PEP - [EXPRESS VOTE] Return $USDC fees from exploit to GMBL Computer team

Proposal Number & Name
PEP - [EXPRESS VOTE] Return $USDC fees from exploit to GMBL Computer team

Abstract

On Sep-05-2023 at approximately 11:00 PM UTC, the GMBL.Computer house contract was exploited and 8.1 million $GMBL tokens were stolen.

The exploiter swapped these funds through ParaSwap in four different transactions and did not account for surplus, resulting in the following fees being generated and sent to the ParaSwap Fee Claimer contract (50% for ParaSwap DAO and 50% for the partner):

  • tx1: 198.223716 USDC surplus

  • tx2: 243,631.169124 USDC surplus

  • tx3: none

  • tx4: none

As the ParaSwap fee flow is automated, the resulting 121,914.696 USDC [(198.223716 + 243,631.169124) / 2] were swapped to 74.77379771 ETH in this transaction: Arbitrum Transaction Hash (Txhash) Details | Arbiscan

We are looking to recover the funds that were sent as fees, so we can return them to our LP and make our investors whole.

How was this exploit even possible?

At first glance, we understand this looks suspicious. Even PeckShield at first assumed this was a private key leak, but it is not. Access to the server where the private key that controls the withdrawals is stored is highly restricted, and no one with access was compromised.

So, how was this possible?

To understand this, you have to first understand our referral system. If I refer a user and they place a bet, I am able to claim 5% of their losses, available instantly through our platform in our native $GMBL token and added to my in-game balance.

The user was able to place “ghost bets”, where the server was registering their bets of enormous size [multiple millions of $GMBL] - and since the bets were being registered and could not be won [because they were fake bets] they were automatically registered as losses.

The exploiter could then withdraw these funds through the wallet that referred them.

What did we do in response?

Before launching, all our contracts were audited by Halborn.

We were able to pause the contract from deposits and withdrawals once we knew an exploit was underway, and we paused the game as well.

Shortly after the exploit, our community was able to find the user who did the exploit, because the exploit was unsophisticated and unplanned: the wallet they used was extremely doxxed. This person had reported bugs to us during our beta, and was given whitelist for our presale in return for his services. But this also meant, in hindsight, that he was familiar with our backend routes, through which he was able to conduct the exploit. We were able to contact the exploiter immediately, and we put together a war room with very legitimate people in the crypto space who helped us navigate the situation. All of the above can be seen on our Twitter.

We prioritized recovering whatever the exploiter offered to return, and are now pursuing legal action against the exploiter for the remainder, as he refuses to send us back any more, keeping 50% as a white hat despite the industry norm of 10%, which we are happy to give.

Current situation

The GMBL/USDC Camelot LP still has approximately 900k USDC in liquidity, and approximately 400k USDC has been recovered from the exploiter. Negotiations are ongoing for the remainder of the exploit, but the GMBL team will likely have to pursue legal action as the exploiter is no longer cooperating.

Speed is critical in this proposal, as we would like to re-launch the platform with as much of the original liquidity as possible for the users affected by the exploit.

Our platform runs on the GMBL token, so without all the liquidity we can recover back, we are forced to delay a re-launch.

Goals & review

The goal of this proposal is to recover the funds sent to ParaSwap in form of surplus that were the result of the GMBL exploit, which will go right back into the GMBL/USDC LP.
The funds were 121,914.696 USDC originally and later converted into 74.77379771 ETH

ParaSwap did its job in this situation, and has no responsibility to return any funds. The only reason we ask for a return of the funds is because it directly impacts our users, who have invested over 2.3 million in our protocol and were the most affected by this exploit.

If we can recover all or part of the funds, we will get one step closer to fulfilling our responsibility to our community and investors.

Voting time

Due to the urgency of the situation, we ask for an express vote of 72 hours instead of the typical 5 days.

Voting Options

  • For
  • Abstain
  • Against

Thank you,

The GMBL Computer team

5 Likes
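The "ghost bet" flaw described in the proposal above, modelled as an added example (this is not GMBL's code; the in-game ledger, the even-money payout, the class and function names, and the 5% referral share taken from the post are all assumptions). It shows a bet handler that settles a client-reported stake as a loss and credits the referrer without ever escrowing funds, beside a hardened handler that validates and escrows the stake before settlement and caps referral withdrawals against losses the house actually realised:

```python
"""Ghost-bet referral flaw: vulnerable vs hardened settlement.

Added illustration, not GMBL's code. Assumptions: a 5% referral share of
referee losses (the rate stated in the post), a server-side in-game ledger,
an even-money payout, and the class/function names below.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, Optional

REFERRAL_RATE = Decimal("0.05")  # assumed: 5% of referee losses, as in the post


@dataclass
class Account:
    balance: Decimal = Decimal(0)          # in-game balance (assumed unit: GMBL)
    referrer: Optional[str] = None
    referral_claimable: Decimal = Decimal(0)


class VulnerableHouse:
    """Registers whatever stake the client reports and settles it as a loss
    without checking or debiting the bettor, so the referrer is credited
    5% of a stake that was never funded (the "ghost bet")."""

    def __init__(self, bettor_wins: Callable[[], bool]):
        self.accounts: Dict[str, Account] = {}
        self.bettor_wins = bettor_wins  # outcome oracle, injected for determinism

    def register(self, user: str, balance: int = 0,
                 referrer: Optional[str] = None) -> None:
        self.accounts[user] = Account(Decimal(balance), referrer)

    def place_bet(self, user: str, stake: Decimal) -> str:
        acct = self.accounts[user]
        if self.bettor_wins():
            acct.balance += stake
            return "won"
        # BUG: the "loss" and the referral credit come from the client-supplied
        # stake, although no funds were ever escrowed from the bettor.
        if acct.referrer is not None:
            self.accounts[acct.referrer].referral_claimable += stake * REFERRAL_RATE
        return "lost"


class HardenedHouse(VulnerableHouse):
    """Same API; the stake is validated and escrowed before the outcome is
    decided, and referral credit is derived only from funds the house took."""

    def __init__(self, bettor_wins: Callable[[], bool]):
        super().__init__(bettor_wins)
        self.house_take: Dict[str, Decimal] = {}  # realised take per referee

    def place_bet(self, user: str, stake: Decimal) -> str:
        acct = self.accounts[user]
        stake = Decimal(stake)
        if stake <= 0:
            raise ValueError("stake must be positive")
        if acct.balance < stake:
            raise ValueError("insufficient balance")
        acct.balance -= stake                  # escrow first, then settle
        if self.bettor_wins():
            acct.balance += 2 * stake          # assumed even-money payout
            return "won"
        self.house_take[user] = self.house_take.get(user, Decimal(0)) + stake
        if acct.referrer is not None:
            self.accounts[acct.referrer].referral_claimable += stake * REFERRAL_RATE
        return "lost"

    def max_claimable(self, referrer: str) -> Decimal:
        """Cap recomputed from settled losses rather than the running counter:
        5% of what the house actually took from this referrer's referees."""
        take = sum((t for u, t in self.house_take.items()
                    if self.accounts[u].referrer == referrer), Decimal(0))
        return take * REFERRAL_RATE

    def claim_referral(self, referrer: str, amount: Decimal) -> Decimal:
        """Pay out referral credit bounded by both the counter and the cap, so
        a mis-credited counter can never drain more than real losses."""
        acct = self.accounts[referrer]
        amount = Decimal(amount)
        if amount <= 0 or amount > min(acct.referral_claimable,
                                       self.max_claimable(referrer)):
            raise ValueError("claim exceeds referral entitlement")
        acct.referral_claimable -= amount
        acct.balance += amount
        return acct.balance


def demo():
    """Replays the post's scenario with constructed data: an unfunded attacker
    places a multi-million 'bet' and the referring wallet accrues 5% of it."""
    def always_lose() -> bool:
        return False  # every bet settles as a loss, as the post describes

    v = VulnerableHouse(always_lose)
    v.register("referrer_wallet")
    v.register("attacker", balance=0, referrer="referrer_wallet")
    v.place_bet("attacker", Decimal("5000000"))            # ghost bet: unfunded
    ghost_credit = v.accounts["referrer_wallet"].referral_claimable

    h = HardenedHouse(always_lose)
    h.register("referrer_wallet")
    h.register("attacker", balance=100, referrer="referrer_wallet")
    try:
        h.place_bet("attacker", Decimal("5000000"))
        ghost_rejected = False
    except ValueError:
        ghost_rejected = True
    h.place_bet("attacker", Decimal("100"))                 # a real, funded loss
    real_credit = h.accounts["referrer_wallet"].referral_claimable
    paid = h.claim_referral("referrer_wallet", Decimal("5"))
    return ghost_credit, ghost_rejected, real_credit, paid


if __name__ == "__main__":
    print(demo())
```

The point of `max_claimable` is that it does not trust the same counter the bet handler writes: at withdrawal time the entitlement is recomputed from losses that were actually settled against escrowed balances, so even a handler bug that inflates `referral_claimable` cannot turn into a payout larger than the house really took.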

Hello.

I don’t understand the amount you’re asking for.
If we go back to the paraswap dashboard of protocol revenues, we have a day at 66k but certainly not 121k?

I must have missed something. Can you explain?

OK 50/50 partner and paraswap. Clear for me. :ok_hand::ok_hand:

5 Likes

Why should Paraswap be held responsible for the failure of your code? Paraswap is in no way responsible for the malfunction of your protocol; it simply fulfilled its swap task.

2 Likes

Hello
It is important to acknowledge that ParaSwap has fulfilled its intended purpose and acted in accordance with its designated functions. However, it is equally essential to clarify the actual amounts of ParaSwap’s revenue and partner fees to ensure fairness.
I am open to the idea of assisting GMBL in overcoming this challenging period and potentially allocating a % of the revenue. The goal would be to ensure a win-win situation for all parties involved.

My answer is not “For” or “Against”, It will be ‘FOR with the condition of a percentage to be defined.’

5 Likes

Hello,
First, sorry for your loss.

I understand that it's not easy at all to recover funds and do things right. But blockchain is transparent and it's weird to see that:

  • As this address is not a vanity address, the private key is almost impossible to find.
  • This address doesn't have any activity.
  • The contract was deployed 1 day before the hack.
  • You didn't even pause the contract to prevent the hacker from continuing to steal funds, nor remove this whitelisted signer.

I don't have any answer yet regarding this proposal, just adding facts, but I'm wondering how you got hacked:

  • did you put the private key of this signer in clear on your front-end?
  • did one of your team use the private key to hack your own protocol?
  • was the hacker able to generate the private key in less than 24h?

11 Likes

I was also looking at the same stuff, following the same contract and found that really intriguing, not saying you hacked yourself but from a viewer perspective it looks a lot like it comes from the inside.

To put some context here, it's also worth mentioning that your website is a non-regulated online gambling casino launched only 2 hours before the hack.

This seems suspicious to me and it raises doubts, we are not the police, it is not our role to decide and it’s not even our role to investigate.

Either way, I look forward to hearing your arguments.

13 Likes

I totally agree with @enerow @GazkBZH and @Xutyr
To my mind, this is a very suspicious “hack”, and seems to come from the inside.
Paraswap did its job, not more.
I don’t see why any fund should be returned for now.

Right now, if I have to vote, it’s “Against”.

It looks more like a try to clean some dirty ETH than a “fair hack”.

5 Likes

As this subject clearly needs more time to be clarified, it is perhaps worth pointing out that the use of the ‘PEP’ format and these shortened deadlines must be carried out under certain conditions, which this proposal does not appear to meet.

As a reminder:
For a proposal to be an Express Proposal, it has to be about one of the following:
- Mitigating any vulnerabilities that might trigger system abuse related to PSP
- Addressing events that might lead to critically low amounts of PSP liquidity.
- Responding to outside circumstances that affect the PSP systems, such as partners of the PSP system being compromised.
Source

I can understand the GMBL computer team’s sense of urgency, but I agree with the opinions above on the need to study the environment of this proposal.
Following this I think it’s better to go with the ‘PIP’ format.

8 Likes

I agree with you.

I think we should rename it to the PIP format to keep the important information/posts already posted, not create a new one.

4 Likes

Hello, to answer your questions:

  • did you put the private key of this signer in clear on your front-end?
    NO - this private key lives on the server. We know exactly how the exploiter was able to exploit the protocol, and I have updated the main post with this information to make it clear that it was not a private key leak, despite first instincts

  • did one of your team use the private key to hack your own protocol?
    NO - we know who did this, and have recovered 50% of the funds from the exploiter

  • was the hacker able to generate the private key in less than 24h?
    NO - again, this was not related to a private key leak

I have updated the main post with full details of the exploit. Apologies, I should have had that in sooner.

The entire premise of our protocol is that we are a DeFi protocol that generates yield by giving all profits generated from casino games to stakers.

For this reason, we feel we have a strong regulatory advantage in the space, because we are not technically casino operators in the traditional sense if we do not profit from casino games themselves. None of the Core Contributors are allowed to stake.

So - the regulatory advantage we have been advised we can defend from a legal perspective is because of the protocol design.

I doubt that when it comes to regulation, belief is a necessary insurance policy.
You remain unregulated for the time being.
Today, it’s hard for Paraswap Dao to be complacent and offer support to unregulated casinos.

As far as your hack is concerned, there are still some grey areas. Is your white hat turning into a black hat?
You whitelist him, but he’s the only one on the list? And he’s the one with the right to withdraw from the contract?
The abuse of phantom betting seems really phoned-in and predictable.

Personally, I’m more than a little uncomfortable with your story.

1 Like

The exploiter was whitelisted for the presale, along with thousands of other people, for reporting bugs or trying our beta. The whitelist has nothing to do with access to the platform, other than that he was able to buy the presale. The reason I mention this is because he was familiar with our routes when he tried our beta and reported bugs. Then he found an exploit when we were live.

Yes, he refuses to return any more of the money. White hat, black hat, it gets weird here, since he did give back 50%; we are just trying to get more from him. We offered him 10% in return for the funds. Since he will not give us back 90%, we are pursuing legal action in Turkey, where he resides.

I have no answer in regards to the phantom betting thing; it was a big oversight on our part. I have linked a post from cryptogle, who we are working closely with to recover the funds, hopefully proving this was not an inside job [he is a well known good actor who helped the Euler team get their $200m back].

If I had to translate the situation:

A man swindles a casino (in this case, yours), takes his loot to, say, Western Union (Paraswap) to change the (stolen) dollars into euros. Western Union takes its usual commission for this service.

The next day, the casino’s managers go to Western Union to claim the commission generated for the service rendered, since the funds were stolen.
I don’t think that in this case Western Union is obliged or even should reimburse the fees for the service they rendered as a merchant (moreover, it’s not up to the merchant to check where the funds came from, that’s not their role).

However, we could discuss a possible percentage as proof of good faith or solicitude, but this remains to be defined with the DAO.

7 Likes

Why are you guys so against giving back stolen money? Seems like the right thing to do. A lot of people got hurt by this don’t think we should be selfish and try to keep stolen funds.

Nathan (who joined 52 min earlier) seems to disapprove what is always reasonable: doubt.
I don’t know how to take this into account. ^^’

1 Like

Hello Nathan, it looks like you just joined the governance forum a few minutes ago. Who are you? Could you at least introduce yourself to the community?

Correct, this is why i added this:

"ParaSwap did its job in this situation, and has no responsibility to return any funds. The only reason we ask for a return of the funds is because it directly impacts our users, who have invested over 2.3 million in our protocol and were the most affected by this exploit.

If we can recover all or part of the funds, we will get one step closer to fulfilling our responsibility to our community and investors."

ParaSwap has no obligation to help us here. But we have to ask

Hello, I agree with the general opinion, I am against the return of funds. Paraswap does what it is created to do, give the best exchange rate. If we start to reimburse all the hacks, Paraswap risks losing its skin.

2 Likes

GM all, I also agree that ParaSwap as infrastructure doesn't have to reimburse, even if it was a hack. Imagine another scenario: if the trade was routed to another DEX aggregator, then GMBL would also try to request reimbursement. As infrastructure, ParaSwap did its job and nothing else.

sorry for the broken english, english is not my first language.

1 Like