1) What happened on March 5th, 2021?
On Friday, March 5, at 20:00 UTC+2, an attacker holding a compromised PAID Network deployer private key used it to mint over 59 million PAID tokens from the token contract and then sold 2,501,203 PAID tokens for 2,040.4339 ETH on Uniswap, before the PAID team stopped further selling by pulling liquidity from Uniswap. A post-mortem on the attack can be found here for review.
2) Was your smart contract hacked? Was the PAID DAPP or Ignition platform affected?
No, the smart contract code remains secure, as attested by Certik in their Updated Post-Mortem Report. Contract functionality worked as designed. The attacker exploited an old compromised private key to access the smart contract, not a vulnerability in the smart contract itself.
Neither the PAID dApp nor PAID Ignition platform were affected in any way. The Ignition platform swap contracts are created for each project and have nothing to do with the PAID token other than checking the balance of this token.
3) How do upgradeable contracts work, how does owning a private key give access to minting functions, and how did this lead to the hack?
Upgradeable contracts let a team improve a smart contract over time without requiring users to switch to a new contract address with every update. Such a contract is owned by an address, and that owner address has the power to replace the contract's code. Whoever holds the private key to an address effectively controls that address, and therefore everything the address is allowed to do.
When the private key in question was compromised, the attacker gained the owner's access to the upgradeable contract and used the upgrade functionality to install new minting functions in the PAID v1 token contract. Because the PAID total token supply is hard coded, the attacker could not mint above that cap: at most 59,471,745.571 PAID tokens could be minted, which is why the attacker first had to burn 59,471,745.571 PAID tokens to free that headroom under the cap.
They then executed the mint, sent the tokens to an address they controlled, and proceeded to sell the minted PAID tokens on Uniswap.
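The following Solidity is an added illustration of the mechanics described above; it is not PAID Network's or Certik's code, and the contract names, the CAP value and the `initialize`/`mint`/`burn` functions are assumptions made for the example. It shows a capped token behind a minimal proxy: the proxy admin can swap the implementation (the upgrade path the attacker used), the new implementation can add an owner-only `mint`, and that `mint` still cannot exceed the hard-coded cap, so when the full supply already exists the only way to mint is to burn an equal amount first. The two storage slot constants are the standard EIP-1967 implementation and admin slots.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not PAID Network's code. Contract names, the CAP value and
// the function set are illustrative; the slot constants are EIP-1967's.

// Implementation v1: a capped token with no mint function at all.
// Every later implementation must keep this storage layout (owner,
// totalSupply, balanceOf) in the same order, or state is corrupted.
contract CappedTokenV1 {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Hard-coded supply ceiling (illustrative value, not PAID's).
    uint256 public constant CAP = 100_000_000 ether;

    function initialize(address initialOwner) external {
        require(owner == address(0), "already initialized");
        owner = initialOwner;
        totalSupply = CAP;            // the whole supply exists from day one
        balanceOf[initialOwner] = CAP;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // Burning lowers totalSupply and so creates room under CAP.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
    }
}

// Implementation v2: what a holder of the admin key can install.
// It adds an owner-only mint, but CAP still binds: with totalSupply == CAP
// the require below fails until the caller burns first.
contract CappedTokenV2 is CappedTokenV1 {
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(totalSupply + amount <= CAP, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Minimal proxy: whoever controls the admin address can replace the code.
// Token state lives in the proxy's storage; calls are delegated to impl.
contract AdminProxy {
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl, address admin_) {
        _store(IMPL_SLOT, impl);
        _store(ADMIN_SLOT, admin_);
    }

    function _load(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _store(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }

    modifier onlyAdmin() {
        require(msg.sender == _load(ADMIN_SLOT), "not admin");
        _;
    }

    // The single point of failure: one key, one signature, new code.
    function upgradeTo(address newImpl) external onlyAdmin {
        _store(IMPL_SLOT, newImpl);
    }

    // Hardening step: hand admin to a multisig so no single leaked key is
    // enough to call upgradeTo. Note that admin is NOT moved automatically
    // by deploying from a new key; it stays wherever it was last set.
    function changeAdmin(address newAdmin) external onlyAdmin {
        require(newAdmin != address(0), "zero admin");
        _store(ADMIN_SLOT, newAdmin);
    }

    fallback() external payable {
        address impl = _load(IMPL_SLOT);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

The check a team in this position wants is simple: read the EIP-1967 admin slot of every proxy it deployed and confirm the value is the intended multisig, not a deployer key that has since been retired. In this sketch the admin can also call token functions through the fallback; a production transparent proxy blocks that so the admin cannot be tricked by a function-selector clash.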
4) How was the private key leaked?
The responsible party (who is not part of the PAID core team, and whose identity will not be disclosed at this time) shared a PAID private key in a non-PAID repo owned by a 3rd party, who subsequently made this repo public. At this time, we have no reason to believe that any of these parties acted maliciously.
The PAID Network core team had no control over this repo, and was unaware that the private key in question still held any ownership rights over existing PAID token smart contracts. It was thought that all admin rights of this private key had been automatically revoked when ownership was transferred.
5) How will the PAID v2 tokens be airdropped? How does the distribution process work?
The PAID v2 token distribution is being done via airdrop. No user action is required to receive your PAID v2 tokens (other than adding a custom token to your wallet to view your new tokens).
There will be two main airdrops. The basis of the first airdrop is a snapshot of the PAID v1 token ledger immediately before the attacker began selling PAID on Uniswap, taken at block 11979858. The airdrop will distribute PAID v2 based on the wallet balances in the snapshot. This distribution has been completed.
The second airdrop will be based upon the trading activity in the hours following the hack. In the interest of community solidarity, the PAID team is compensating users who purchased PAID tokens within the 4 hours following the hack, which occurred on Friday, March 5, at 20:00 UTC+2, using PAID v2 tokens from the PAID staking rewards pool.
The precise calculation of the number of PAID v2 tokens airdropped will be based on the dollar value of the v1 tokens at the time of purchase.
Again, no user action is required to receive PAID v2 tokens, they will be airdropped directly to your address.
To be clear, there will be no “penalty” for anyone who sold in a panic following the attack. Their balances will be restored as reflected in the snapshot.
6) I have my PAID tokens on Gate.io. Will I be airdropped PAID v2 tokens?
We are working with the Gate.io team to airdrop PAID v2 to holders who stored their tokens on Gate.io. This airdrop will take longer to complete, as it is dependent on working with Gate.io’s team.
7) I’m staking my PAID tokens on LaunchPool and/or Unifarm. Will I be airdropped PAID v2 tokens?
If you had tokens staked on LaunchPool, you have already been airdropped your tokens. Please see LaunchPool's Telegram channel for more details. Unifarm has received tokens and is working on distributing them; please follow their Telegram channel for updates.
8) Is there anything different about the token? What will happen to PAID v1 tokens?
There is no difference in the utility of the v2 token for the PAID dApp or Ignition. The only difference between the tokens is that the v2 token in essence erases the attacker’s theft.
PAID v1 tokens will be phased out as PAID v2 tokens become the new utility token of PAID Network & Ignition.
9) What is the PAID core team doing to ensure this never happens again?
First, we are engaging industry experts on key management best practices. Second, we will move control of the PAID smart contracts to a multisignature wallet, so that the loss of any single private key can never again compromise PAID Network. Third, we have already engaged with industry experts to enhance our security and establish a culture of vigilance, beginning with comprehensive security and process audits.
As a demonstration of our appreciation to all PAID holders who stood by us through this trying time by not buying or selling PAID tokens, following our 21:20 UTC+2 instruction not to transact, PAID Network will be awarding 1 lottery ticket in each of the three upcoming IDOs. Details here.