I am willing to donate half of the stolen 6.2k aave funds to the community. Or freeze them forever. Just to catch the hacker.

Yesterday I posted: My aave tokens are taken away by a hacker, can we use admin key to get it back?

but got no reply.
I am talking with the support. In the meanwhile I want to start a discussion to stop the thief from getting the 6k stkAAVE that is still in cooldown.

I have concluded the hacker only had access to my aave and eth funds, because I had 7m usd at that address 0x8135908BbcB583D65978acCFe3Da6cA927185Eb1 yet the hacker only took 450k of aave and 3.5 eth to his address 0xD7C40C252cAEBfeA30A02cDC648Bf5CF8Cb690e1. I have emptied the funds after the hack. Anyone can check my story.
That means, if I am right, anyone who has given permission to aave.com is at risk of losing all their aave and eth.
So I propose to extend the cooldown time of the stolen stkAAVE to prevent the hacker from getting the funds until the investigation concludes. According to our policy, “The cooldown period by default is 10 days, but this can be further extended by the governance.”, so it is possible even without a vote.

I am willing to donate half of the stolen 6.2k aave funds to the community. Or freeze them forever. Please give me your thoughts and advise me what to do. There are 7 days left. After that, the hacker will be able to cash the fund.

Hello Peter,

Every hack is a personal tragedy and I’m deeply sorry for your loss.

The Aave genesis team does not hold any admin key or control the AAVE token contract. After looking at your account, there’s no evidence of a link between approving the Aave contracts and your situation.

The staking contract has been audited by 2 reputable companies and no vulnerabilities were found. It also continues to securely hold nearly $200M worth of staked AAVE. The actions of the hacker did not originate from a contract.

The actions of the hacker have been directly signed by your wallet private key, hence, the most probable scenario is that your metamask wallet private key has been compromised.

The hacker decided, for reasons unknown to all but him, to take only your AAVE, StkAAVE, and some ETH. This actor is in full control of your StkAAVE; modifying the COOLDOWN_SECONDS of the safety module will have no effect on the fact that he owns all your AAVE and will not modify the situation in your favor.

To prevent this in the future, I would recommend securing your assets with a hardware wallet such as Ledger. You can find info on their website here.

3 Likes

Thanks MarcZeller,
But I am not convinced. I do not believe my private key is compromised, as I myself am an IT guy. The hacker would not only take the 400k usd aave with a cooldown period while there are 7m usd of assets without cooldown. And the hacker has started cooldown in order to cash the stkAAVE as soon as possible, and is claiming the aave rewards generated by the stolen stkAAVE, which is less than 100 usd. It is obviously not a generous hacker.

Having been audited does not guarantee security, just as BZRX showed.
If aave could not protect the assets in time while they are still under aave’s control, I will utilize every resource I have to start the legal process to sue aave and track down the hacker. Let the jury decide. Because if I am right, everyone’s assets are at risk. The hacker is just waiting for the right time and target. Actually, this hacking happened just two days before cooldown ended and I would have sold my aave. (I initiated cooldown 8 days before the hacking in order to withdraw the stkAAVE.)

As per https://docs.aave.com/faq/migration-and-staking, “The cooldown period by default is 10 days, but this can be further extended by the governance.” I think the governance has the right to extend the cooldown period to protect the funds. Even if a vote is required to extend the hacker’s stkAAVE, we still have time. 7 days. We should take quick action. There must be a way of doing this, otherwise the business model should be banned.

Further, I don’t think cooldown is the cause of being hacked, because the eth in my wallet was not in cooldown (but maybe eth is different from erc20). The stolen assets have only one common factor: I have given permission to aave.com to spend them. And all the unstolen assets have the same factor: permission was not given to aave.com.

I know many of you may think the hacker might be myself. So I suggest to extend the cooldown at least until we figure out a way to clear all things up. I can reveal my identity. I am just a software engineer. Besides, what can I gain from a permanent cooldown? Why would I take the trouble to move out all the funds after the hack?

Not personal, MarcZeller. Thanks for any discussion.

1 Like

Hello Peter,

Please be advised there is evidence that your wallet and/or private key was compromised. The transactions were performed and signed by your address. Thus it follows, either you performed these transactions, or someone used your private key.

Furthermore, your assertion that your remaining tokens were not stolen and thus this is proof of a hack does not hold water. Actually, this was likely because etherscan shows those tokens with a $0 value. The hack you have suffered is not technically complex, as it only requires access to your private key or wallet.

Regarding your statement that the transfer was performed from the Aave protocol or contract, this is wrong: the token transaction is a “transfer” function, which can only be triggered by your own address:

If this was performed based on the allowance for a contract it would be a “transferFrom” function instead.

In addition ETH is not an asset you can allow a contract to transfer on your behalf so not even Aave contract could perform an ETH transfer by allowance as you propose:

You did not give permission to AAVE to transfer your ETH; this is not even technically possible, as ETH does not act as an ERC20 token does, so both stolen assets do not share that in common.

About the suggestion of extending the cooldown indefinitely, as you propose, until things are “cleared out”: unfortunately the issue here is that it is actually impossible to clear out whether it was you or another person just by revealing your identity. The transaction was performed by your address, by you or not, on purpose or not; there is no way to prove the legitimacy of the act just by providing further information. Even with this, we are not able to make such a change or take such action, as the aave protocol is decentralized and admin keys are in Aave token holders’ hands, so it is something that can be proposed and voted on over governance. But based on the previous facts it is a decision that would be totally arbitrary, as it is not possible to prove the legitimacy or not of the hack.

3 Likes
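The distinction MarcZeller draws (a “transfer” is signed by the token holder, a “transferFrom” is a spender using an allowance) can be read mechanically from a transaction’s calldata. The script below is an added example, not code from this thread or from Aave; the 4-byte selectors are the standard ERC-20 ones, while the addresses and calldata are constructed placeholders.

```python
# Added example (not from the thread or Aave): classify an ERC-20 token
# movement from the raw calldata of a transaction, so a reader can tell
# whether the tokens left the *signer's* balance ("transfer") or were
# pulled by a spender under an allowance ("transferFrom").
from dataclasses import dataclass

# Standard ERC-20 selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}


@dataclass
class TokenMove:
    function: str
    from_addr: str        # whose balance decreases
    to_addr: str
    amount: int           # raw token units (18 decimals for stkAAVE)
    needs_allowance: bool  # True only for transferFrom


def _strip(hexstr: str) -> str:
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h


def _word_addr(addr: str) -> str:
    return _strip(addr).rjust(64, "0")   # left-pad 20-byte address to 32 bytes


def _word_uint(n: int) -> str:
    return format(n, "064x")


def encode_transfer(to: str, amount: int) -> str:
    # Constructed calldata for transfer(to, amount).
    return "0xa9059cbb" + _word_addr(to) + _word_uint(amount)


def encode_transfer_from(frm: str, to: str, amount: int) -> str:
    # Constructed calldata for transferFrom(frm, to, amount).
    return "0x23b872dd" + _word_addr(frm) + _word_addr(to) + _word_uint(amount)


def classify(tx_from: str, calldata: str) -> TokenMove:
    """tx_from is the externally-owned account that signed the transaction."""
    data = _strip(calldata)
    name = SELECTORS.get(data[:8])
    if name is None:
        raise ValueError(f"unknown selector {data[:8]}")
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    if name.startswith("transfer("):
        # Tokens leave the signer's own balance; no allowance involved.
        return TokenMove("transfer", _strip(tx_from), "0x" + words[0][-40:],
                         int(words[1], 16), False)
    if name.startswith("transferFrom("):
        # Tokens leave the first argument's balance; the signer is a spender
        # that must hold an allowance from that holder.
        return TokenMove("transferFrom", words[0][-40:], "0x" + words[1][-40:],
                         int(words[2], 16), True)
    raise ValueError(f"{name} moves no tokens")


# Constructed placeholder accounts, not the addresses from the thread.
HOLDER = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
```

Running `classify(HOLDER, encode_transfer(OTHER, 6231 * 10**18))` reports a `transfer` from `HOLDER`, i.e. the holder’s key signed it; the same amount via `encode_transfer_from` signed by `OTHER` reports `needs_allowance=True`.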

Hello MarcZeller, thanks for your reply. Let me reply to you and use ===> and <=== to indicate my reply.

Please be advised there is evidence that your wallet and/or private key was compromised. The transactions were performed and signed by your address. Thus it follows, either you performed these transactions, or someone used your private key.

===> No, that is why we need to investigate and figure out who did it and how. That is how hacking happens: something only the hacker knows and is able to do until further investigation concludes. Like when a bank is hacked, you could not say only a bank employee can have done it.
<===
Furthermore, your assertion that your remaining tokens were not stolen and thus this is proof of a hack does not hold water. Actually, this was likely because etherscan shows those tokens with a $0 value. The hack you have suffered is not technically complex, as it only requires access to your private key or wallet.

===> A hacker would not miss the money in a wallet. Most of the ERC20 tokens’ value in etherscan is shown as $0, and even the transaction in which the hacker stole 6k aave from my address to his shows the value as $0 too. But anyone without any experience can check the balance of any address in any of the defi investment tools such as zapper.fi or debank.com or zerion.io, etc.
<===
Regarding your statement that the transfer was performed from the Aave protocol or contract, this is wrong: the token transaction is a “transfer” function, which can only be triggered by your own address:
https://etherscan.io/tx/0x7df929d246e27bbd6c2dfdba5fd1b5f78fa6ef3c09a91f439e4d7a78c6165b98

If this was performed based on the allowance for a contract it would be a “transferFrom” function instead.
===> Yes, you are right. That is why we need further investigation to know why the hacker can do this. Although I am a software engineer, I am new to smart contracts so I need time to learn more about this.
<===
In addition ETH is not an asset you can allow a contract to transfer on your behalf so not even Aave contract could perform an ETH transfer by allowance as you propose:


===> ETH does not need to be given permission, that is, does not need to be “allowed”, as if it is already “allowed” by default, right?
<===
You did not give permission to AAVE to transfer your ETH; this is not even technically possible, as ETH does not act as an ERC20 token does, so both stolen assets do not share that in common.
===> I tested on aave.com that only AAVE and ETH can be spent (actually I tested deposit) without a spending-limit permission. ETH does not seem to need to be given permission. Therefore the correct words should be: both stolen assets (AAVE and ETH) share in common that spending permission does not need to be given to AAVE.COM when AAVE.COM spends them.
<===
About the suggestion of extending the cooldown indefinitely, as you propose, until things are “cleared out”: unfortunately the issue here is that it is actually impossible to clear out whether it was you or another person just by revealing your identity. The transaction was performed by your address, by you or not, on purpose or not; there is no way to prove the legitimacy of the act just by providing further information. Even with this, we are not able to make such a change or take such action, as the aave protocol is decentralized and admin keys are in Aave token holders’ hands, so it is something that can be proposed and voted on over governance. But based on the previous facts it is a decision that would be totally arbitrary, as it is not possible to prove the legitimacy or not of the hack.
===> It can be cleared up this way: you must have noticed the hacker has initiated cooldown and is actively claiming the aave rewards every day. It is clear he is anxious to cash the stolen assets. If we extend the cooldown, he will have to reach out to aave in order to cash the funds. Then aave can explain and identify who he is. If he never shows up, then he is the hacker. Then we can discuss what to do next.
With all this, if aave could not protect the funds, I will report to the financial authority and sue aave in a court of law. This is not a way of doing business. Even if the admin keys are in governance’s hands and need a vote, did aave initiate the vote? Even if the vote denies my proposal, there must be a way to deal with such an issue. Otherwise this business model should not exist.

Further I would like to add two new suggestions. 1. To deposit 1m usd in aave as collateral. 2. Donate the funds to any organization, including charities. Aave can name one. Thus, I have provided four suggestions to earn your (AAVE’s) trust. To sum up:
1) Donate half of the stolen tokens, which is about 220,000 usd.
2) Freeze them.
3) I provide collateral of about twice the stolen tokens. If I have any wrongdoings or cause any harm to AAVE, the collateral will be disposed of by aave.
4) Donate part or all of the funds to any organization under AAVE’s discretion and public monitoring (to ensure the funds are actually donated to the organization). I suggest donating to UNICEF (www.unicef.org). Please help me to fulfil this dream. It can be executed by AAVE to make sure the funds are going to UNICEF.
Hope we do not have to go to the police or court or financial authority just because of a hacker. Or you and your team can figure out any way to do so. I will cooperate.

Even if my wallet is compromised, AAVE.com, as a financial service provider, has a responsibility to protect clients’ assets. After all, hacking is a crime; if it is completed because of AAVE’s inaction, AAVE might become an accomplice to the hacking crime.

Thank you again and let us hurry up.
<===

1 Like

Dear Peter,

We are happy to help you clarify what happened, but as pointed out several times, this has nothing to do with Aave: your wallet private key or wallet was compromised. Regarding the funds not taken, this is not something up to a subjective evaluation; the hacker actually missed those funds. stkAAVE shows its value in etherscan, as you can see:

The liquidity token you moved, valued at 4M$, shows no value in etherscan:

But anyway this is not something subjective: as pointed out, the wallet is compromised, tokens were moved with “transfer” and ETH was moved (it does not have any allowance possible). Those movements were performed by your address.

Both transactions, as previously communicated, were performed by your address; the stkAAVE one is a “transfer” function and is not based on any allowance.
And regarding ETH: ETH is not an asset you can give an allowance for as with an ERC20 token. You can’t give an allowance to an address to move your ETH; the Aave protocol has no allowance to move your ETH on your behalf, it is technically impossible. Your ETH was moved by your address as it is compromised, the same way as your tokens.

About your request to extend the cooldown: the Aave genesis team can’t extend the cooldown by itself or take any actions. Admin keys are in aave token holders’ hands and any change like that requires an on-chain voting process to happen.
Also, as pointed out in previous communications, since your wallet is compromised it is impossible to prove the legitimacy of the hack; it was done by your wallet address, by you or by someone with your private key or wallet access.

About the suggestion of donating, freezing, providing collateral, or any other similar action: none of those prove the legitimacy of the action. It is not possible to demonstrate based on the transactions that it was a hack or performed by yourself based on an agreement between parties or any similar action, so none of these suggestions help or solve this in any sense.

The Aave protocol is decentralized, thus we, as the genesis team, have no responsibility over this, as we are not a custodian of your assets.

Hi,
A real hacker wouldn’t leave the farm tokens and would drain every coin from Peter’s wallet!
I also vote against a proposal that freezes my stkAAVE indefinitely, as everyone here does, I think.
IMHO peter is a troll and he works for compound!
Checkmate!

I am so disappointed and I just reiterate my four suggestions again. Anyone can have his/her own judgement, just as the jury will have too.
1) Donate half of the stolen tokens.
2) Freeze them.
3) I provide collateral of about twice the stolen tokens. If I have any wrongdoings or cause any harm to AAVE, the collateral will be disposed of by aave.
4) Donate part or all of the funds to any organization under AAVE’s discretion and public monitoring (to ensure the funds are actually donated to the organization). I suggest donating to UNICEF (www.unicef.org). Please help me to fulfil this dream. It can be executed by AAVE to make sure the funds are going to UNICEF.

Add a fifth:
5) Suggest having a third party give an investigation and expert opinion.

Now I am not coming back regularly because I am busy destroying aave and building better ones, and getting to the truth of why my 6.2k aave tokens were taken.
As a software engineer with the experience of investing in cryptocurrency for 9 years without being hacked even once, I promise my key is not compromised.

Anyone can contact me to join by twitter @sanmao32 or email s_mao3 at yahoo.ca. The 8m usd (as eth rose recently, it has become over 8m) rescued from that hacked address will be a fund dedicated to this cause. If necessary, more funds will come.

1 Like

Hi @MarcZeller
I am looking up the transaction record. I have found that in the transaction https://etherscan.io/tx/0x7df929d246e27bbd6c2dfdba5fd1b5f78fa6ef3c09a91f439e4d7a78c6165b98/advanced
in which the hacker transferred my stkAAVE to his address, there is an internal txn. Would you please explain to me what that is?

Thank you.
Peter

In the hope that these endless postings end, I have checked etherscan myself. What I found is pretty interesting:

Your address: 0x8135908BbcB583D65978acCFe3Da6cA927185Eb1
Other address: 0xD7C40C252cAEBfeA30A02cDC648Bf5CF8Cb690e1

In tx https://etherscan.io/tx/0xe0368d0e91825cd9966e9fea3ff374aa4aefea1edbaf01575c99026df1323fa5 6231 staked aave tokens were transferred from the other address to your address.

Exactly the same token amount was transferred back from your address to the other address in https://etherscan.io/tx/0x7df929d246e27bbd6c2dfdba5fd1b5f78fa6ef3c09a91f439e4d7a78c6165b98.

So, where is the problem?

Yes, @cryptix, the hacker took 6231 stkAAVE
from my 0x8135908BbcB583D65978acCFe3Da6cA927185Eb1 to his 0xD7C40C252cAEBfeA30A02cDC648Bf5CF8Cb690e1,
and then, not long after, transferred it back to my 0x8135908BbcB583D65978acCFe3Da6cA927185Eb1,
and 14 hours later, transferred it back from my account to his 0xD7C40C252cAEBfeA30A02cDC648Bf5CF8Cb690e1.

The eth followed the same pattern.
The problem is that all these transactions were not done by me. I was sleeping when the first transaction happened. Phishing is not possible. And when the last transaction happened, I realised something was wrong and contacted AAVE support.

I could not figure out why he did this, but it means he at least controlled my account for 14 hours. He definitely had time to figure out I had 7m usd in that account. But he did not touch it.

But now, I think the first time he took the funds in order to see if he was able to take them. He transferred the funds back to my account in the hope that I would not be alerted to the hacking, so that he could have time to see if he could take my other money. Then when he had tried for 14 hours and found he could only take stkAAVE and ETH, he did that and went away. Just my guess.

Also be advised that it took me 6 hours to empty my account (after the last hacking transaction); the hacker was just sitting there without any actions, because he could only take stkAAVE and ETH, which do not need approval.

Again, can you demonstrate that you didn’t do these transactions without any shadow of doubt, besides the “I was sleeping”? Because your whole argument is completely useless otherwise.

On a side note, can you disclose what kind of wallet you were/are using at the time of the hack?

@TheDoo I know it is difficult to demonstrate, so I suggest I am willing to risk another 10000 usdt in my account to see if the hacker can take it. But the aave team said even that cannot prove it, as it might be myself. So I came up with the suggestions to earn the trust. Why would I suggest donating the whole fund directly via the aave team if the hacker is me myself? What do I gain from all this trouble besides losing half a million usd?
That made me even madder, as if most of you here are out of your minds, not just the aave team. I am fighting here for you too. After all, I am donating to this community (freezing them is the same as donating, as the circulating aave decreases).
Or any ways you can suggest? I will cooperate and thank you. Because that might bring me closure.

@TheDoo, Oh, I did send the screenshot of my metamask activities to the aave team to let them check which are real, my activities, and which are the hacker’s (those in etherscan but not in my metamask activities). From Sept. 2 until I emptied that account.
The only possible activity which triggered this hack is staking aave and then cooldown (unstaking aave).

@TheDoo metamask
I am not active in trading, as you can see from the activities before the hacking. Only when the farm yield is large enough do I come to claim the yield or adjust the farm strategy. And when I do any transaction, I double check everything.
By contrast, the hacker is collecting aave yield almost every day. That is clearly not my activity pattern.

Metamask without a hardware wallet???

1 Like

Any other development on this issue? If what Peter says is true, this is very weird indeed.

@clouds The hacker has sold the AAVE and transferred it to Tornado, which made it impossible to trace. It is a professional hacker. All I said can be confirmed on the blockchain.
I have gone over everything over and over, and the conclusion is that when I staked aave or unstaked stkAAVE, the aave.com website got a chance to get something from me, enabling it to take my stkAAVE and eth. I only know when and where, but not how and who.
Yesterday, I transferred some usdc, usdt and others into the hacked address, and they are safe.
I am still working on it…

Have you started a legal procedure?

No, I cannot take the risk of corona. There are two years during which I can take legal action. Waiting for the end of corona to travel to London to sue them. If anyone in London can represent me, you are welcome to contact me and will be fully rewarded. This is a suit of 6300 (aave tokens) * 500 (current price) = $3150000.