Unfortunately, Nanex was targeted by a malicious user, and 311,000 XHV was stolen from Nanex customers in our community. This attack only affects those who held coins on Nanex; it has no impact on the wider Haven network.
How did this attack occur?
The attacker used a well-known, publicly identified exploit introduced by upstream Monero code, which we had already patched on July 7th 2018 in our 3.0.1 release. Because Nanex was still running the old 3.0.0 wallet, the exploit could still be used against it: it allows a user to trick the exchange's wallet into reporting more XHV received than was actually sent, so the exchange credits the depositor with coins that never arrived. More info here.
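The operational lesson of the paragraph above is that an exchange should never credit deposits on the word of a wallet it knows to be below the patched release. The following is an added example (not Nanex's or Haven Protocol's code) of a pre-flight deposit gate: it parses the wallet's version string, refuses to credit anything while the wallet is older than 3.0.1 (the Haven release named in this post as carrying the fix), and otherwise credits only transfers past a confirmation threshold. The function names, the `Transfer` record, the 10-confirmation default and the sample transfers are all assumptions constructed for the example so that it runs offline; a real deployment would feed it the version string and transfer list obtained from the wallet RPC.

```python
"""Pre-flight deposit gate for an exchange running a Monero-derived wallet.

Added example, not Nanex's or Haven Protocol's code. The minimum version
3.0.1 is the Haven release the post names as carrying the fix; the function
names, Transfer record, confirmation threshold and sample data below are
hypothetical and constructed so the example runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_PATCHED_VERSION = "3.0.1"

# Accepts "3.0.1", "v3.0.1" and "3.0.1-rc2" (suffix after the patch number is ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a wallet version string into a (major, minor, patch) tuple.

    Comparing tuples of ints avoids the lexical trap where "10.0.0" < "3.0.1".
    Unparseable input raises rather than silently passing the gate.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised wallet version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def wallet_is_patched(version: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True when the running wallet is at or above the release carrying the fix."""
    return parse_version(version) >= parse_version(minimum)


@dataclass
class Transfer:
    """Hypothetical shape of an incoming transfer as reported by the wallet."""
    txid: str
    amount: int          # atomic units, as reported by the wallet
    confirmations: int


@dataclass
class GateResult:
    credited: List[Transfer] = field(default_factory=list)
    held: List[Transfer] = field(default_factory=list)
    reason: str = ""


def gate_deposits(wallet_version: str, transfers: List[Transfer],
                  min_confirmations: int = 10) -> GateResult:
    """Decide which reported transfers may be credited to customer balances.

    If the wallet is below the patched version, every transfer is held no
    matter how many confirmations it has: the amount the wallet reports is
    exactly the value the exploit lets an attacker inflate, so it cannot be
    trusted until the software is upgraded and the wallet rescanned.
    """
    result = GateResult()
    if not wallet_is_patched(wallet_version):
        result.reason = (f"wallet {wallet_version} is below {MIN_PATCHED_VERSION}; "
                         "all deposits held until the wallet is upgraded")
        result.held = list(transfers)
        return result
    for t in transfers:
        if t.confirmations >= min_confirmations:
            result.credited.append(t)
        else:
            result.held.append(t)
    return result


if __name__ == "__main__":
    # Constructed sample data: one well-confirmed and one fresh deposit.
    sample = [Transfer("tx-a", 100_000, 12), Transfer("tx-b", 50_000, 2)]
    for version in ("3.0.0", "3.0.1"):
        r = gate_deposits(version, sample)
        print(version, "credited:", [t.txid for t in r.credited],
              "held:", [t.txid for t in r.held], r.reason)
```

The gate deliberately fails closed: an unparseable version string raises instead of being treated as "new enough", and an unpatched wallet holds every deposit rather than only the suspicious-looking ones, since the exchange has no independent way to tell an honest deposit from an inflated one while the bug is live.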
Because this was big news at the time, exchanges took Monero and Monero-based coin wallets offline as soon as the news broke. We did not reach out to any exchanges directly about this problem, as they were already aware and had updated.
Nanex was not aware of this exploit or of our update, which is extremely unfortunate and certainly came as a surprise to the Haven Protocol team. We were not aware that Nanex keeps their code up to date based on direct message updates from development teams, or that there was a requirement for us to send one, especially given the widespread news and knowledge of this bug.
Best case scenario:
Talking with Nanex, the attacker appears to have used a personal email and a residential ISP. I have great confidence that, under the extreme legal ramifications the hacker will be facing, we should see a return of the lost funds.
Do not leave any coins on any exchange. This is an important rule that is continually ignored in the crypto community. That said, the Haven Protocol team does feel sympathy for those who risked, or may end up losing, their coins. This is a major blow to our community.
It is very disheartening to have fixed an issue only for it to be exploited anyway. From now on, the Haven Protocol team will always reach out directly to exchanges about any update, irrespective of whether we are required to do so or how widely the issue is already known. We regret the damage caused by this event and will not let something as trivial as a miscommunication cause something like this again.