Minterest Security Incident Documentation

This Gitbook serves as a comprehensive documentation of the security incident that occurred on July 14, 2024. It includes detailed post-mortem reports, remediation plans, and communications.

Security Incident Communications

Security Incident Post-Mortem Report

Date of Incident: July 14, 2024

Summary: Minterest’s Mantle Network deployment experienced a security breach, while Ethereum and Taiko networks remained unaffected.

Impact:

• $1.4M in $mETH and $WETH tokens were stolen.

• Manipulated exchange rates led to liquidation events and reduced USDY withdrawals.

Root Cause: A reentrancy attack on the mUSDY market using a flash loan and lendRUSDY.

Actions Taken:

• Suspended all operations on all chains.

• Flagged the suspect wallet with key exchanges and on Etherscan.

• Collaborated with SEAL 911, Blocksec, and other forensics firms.

• Attempted communication with the attacker.

Recovery Efforts:

• Anticipated full recovery for USDY holders and liquidated users.

• Continued efforts to recover WETH/mETH funds.

Remediation plan: Next steps for recovery

Incident Summary: On July 14, 2024, Minterest experienced a major security breach due to a reentrancy exploit in the mUSDY market. This breach led to the theft of $1.4M in mETH and WETH, manipulation of exchange rates, and liquidation of user positions. Immediate actions included suspending operations and working with forensics experts, exchanges, and legal authorities.

Stolen Funds Status: Extensive efforts were made with forensics experts and legal channels to recover the stolen funds. Despite the hacker’s lack of cooperation, recovery efforts were ongoing and expected to be prolonged.

Remediation Process:

1. 15% Haircut for WETH & mETH: A 15% reduction was applied to WETH and mETH supplies to account for the stolen funds. Recovered funds were to be returned proportionally to affected users.

2. $MINTY Compensation: Affected users received $MINTY tokens at a 25% discount to the listing price, with 20% unlocked at TGE and the remaining 80% vested over 6 months.

3. Yield Farming Boost: Suppliers with pre-exploit holdings over $50 received a 40% boost in MNT and MINTY emissions for three months post-reopening.

4. Recovered Funds: Any recovered assets were distributed in addition to $MINTY compensation.

Additional Measures:

• Operational Adjustments: Detailed steps for adjusting supply positions were shared.

• Focused Haircut: Only WETH and mETH were affected to maintain fairness.

• Legal Efforts: Continued cooperation with forensics and legal authorities.

• Mitigating Liquidation Risks: Ensured net health factor positions above 1.05.

• Enhanced Security: Implemented audits, advanced monitoring, and bug bounty programs.

Future Steps:

• Regular Updates: Continued communication about recovery and security improvements.

• Rebuilding Trust: Focused on transparency and community engagement.

Minterest Security Update: Successful Security Audit for USDY Token Market by PeckShield

• Audit Scope: Covered the MUSDY token market and related contracts, including MToken, MEther, and Supervisor.

• Coverage: Included a holistic review of the MToken and MEther contracts, ensuring comprehensive security for Minterest’s token markets.

Key Findings and Resolutions

• Precision Issue: Fixed to prevent potential exploits.

• Non-Reentrancy Enforcement: Strengthened for consistent protection.

• Ether Transfer: Enhanced with additional security measures.

All major issues identified have been resolved.

Chronological list of all announcements made via Telegram and Discord.

• 14 July 2024: Initial breach notification.

• 14 July 2024: MINTEREST - ADDRESSING STATUS/QUESTIONS ON RECENT BREACH

• 15 July 2024: Minterest Security Incident Post-Mortem Report

• 16 July 2024: Minterest Exploit Recovery and Current Status

• 17 July 2024: Latest Update on Minterest Exploit: Asset Remediation, Security Measures, and Community Support

• 18 July 2024: USDY Market Restored and Asset Remediation Progress

• 19 July 2024: Liquidation Reimbursements and Security Enhancements

• 20 July 2024: Emissions Active, Interest Rates Adjusted, and Ongoing Recovery Efforts

• 22 July 2024: Clearer Timelines and Next Steps

• 23 July 2024: Official remediation plan release.

• 24 July 2024: Update on Liquidation Fee Reimbursement and Remediation Plan

• 25 July 2024: Security Audit, Remediation Progress, and Upcoming Code Review

• 27 July 2024: Progress on Reopening, Upcoming Content, and Remediation Plan Details

• 31 July 2024: CEO Update: Important Developments and Direction Ahead of Minterest Reopening

• 02 August 2024: Awaiting Final Security Audit and Implementing Improvements

• 02 August 2024: Minterest Code Development Process: Overview and Transparency

• 03 August 2024: Security Audit Status, 40% Boost for Affected Suppliers, and Code Review Process

• 03 August 2024: Double Emission Rewards and Awaiting USDY Audit Report

• 05 August 2024: Rebalancing Process Underway

• 05 August 2024: USDY Security Audit Completed

• 06 August 2024: How the Protocol Repays Your Loan on Your Behalf During Rebalancing

• 06 August 2024: Minterest Protocol Reopening Update

• 06 August 2024: Minterest is Live Again
