How did the exploit happen on the Leonicorn ecosystem?
The hacking incident
Our team successfully rolled out the merging of our ecosystem tokens into one token on January 4th 2023. The launch of our GameFi and reward-sharing system followed on January 5th 2023. Launching our GameFi and reward-sharing system required that we fund our DEN with $LEON, $BUSD, $BNB and $ZBG. Unfortunately, on the same day as the launch of our reward-sharing model, a malicious actor managed to gain access and clean out all the tokens in our DEN (Reward Pool). This included 360M $LEON, around 22k $BUSD, 450 $BNB, and 10k worth of $ZBC. The malicious actor immediately sold all the stolen $LEON tokens on our DEX and thus drained our liquidity pool. The sell-off of the stolen $LEON tokens resulted in about a 95% price drop.
Below are the details of how the hacker succeeded:
Our DEX and Devdex environment had the following React property enabled by default (this is enabled by default for all React apps, even apps like PCS):
We suspect that the hacker could use a debugger to access the source code of our frontend via both devdex and our dex to search for our private keys used to access our backend.
This exposed our backend API’s authentication key, allowing the hacker to call our backend to get access to our Den wallet’s private key used to interact with the payment wallet autonomously.
The code has since been obfuscated.
Leonicorn Swap Caves, Single Locked Staking, Merge and the Farming pool are all safe. Only the Den wallet was affected by this exploit.
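The failure described above is a secret shipped inside client-side code: anything in a frontend bundle can be read by whoever loads the page, and obfuscation does not change that. As an added example (not Leonicorn's code; the rule ids, patterns and constructed sample bundles are assumptions), a pre-deploy check in Node.js that flags key-shaped strings and source map references in build output:

```javascript
// Added example: scan built frontend output for values that must never reach a browser.
// Rule ids, patterns and the sample bundle are assumptions, not Leonicorn's code.
const RULES = [
  // 32-byte hex string: the shape of an EVM private key. Hashes match too, so review hits.
  { id: 'hex-32-byte', re: /(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])/g },
  // Secret-looking identifier assigned a string literal of 8+ characters.
  { id: 'named-secret',
    re: /\b[\w$]*(?:api[_-]?key|auth[_-]?key|secret|private[_-]?key)[\w$]*\s*[:=]\s*["'`][^"'`]{8,}["'`]/gi },
  // Source map reference: lets a browser debugger display the original source files.
  { id: 'source-map-ref', re: /\/\/[#@]\s*sourceMappingURL=\S+/g },
];

// Returns one finding per match, ordered by line. Only a short prefix of the match is
// kept so the report itself does not copy a secret into CI logs.
function scanBundle(file, text) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ file, rule: id, line, preview: m[0].slice(0, 10) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// A build passes only when nothing was flagged in any file.
function buildIsClean(files) {
  return Object.entries(files).every(([name, text]) => scanBundle(name, text).length === 0);
}

// Constructed sample: a minified bundle with an inlined backend key and wallet key.
const SAMPLE_BUNDLE = [
  '(()=>{const cfg={apiBase:"https://api.example.invalid",',
  'backendAuthKey:"EXAMPLE-not-a-real-key-0001"};',
  'const signer="0x' + 'ab'.repeat(32) + '";', // 64 hex chars, key-shaped
  'const token="0x' + 'cd'.repeat(20) + '";',  // 40 hex chars, an address: not flagged
  'fetch(cfg.apiBase)})();',
  '//# sourceMappingURL=main.0000.js.map',
].join('\n');

// Constructed sample: the same bundle with secrets kept server-side and no source map.
const CLEAN_BUNDLE = '(()=>{fetch("https://api.example.invalid/rewards")})();';

for (const f of scanBundle('static/js/main.js', SAMPLE_BUNDLE)) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.preview}...`);
}
console.log('clean build passes:', buildIsClean({ 'main.js': CLEAN_BUNDLE }));
```

A hit from this check means the value has to move behind the server and be rotated; hiding it better in the bundle is not a fix.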
Reconstruction of Leonicorn Swap
We are planning to raise emergency funding of $500,000 to enable us to resume operations. At the moment we are exploring all opportunities available to secure this funding.
What the Emergency fund will help us accomplish
Specifically, the funding will help us accomplish the following:
1. Set a liquidity pool which will ensure equivalent market value for ecosystem tokens prior to the exploit.
2. Resume operations and continue with our plans for growth
3. Have reserve funding for uninterrupted operations
4. Improve security of our ecosystem
5. Restore and deepen faith & confidence in the vision of the Leonicorn ecosystem.
We have an elaborate plan for recovery that will ensure we can resume operations in full force after implementing additional protocols and security layers to eliminate the recurrence of the exploit. Our recovery plan includes:
- Moving all remaining funds to new Treasury Wallet
- Fixing all security vulnerabilities
- Redeploying all DEX contracts
- Obtaining a list of holders as of January 6th 12:38 AM UTC (that is, before the exploit)
- Creating a new ecosystem token, $LEONS
- Reducing supply from 4B to 400M and airdropping to users based on a 10:1 ratio.
- Airdropping the new token to holders from before the hack.
- Opening a liquidity pool for the new token, ensuring the starting price is equivalent to $.047, which is a 10x higher price.
Extra security measures
We intend to use bounty platforms and audit reviews to test our ecosystem before deployment. Additionally, we will implement internal protocols that will limit the recurrence and/or impact of future events.
Some of our Success stories the day we launched Gamefi
Social Media links
Telegram — https://t.me/leonicornswap
Medium — https://swapleonicorn.medium.com/
Twitter — https://twitter.com/swapleonicorn
Facebook — https://web.facebook.com/leonicornswap
Github — https://github.com/Leonicornswap
Discord — https://discord.com/invite/bG9RqyGKwE