I’ll keep this simple and to the point.
No need to FUD or panic. Funds are safe and no contracts were exploited or compromised.
As some of you are aware, on Friday we had a malicious actor compromise our Live Wallet API we use to sync data. They were able to manipulate the Live Wallet into thinking massive wins had taken place causing the bankroll to go negative and freezing staked funds temporarily.
Thanks to our devs and some help from the community (looking at you LoOTche), the bad actor wallets were rapidly identified, blacklisted, and some funds recovered.
Once funds and contracts were indeed safe, we did a deep dive post mortem to find out what happened.
It appears as though a member from the previous development team made a repository public that contained sensitive API info, which was then used exploit the API. While I do not think the previous team member acted maliciously, they are in Ukraine, and at this point unreachable. It’s likely they aren’t even aware of the trouble they’ve caused.
So, since the issue has been pinpointed, let’s take a second to look at the positives of this.
- As weird as it sounds, it’s good the price of $CRUSH is low atm. This means that the price was only lowered by 1 cent. I know that still sucks, but I’m glad it happened now before we launch everything we have coming meant to build the price back up.
- We were already in the process of updating the Live Wallet functionality as we gear up for partner Live Wallets. We have been in process of moving servers as is, so this is just another solemn reminder that as a casino we will always be a target, and to further bulletproof our ecosystem.
- Thank god our current devs are competent and this is the last time we’ll face any surprises from the original team.
So what’s next?
We’ll be moving everything along as previously planned. Once updated, we’ll be topping off the Bankroll and adding additional buffer. We were already planning a full reset of this as mentioned in my last update so this just reiterates that.
We will also be working to harden every point of our APIs, by adding new validations and security layers. We’re discussing an increase tracking of rolls and gameplay for any reported win or loss to revalidate our gameplay records. Ensure all incoming requests are from only dragon games servers (although there is no guarantee to ensure origin of a request as these things can be spoofed, but its another way to add roadblock). As we migrate everything to new hosts, we can add additional blacklisting methods so in future if we notice malicious actors we can block them from our systems.
To summarize, this has been a very unfortunate event, however it managed to happen at an opportune time and will allow us to further protect ourselves against bad actors in the future as we scale.
If you have any questions please don’t hesitate to ask in chat. Don’t forget to thank LoOTche for being a rockstar and helping us out on Friday!