This is a referendumV2 whose proposer address (14jLVudzMk7udKvBUdFwPpgQnFKPpE4GxAYRJpEpokBgdmKq) is shown in on-chain info below. Only this user can edit this description and the title. If you own this account, login and tell us more about your proposal.
Following a significant hacking incident compromising Starlay Finance https://twitter.com/starlay_fi/status/1755605617421795560, we are urgently seeking support from the Polkadot community.
The gravity of this situation and its potential repercussions on our users and the broader ecosystem necessitate your immediate support. We aim to explore viable measures to transfer all the DOT from the hacker's account to Starlay's account.
The hack compromised all DOT and LDOT deposits within the Starlay protocol, with significant activities traced to the account 0xe6F6D3cd38e9BF1e118C8Fd1528D303d261BA4F7. The exploitation centered around the Starlay interest-bearing USDC (lUSDC) address, which can be reviewed here.
The exploit was a result of anomalies within the USDC pool's liquidity index calculation, enabling the attacker to withdraw significantly more than their initial deposit after borrowing LDOT. This incident underscores a critical oversight in the pool's maintenance, particularly the failure to update the liquidity index due to prolonged inactivity.
The USDC pool remained devoid of funds for an extended period, approximately 20 to 25 days. This inactivity led to significant timestamp changes, resulting in an abnormally large newLiquidityIndex. The lToken (representative of a user’s share in the pool) balance calculation, which relies on the normalizedIncome derived from the liquidityIndex, became distorted. Consequently, an attacker capitalized on this miscalculation by depositing into the pool, which triggered an unexpected increase in the liquidityIndex to 1,350,009,778 * 10^27. This inflated the attacker’s lToken balance well beyond their actual deposit. The formula used was: balanceOfLToken = rayMul(realDeposit, liquidityIndex) = (realDeposit * liquidityIndex + 0.5 * 10^27) / 10^27. With a real deposit of 20,000,000 (with 6 decimals), the balanceOfLToken escalated to 27,000,195,560,000,000,000. This discrepancy allowed the attacker to withdraw USDC funds after borrowing LDOT (or DOT), despite the initial deposit being significantly lower.
At the launch of the Starlay protocol, three tokens were slated for listing: DOT, LDOT, and USDC. While DOT and LDOT were integrated through the Euphrates initiative, the USDC pool did not receive the necessary attention and remained unfunded. This neglect resulted in the liquidityIndex not being updated for an extended duration, setting the stage for the exploit.
We welcome any assistance, advice, or support you can offer. Together, we can overcome this adversity and strengthen our ecosystem against future threats.Thank you for your attention and solidarity.
SubSquare has posted a request for support from the Polkadot community after a hacking incident compromised Starlay Finance. They aim to transfer all the DOT from the hacker's account to Starlay's account, as approximately 200k DOT is at risk. The hack compromised all DOT and LDOT deposits within the Starlay protocol, with significant activities traced to the account 0xe6F6D3cd38e9BF1e118C8Fd1528D303d261BA4F7. The exploit was a result of anomalies within the USDC pool's liquidity index calculation, enabling the attacker to withdraw significantly more than their initial deposit after borrowing LDOT. The USDC pool remained devoid of funds for an extended period, approximately 20 to 25 days, which led to significant timestamp changes, resulting in an abnormally large newLiquidityIndex. This inactivity led to a critical oversight in the pool's maintenance, particularly the failure to update the liquidity index due to prolonged inactivity.
Threshold
Pff, this referendum is a due diligence nightmare!
Dear @14jL...dmKq ,
Could you help us first by clarifying who are you (on-chain ID preferred) and explaining each of the transfers in the forced batch call?
Please understand that without verifiable information, we cannot be sure you even are blue team!
voting Nay for security reasons until more info is available.