HGraph Punks Wallet: Reclaimed

WE HAVE REGAINED ACCESS TO OUR WALLET.

WHITE HAT HACKER RETURNED KEYS AND WE RESET THEM.

TL;DR

  • How our keys were stolen: The private key was compiled in our react front-end code from server environment variables. The hacker decompiled that code in their browser and got the key. This was an oversight from Drop 1 code Patches rushed too quickly to release.
  • No evidence Turtle Moon systems were compromised
  • We have no evidence any user information was taken or compromised. Reviewing logs in the database, we don’t see anything unusual.

Where do we go from here?

This is a large setback for us. We were hoping to use the HBAR in the wallet for seed funding of Turtle Moon and push forward and build infrastructure for the Hedera NFT community.

In short, we are still committed to that mission. We will now also focus on building the tools necessary to help our holders exchange their punk. We need to switch users over to a new punk so the thief doesn’t continue to collect royalties from these NFTs.

WE HAVE REGAINED ACCESS TO OUR WALLET.

HACKER RETURNED KEYS AND WE RESET THEM.

Turtle Moon Launchpad (TMLP)

We are still working on our launchpad and our wallet solution.

To help make sure we do this the most efficient and safe way, we have a new CTO: Splash. He is very well versed in cloud architecture and security. He brings a wealth of development experience to our team.

Launchpad Security

All escrow private keys are stored on serverless functions that don’t have the same vulnerability as the drop 1 codebase did. The minting process will be 100% safe for users. Just associate token, send HBAR, and the minted NFT will be sent to the wallet.

We’re creating new wallets to mint into for all projects on the launchpad. After minting is completed, we’ll turn the wallets over to the projects and reset the private keys so only the project owners will have access to their minting wallets.

Turtle Moon Wallet (TMW)

We are still creating an NFT centric wallet. Our timelines are pushed back due to the loss of our funds and the time it’ll take to remedy the situation.

As we build the wallet API and infrastructure, we will do pen tests and plan to get security audits to confirm our systems are secure and up to par with industry standards. TMW wallet will be non-custodial and your private keys will never leave the device, securing our customer’s data and keys in the process.

Q&A

WE HAVE REGAINED ACCESS TO OUR WALLET.

HACKER RETURNED KEYS AND WE RESET THEM.

Final Statement

My carelessness has let down both my team and the Hedera NFT community. In my attempt to be the fastest to market for our punk community, I jeopardized both the future of our project and my team’s livelihood. I deeply regret my actions and you have my heartfelt apology.

Malicious activity is rampant in crypto and my rushing to our drop site was the wrong call. I will do better in the future, and won’t let speed get in the way of what needs time and attention to detail.

Thank you for your support and understanding,
Patches

--

--

--

Turtle Moon is a company creating tools and infrastructure for the Hedera NFT community. HGraph Punks is an NFT project being created by the same team.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

ICS summary 2021

Second quarter of 2021 complete!

An Overview of the PCI S3 Framework

Ethical Hacking, PenTesting and InfoSec— Roadmap

Business Logic Errors - A New Look

{UPDATE} Escape Game - Wonderland Hack Free Resources Generator

XSS via Exif Data - The P2 Elevator

How do LVT’s work?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Turtle Moon

Turtle Moon

Turtle Moon is a company creating tools and infrastructure for the Hedera NFT community. HGraph Punks is an NFT project being created by the same team.

More from Medium

BOSAGORA, signed a partnership with CROWDY

What is Axelar?

Acala (ACA) Gets Listed on KuCoin! World Premiere!

Blockchain Technology in 2022: One Reason to Use Each of Four Platforms