Haven Protocol: Technical Overview of June 2021 Exploits

Introduction

Starting from June 22, 2021, hackers attacked Haven Protocol, exploiting several related vulnerabilities. This report explains the impact of these exploits, how they were resolved, next steps for the project, and our key learnings.

  1. xJPY to xBTC conversion/transfer
  2. Hidden burn/mint amount bug
  3. Zero value price record due to oracle being disabled

Issue Summary

The recent investigations have been extensive, with both internal and external input, leading to the identification of several bugs and issues.

Exploit Analysis and Rollback

The only way to remove the effect of the exploits from the blockchain is to conduct a rollback. This section discusses the pros and cons of a rollback, and the optimum cut-off point.

  • Time: 2021-06-27 22:21:08
  • xJPY to xBTC conversion: Total exploit of 112.2 xBTC
  • Grand total of 125.66 xBTC and 202,920 xUSD
  • Cons: Transactions after 886575 will be reversed
  • Cons: Hackers will be left holding a large volume of XHV (possibly 11m XHV), and supply figures will be unknown

Technical Documentation of Exploits

1. Miner reward validation

  • Value of exploit: 2 equal transactions totaling 13.46 xBTC and 202,920 xUSD
  • Value of exploit: 2 transactions totaling 112.2 xBTC
  • Value of exploit: It is not possible to determine the value of these exploits.

Current Development Plan

Scheduled fork

  • Increase xAsset conversion fee to 0.5%
  • Implement 80% burn on xAsset conversion fee
  • Split balance of xAsset conversion fee evenly between miner and governance wallets
  • Remove failed conversion transactions from the tx pool at the point of failure, rather than 24 hours later (caused by the tx pricing record height being older than ten blocks)
  • Fix integer overflow bug on supply page — causing circulation discrepancies
  • Fix exploits — done
  • Complete proof of coin — 70% done
  • Testing (inc. 3rd party) — ongoing
  • Fork/potential rollback/open exchanges — final step

Lessons Learned from the Hack

In addition to the code updates discussed above, it is critical we learn from these experiences and fix the problems that have led to these issues. The key learnings are:

  • Implement a master, develop, feature, and hotfix branch to make the process more open.
  • We will maintain a standard of requiring unit tests that cover all edge cases before merging a feature branch into the development branch.
  • Pull requests will be transparent and reviewable by all. 2 members of the team must sign off on all PRs (any 2 of Neil, Akil, or Justin).
  • Rewrite Monero’s unit tests for Haven. Run these in a CI/CD process for every PR.
  • Spend as much time as necessary reviewing every instance in the code where invalid inflation can feasibly be introduced.
  • Add unit tests for each bullet below. Community members can aid us in adding tests, and we can develop an increasingly large list that is provably tested against and permanently included in the suite of tests that runs on every PR merge in the CI/CD pipeline:
      • Transaction creation.
          • Use modified conversion rates.
              • Convert XHV <> xAsset, xAsset <> different xAsset.
          • Incompatible transfer types.
              • XHV <> xUSD, XHV <> xAsset, xUSD <> xAsset, xAsset <> different xAsset.
              • Multiple assets: XHV <> xUSD + xAsset, XHV <> xAsset + different xAsset, xUSD <> xAsset + different xAsset.
          • Utilize older fee versions from before xAssets and xUSD were introduced.
          • Utilize Monero’s older tx versions to generate new output types.
              • Hard fork should probably simply prevent tx.version < 3.
      • Miner transaction.
          • Include minted coins of various assets, using various constructions with a keen eye on conditional logic.
      • Pricing record.
          • Arbitrary prices.
          • Use an earlier time stamped pricing record.
          • 0 values for any price.
          • 0 value for the signature and arbitrary prices.
  • Scan the chain for any transactions or pricing records included which may have utilized any of the mechanisms above to create hidden inflation.
  • A generous bug bounty program.
  • Weekly or bi-weekly technical calls for anyone in the community to join and discuss technical ideas implemented and being considered for implementation in the future.
  • Haven improvement proposals (HIPs).
      • Repository to keep track of improvement proposals to Haven, and offer a forum for streamlined, transparent, asynchronous discussion.
      • PRs will be managed by 2 people from the team.
  • Implement a robust decentralized voting mechanism.
  • Design and implement proof-of-coin to allow us to be confident the transparent amount minted and amount burnt on transactions is accurate going forward.
      • This will be reviewed, vetted, and validated by experts in cryptography, both the mathematical logic behind it, as well as the implementation.
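
The pricing-record cases in the test list above (zero prices, a zeroed signature with arbitrary prices, an older record) and the ten-block age limit mentioned in the fork plan can all be enforced by one validation function with a test per case. The C++ below is an added example, not Haven's code: the struct, field names, result enum and sample values are assumptions, and oracle signature verification is represented by an injected callback rather than real cryptography.

```cpp
#include <array>
#include <cstdint>
#include <functional>
#include <map>
#include <string>

// Simplified stand-in for a pricing record; all names here are assumptions.
struct PricingRecord {
    std::map<std::string, uint64_t> prices;  // asset -> price, atomic units
    uint64_t height = 0;                     // block height the record is for
    std::array<uint8_t, 64> signature{};     // oracle signature bytes
};

enum class PrCheck { Ok, ZeroPrice, NullSignature, BadSignature, FromFuture, Stale };
constexpr uint64_t MAX_RECORD_AGE = 10;  // blocks; the ten-block limit on the page
// Oracle signature verification is injected; this example does no real crypto.
using SigVerifier = std::function<bool(const PricingRecord&)>;

PrCheck check_pricing_record(const PricingRecord& pr, uint64_t chain_height,
                             const SigVerifier& verify) {
    if (pr.prices.empty()) return PrCheck::ZeroPrice;
    for (const auto& kv : pr.prices)
        if (kv.second == 0) return PrCheck::ZeroPrice;  // e.g. oracle disabled
    bool null_sig = true;
    for (uint8_t b : pr.signature) null_sig = null_sig && (b == 0);
    if (null_sig) return PrCheck::NullSignature;    // rejected before verify()
    if (!verify(pr)) return PrCheck::BadSignature;  // arbitrary prices
    if (pr.height > chain_height) return PrCheck::FromFuture;
    if (chain_height - pr.height > MAX_RECORD_AGE) return PrCheck::Stale;
    return PrCheck::Ok;
}

// Constructed sample record (values are made up for the example).
PricingRecord sample_record() {
    PricingRecord pr;
    pr.prices = {{"xUSD", 3200000000000ULL}, {"xBTC", 95000000ULL}};
    pr.height = 1000;
    pr.signature.fill(0xAB);
    return pr;
}

// Toy verifier: "valid" means the prices are exactly those of sample_record().
bool toy_verify(const PricingRecord& pr) { return pr.prices == sample_record().prices; }

int main() {
    PricingRecord zero = sample_record();
    zero.prices["xBTC"] = 0;
    return check_pricing_record(zero, 1005, toy_verify) == PrCheck::ZeroPrice ? 0 : 1;
}
```

Each result of `PrCheck` maps to one bullet in the pricing-record list, so a regression suite can assert the exact rejection reason rather than only pass/fail.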

Pool Operators

Mining rewards are currently 5,000 XHV per day. Pool operators stand to lose out if the rollback occurs.

Voting on Decisions

We’ve long known that as the decisions become more important, the voting process needs to improve. Over the long term, we aspire for a robust and fully decentralized mechanism to empower the Haven Protocol community and contributors.

Conclusion

We recognize that many of the mitigation actions detailed here are reflective of centralized protocols. As outlined in The Path Ahead this past April, our goal has been and continues to be to move Haven towards an entirely decentralized future. We continue to believe we are 18–24 months from that state. In the meantime, we elected to make painful decisions at present that we felt protected new and old investors alike, that did not compromise Haven Protocol’s ultimate mission, and that would provide the community the highest degree of confidence in the privacy and security of their holdings.
