# Minterest Security Incident Documentation

## Links to Key Blogs

1. [Security incident post-mortem report](https://minterest.com/blog/minterest-security-incident-post-mortem-report/)
2. [Remediation plan: Next steps for recovery](https://minterest.com/blog/minterest-remediation-plan-next-steps-for-recovery/)
3. [CEO’s Letter to the Community](https://minterest.com/blog/ceos-letter-to-the-community/)
4. [Minterest: Code Development Policy](https://minterest.com/blog/minterest-code-development-policy/)
5. [Minterest Security Update: Successful Security Audit for USDY Token Market by PeckShield](https://minterest.com/blog/minterest-security-update-successful-security-audit-for-usdy-token-market-by-peckshield/)
6. [Minterest Protocol Reopens: What You Need to Know](https://minterest.com/blog/minterest-protocol-reopens-what-you-need-to-know/)

## Security Incident Communications

### Security Incident Post-Mortem Report

**Date of Incident**: July 14, 2024

**Summary**: Minterest’s Mantle Network deployment experienced a security breach, while the Ethereum and Taiko networks remained unaffected.

**Impact:**

• $1.4M in $mETH and $WETH tokens were stolen.

• Manipulated exchange rates led to liquidation events and reduced USDY withdrawals.

**Root Cause:** A reentrancy attack on the mUSDY market using a flash loan and lendRUSDY.

**Actions Taken:**

• Suspended all operations on all chains.

• Flagged the suspect wallet with key exchanges and on Etherscan.

• Collaborated with SEAL 911, Blocksec, and other forensics firms.

• Attempted communication with the attacker.

**Recovery Efforts:**

• Anticipated full recovery for USDY holders and liquidated users.

• Continued efforts to recover WETH/mETH funds.

### Remediation plan: Next steps for recovery

**Incident Summary**: On July 14, 2024, Minterest experienced a major security breach due to a reentrancy exploit in the mUSDY market. This breach led to the theft of $1.4M in mETH and WETH, manipulation of exchange rates, and liquidation of user positions. Immediate actions included suspending operations and working with forensics experts, exchanges, and legal authorities.

**Stolen Funds Status**: Extensive efforts were made with forensics experts and legal channels to recover the stolen funds. Despite the hacker’s lack of cooperation, recovery efforts were ongoing and expected to be prolonged.

**Remediation Process:**

1. 15% Haircut for WETH & mETH: A 15% reduction was applied to WETH and mETH supplies to account for the stolen funds. Recovered funds were to be returned proportionally to affected users.

2. $MINTY Compensation: Affected users received $MINTY tokens at a 25% discount to the listing price, with 20% unlocked at TGE and the remaining 80% vested over 6 months.

3. Yield Farming Boost: Suppliers with pre-exploit holdings over $50 received a 40% boost in MNT and MINTY emissions for three months post-reopening.

4. Recovered Funds: Any recovered assets were distributed in addition to $MINTY compensation.

**Additional Measures:**

• Operational Adjustments: Detailed steps for adjusting supply positions were shared.

• Focused Haircut: Only WETH and mETH were affected to maintain fairness.

• Legal Efforts: Continued cooperation with forensics and legal authorities.

• Mitigating Liquidation Risks: Ensured net health factor positions above 1.05.

• Enhanced Security: Implemented audits, advanced monitoring, and bug bounty programs.

**Future Steps:**

• Regular Updates: Continued communication about recovery and security improvements.

• Rebuilding Trust: Focused on transparency and community engagement.

### Minterest Security Update: Successful Security Audit for USDY Token Market by PeckShield

• Audit Scope: Covered the MUSDY token market and related contracts, including MToken, MEther, and Supervisor.

• Coverage: Included a holistic review of the MToken and MEther contracts, ensuring comprehensive security for Minterest’s token markets.

**Key Findings and Resolutions:**

• Precision Issue: Fixed to prevent potential exploits.

• Non-Reentrancy Enforcement: Strengthened for consistent protection.

• Ether Transfer: Enhanced with additional security measures.

All major issues identified have been resolved.

### Chronological list of all announcements made via Telegram and Discord

• 14 July 2024: Initial breach notification.

• 14 July 2024: MINTEREST - ADDRESSING STATUS/QUESTIONS ON RECENT BREACH

• 15 July 2024: Minterest Security Incident Post-Mortem Report

• 16 July 2024: Minterest Exploit Recovery and Current Status

• 17 July 2024: Latest Update on Minterest Exploit: Asset Remediation, Security Measures, and Community Support

• 18 July 2024: USDY Market Restored and Asset Remediation Progress

• 19 July 2024: Liquidation Reimbursements and Security Enhancements

• 20 July 2024: Emissions Active, Interest Rates Adjusted, and Ongoing Recovery Efforts

• 22 July 2024: Clearer Timelines and Next Steps

• 23 July 2024: Official remediation plan release.

• 24 July 2024: Update on Liquidation Fee Reimbursement and Remediation Plan

• 25 July 2024: Security Audit, Remediation Progress, and Upcoming Code Review

• 27 July 2024: Progress on Reopening, Upcoming Content, and Remediation Plan Details

• 31 July 2024: CEO Update: Important Developments and Direction Ahead of Minterest Reopening

• 02 August 2024: Awaiting Final Security Audit and Implementing Improvements

• 02 August 2024: Minterest Code Development Process: Overview and Transparency

• 03 August 2024: Security Audit Status, 40% Boost for Affected Suppliers, and Code Review Process

• 03 August 2024: Double Emission Rewards and Awaiting USDY Audit Report

• 05 August 2024: Rebalancing Process Underway

• 05 August 2024: USDY Security Audit Completed

• 06 August 2024: How the Protocol Repays Your Loan on Your Behalf During Rebalancing

• 06 August 2024: Minterest Protocol Reopening Update

• 06 August 2024: Minterest is Live Again
