TrustPad Attack Post-Mortem

TrustPad.io
4 min readNov 8, 2023

Dear TrustPad Community,

As most of you know by now, there was an exploit to one of TrustPad’s staking contracts.

First of all, we would like to thank our great community and partners for their unwavering support while we investigated the attack that happened on Monday, Nov 6th.

Summary of Events

On Nov 6th, 2023, a malicious actor deployed a contract and began to attack one of our staking contracts, more precisely the 1095 days IDO staking pool contract.

Timeline of Events on Nov 6th, 2023

15:02 UTC— The attacker deploys a malicious smart contract.

16:33 UTC — By using the malicious contract, the attacker repeatedly manipulated the staking contract by using different methods to in the end withdraw millions of $TPAD tokens from the 1095 days staking contract.

16:34:23 UTC — The attacker starts mass-selling $TPAD tokens on PancakeSwap.

16:40–16:44 UTC — The TrustPad team notices unusual transactions as the attacker sells large amounts of TPAD on PancakeSwap.

16:45 UTC — TrustPad team deploys a warning on TrustPad.io to not trade $TPAD.

16:49 UTC — Team representatives and early TrustPad community members responded by immediately announcing in TrustPad’s Telegram Group, to not trade $TPAD (https://t.me/TrustPad/468104)

17:08 UTC — The team makes a specific announcement to not trade $TPAD, in the TrustPad Telegram Announcement channel: (https://t.me/TrustPadAnn/3007)

The team then immediately removed the LP and also made sure the other staking contracts couldn’t be exploited.

Technical Analysis of the Attack

After throughout investigations by the TrustPad dev team and several independent blockchain security experts; this is how the attack on the staking contract happened:

Root cause: The receiveUpPool function did not verify msg.sender, allowing the attacker to manipulate newlockstartTime.

The attacker repeatedly called receiveUpPool() and withdraw() to collect rewards, then called stakePendingRewards to convert the rewards into staking amounts.

Finally, the attacker withdrew the rewards via withdraw().

Exploiter address: https://bscscan.com/address/0x1694d7fabf3b28f11d65deeb9f60810daa26909a

In total, around $155k was lost in the exploit in the form of $TPAD token liquidity.

However, all user wallets and funds are SAFU. The exploit was solely isolated to that specific staking contract and did not affect user wallets or funds.

We were fortunate that rapid action by the team minimized the damage greatly. Ultimately, this hack was pretty sophisticated in the way it happened. TrustPad takes full responsibility for this and have resolved the security vulnerabilities to make sure these kind of attacks will not happen again.

Snapshot

It is a delicate and complex process to decide what is the fairest way to deal with the users that traded $TPAD after the exploit. Multiple factors will be combined and the final compensation model should be fair to those who did not sell anything, refrained from buying due to the exploit or engaged in buying the dip. We will also take note of the fact that we strictly announced very early on to not trade $TPAD. The team is working to resolve the situation in the most fair and effective way.

The exact snapshot details will be revealed in the next few days.

What’s next for TrustPad — TPAD 2.0

We will launch a new token — $TPAD 2.0. The process of the migration to TPAD 2.0 will now be an even simpler process than we had set before the exploit — it will also happen much sooner than expected.

We would like to reiterate that our team is fully dedicated to the long-term success of TrustPad, and we are sure we’ll come back stronger than ever.

An announcement for the next steps for TPAD 2.0 will be announced within 24 hours. TGE and listing for TPAD 2.0 is planned to happen in the next few days.

Stay tuned.

Conclusion

To our users and our community, we sincerely apologize. You all expect us to deliver at a high level of standards that we have set from day one, and we will do everything to continue delivering at those standards.

We will be working with tier-1 auditors to strengthen our security all around for TPAD 2.0 — by creating sure-fire, multiple-times audited staking pools and delivering other industry-leading practices in protecting our users, to avoid this to ever happen again.

We can not wait to get one step closer to TrustPad 2.0. As mentioned above, the process of the migration to TPAD 2.0 will now be an even simpler process than we had set before the exploit — it will also happen much sooner than expected.

An announcement for the next steps for TPAD 2.0 will be announced within 24 hours. TGE and listing for TPAD 2.0 is planned to happen in the next few days.

One thing is sure; we will come back even stronger from this.

Thank you everyone for your love and support.

Lastly, please reach out to us on Telegram if you have more questions or concerns.

About TrustPad

TrustPad has been founded to aid the growth of the blockchain ecosystem in a safe and sustainable way. TrustPad is proudly partnered with AU21 Capital, Momentum 6, GD10 Ventures, BlockSync Ventures, X21 Digital, Wealth Union, Twin Apex Capital, 4SV, Tokenova Capital, eXnetwork Capital and many more.

TrustPad is different from other launchpads. A ‘quality over quantity’ approach ensures that projects launched through TrustPad have real long-term value. This will provide the TrustPad community with sustainable development, attracting a larger community for both $TPAD and the projects launched on the platform.

Join the TrustPad Community now!

Website | Telegram| Announcement | Twitter | Medium

--

--