions – what will most likely be the first governance voting involving the VeChain community.
From the initial stolen 1.164.340.156 VET worth roughly 6.6 million USD (at the moment of the heist), the exact amount of 727.593.289 VET and 47.528.128* VTHO are currently frozen.
From my view, I can not claim nor calculate how much of the deposited funds have likely been seized/confiscated. That information is of course important for further investigations and redemptions are still an open and ongoing process. The community should have faith in the fact that exchanges were doing their very best to prevent illegal activities and usage of the stolen funds.
The CEO of KuCoin also stated on twitter that they actively were working together with VeChain. Kucoin saw the most significant incoming transfers in total amounts.
A funny side story:
There was a honeypot placed in the original buyback wallet that we marked “whitelisted” on purpose. To explain it quickly, the thief tried to re-use the original buyback wallet to avoid the blacklisting and tested first with small amounts (which we did not blacklist), meanwhile the VeChain Foundation developed a script/tool that was able to instantly transfer out received funds (They obviously still had the private keys for that compromised wallet). After the thief tried to transfer in a larger amount of VET, the script was triggered and the stolen VET was sent to a new secure wallet in the very next block (altogether, he moved 13 mln VET worth 70,460 USD into it, that we were able to recover). See: https://vechainstats.com/account/0x530053beb2e61e98770718e6c3e907dd7e7b478e/
BY: That’s a really cool story. Anyways, I see a lot of people asking… Are any innocent wallets at risk? How did you determine which wallets were blacklisted?
Fabian: No! Absolutely not. We perfected the blacklist using on-going simulations I spent during the entire time (endless hours) designed to prevent misconduct of the blacklist. The biggest fight was to train the blacklisting processes and algorithms to prevent this harmful dusting vector from flagging innocent wallets. In the end, we accomplished our goal of only blacklisting accounts related to the thief. In addition, VeChainStats.com was giving the VeChain community live outputs about the status of the wallets. Hundreds of community members were actively monitoring and following how wallets got live tagged (and marked) in the provided account viewer.
To shed some more light into the dark: To be blacklisted several criteria needed to be hit, and additional filters correlating to certain time frames needed to be fulfilled.
The thief tested the deployed blacklisting process many times – he even tried sending transfers (like 50k VET) to the Binance cold wallet directly from a blacklisted account. Those tests failed – meaning no false-positive occurred. The community can check the last transfer to the Binance cold wallet: https://vechainstats.com/account/0xd0d9cd5aa98efcaeee2e065ddb8538fa977bc8eb/
Furthermore, it should be noticed that the official VeChain blocklist of currently 469 wallets are not decided or provisioned solely by VeChainStats. The VeChain Core Team used their own tools to determine polluted wallets and make an official blocklist. I’m certain that they cross-referenced and checked against the published blacklist by VeChainStats.
A rendering of the thousands of accounts created in the theft.
BY: That’s good to know. Were there any interesting statistics from the theft?
Fabian: Hmm.. let’s see. The thief archived a nice run and throughput in creating new wallets and moving (hopping) funds to avoid (unsuccessfully) the blacklisting process. Here’s some data:
VET transfers 2019-12-14
Total VET transfers:
284 related transactions
1.042.231.700 VET moved
VET transfers 2019-12-15
Total VET transfers:
108 related transactions
519.182.001 VET moved
VET transfers 2019-12-16
Total VET transfers:
5 related transactions
6.650.000 VET moved
VET transfers 2019-12-17
Total VET transfers:
10.496 related transactions
198.985.136 VET moved
VET transfers 2019-12-18
Total VET transfers:
9.799 related transactions
450.264.131 VET moved
Total created accounts (by VET transfers):
8.861 wallets
BY: Wow, sounds like he kept himself busy. What fallout do you think will there be? Can hacks be avoided in the future?
Fabian: The VeChain mainnet, official wallets and all related services have always been 100% secure. On the opposite and as sadly it sounds, hacks and thefts are common in the blockchain industry. We can call this almost a stigma that no blockchain (project) can avoid; at a certain point a hack, stolen funds, or some other mishap is bound to happen. I would say this is the problematic downside of decentralization – of course this is a really critical statement.
BY: There were several graphs you showed, is this something we are going to see more of in the future with VeChainStats?
Fabian: Well spotted. There is a bigger upgrade I’m making for VeChainStats to improve the user experience and data analytics possibilities. For a while now, I have been actively in touch with the ZoomCharts team. From my personal view, they offer one of the most professional chart engines to fit my needs. Please do not nail me on a release date for the big update, as I am no fan of “pre-announcements”.
BY: Can you give some insights about the DDoS attacks to VeChainStats?
Fabian: Sure! A surprisingly advanced DDoS attack started on the second day (2019-12-14) against the VeChainStats blacklist. Cloud instances (droplets) of several well-known cloud providers got used for those attacks. The unknown entity that started this DDoS attack was not attacking the main website of vechainstats, rather than “only” targeting the provided live blacklists of vechainstats.com. The DDoS attack stopped after a total of 41mln requests and +140gb unblocked/unfiltered traffic on 2019-12-18.
BY: Anything you want to say to the community?
Fabian: Thank you VeFam! It was an incredibly tough time and we will come out stronger. I wish everyone a beautiful holiday season.
BY: What are you going to do in the future? Do you have any plans to create a business or take your blacklisting system further?
Fabian: On a personal level I am always striving to expand my knowledge and I see with the expected adoption of blockchain applications a requirement for innovative approaches in using data analytics. At this stage, I do not want to disclose too many ideas, but I am driven to create more value and a data-driven business model in the long run.