HGraph Punks Wallet: Reclaimed
WE HAVE REGAINED ACCESS TO OUR WALLET.
WHITE HAT HACKER RETURNED KEYS AND WE RESET THEM.
TL;DR
- How our keys were stolen: The private key was compiled into our React front-end code from server environment variables. The hacker decompiled that code in their browser and got the key. This was an oversight in the Drop 1 code, which Patches rushed to release too quickly.
- No evidence Turtle Moon systems were compromised
- We have no evidence any user information was taken or compromised. Reviewing logs in the database, we don’t see anything unusual.
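A pre-deploy check for the leak described in the TL;DR, as an added example that is not HGraph Punks or Turtle Moon code: it scans built front-end JavaScript for the values of secret environment variables and for hex-encoded Ed25519 private keys in PKCS#8 DER form. The variable names, the sample key and the bundle strings are constructed for illustration, and the key format is an assumption about what such a key would look like.

```javascript
// Added example: fail a front-end build when a secret reaches the shipped bundle.
// Every name and value here is constructed for illustration.

// Hex-encoded PKCS#8 DER header of an Ed25519 private key, then the 32-byte key.
const ED25519_DER_KEY = /302e020100300506032b657004220420[0-9a-f]{64}/gi;

// Returns one finding per leak. Findings carry offsets, never the secret itself,
// so the scanner's own output is safe to keep in CI logs.
function findLeakedSecrets(bundleText, env, secretNames) {
  const findings = [];
  const haystack = bundleText.toLowerCase(); // hex keys may be upper or lower case
  for (const name of secretNames) {
    const value = env[name];
    if (!value || value.length < 8) continue; // unset or too short to match reliably
    const offset = haystack.indexOf(value.toLowerCase());
    if (offset !== -1) findings.push({ rule: "env-value", name, offset });
  }
  // Also catch key material that is not in the current environment,
  // for example a key hard-coded during an earlier release.
  for (const match of bundleText.matchAll(ED25519_DER_KEY)) {
    findings.push({ rule: "ed25519-der-key", name: null, offset: match.index });
  }
  return findings;
}

// Constructed sample data (not a real key, not a real bundle).
const SAMPLE_KEY = "302e020100300506032b657004220420" + "ab".repeat(32);
const SAMPLE_ENV = { OPERATOR_KEY: SAMPLE_KEY, API_TOKEN: "constructed-token-1234" };
const LEAKY_BUNDLE = `var k="${SAMPLE_KEY}";sign(k);`;
const CLEAN_BUNDLE = `fetch("/api/mint",{method:"POST"});`;

console.log(findLeakedSecrets(LEAKY_BUNDLE, SAMPLE_ENV, ["OPERATOR_KEY", "API_TOKEN"]));
console.log(findLeakedSecrets(CLEAN_BUNDLE, SAMPLE_ENV, ["OPERATOR_KEY", "API_TOKEN"]));
```

In CI this would run over every file in the build output directory and fail the build on a non-empty result. It is a backstop only: the signing key still has to stay on the server side, out of any variable the front-end build can read.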
Where do we go from here?
This is a large setback for us. We were hoping to use the HBAR in the wallet for seed funding of Turtle Moon and push forward and build infrastructure for the Hedera NFT community.
In short, we are still committed to that mission. We will now also focus on building the tools necessary to help our holders exchange their punk. We need to switch users over to a new punk so the thief doesn’t continue to collect royalties from these NFTs.
Turtle Moon Launchpad (TMLP)
We are still working on our launchpad and our wallet solution.
To help make sure we do this in the most efficient and safe way, we have a new CTO: Splash. He is very well versed in cloud architecture and security. He brings a wealth of development experience to our team.
Launchpad Security
All escrow private keys are stored on serverless functions that don’t have the same vulnerability as the Drop 1 codebase did. The minting process will be 100% safe for users. Just associate the token, send HBAR, and the minted NFT will be sent to the wallet.
We’re creating new wallets to mint into for all projects on the launchpad. After minting is completed, we’ll turn the wallets over to the projects and reset the private keys so only the project owners will have access to their minting wallets.
Turtle Moon Wallet (TMW)
We are still creating an NFT-centric wallet. Our timelines are pushed back due to the loss of our funds and the time it’ll take to remedy the situation.
As we build the wallet API and infrastructure, we will do pen tests and plan to get security audits to confirm our systems are secure and up to par with industry standards. The TMW wallet will be non-custodial and your private keys will never leave the device, securing our customers’ data and keys in the process.
Q&A
Final Statement
My carelessness has let down both my team and the Hedera NFT community. In my attempt to be the fastest to market for our punk community, I jeopardized both the future of our project and my team’s livelihood. I deeply regret my actions and you have my heartfelt apology.
Malicious activity is rampant in crypto and my rushing to our drop site was the wrong call. I will do better in the future, and won’t let speed get in the way of what needs time and attention to detail.
Thank you for your support and understanding,
Patches