The VeChain Foundation has reportedly been hacked, with the loss totaling about 2% of the coin’s entire current supply.
An initial announcement on the Foundation buy-back address. https://t.co/hohKF4J0fE
— VeChain Foundation (@vechainofficial) December 13, 2019
Earlier today, the VeChain Foundation reported that the foundation’s VET buyback address had been compromised. This resulted in the loss of approximately 1.1 billion tokens according to the official announcement:
“December 13, 8:27pm (UTC+8), the VeChain Foundation buyback address was compromised. Approximately 1.1 billion VET tokens in this address were transferred into 0xD802A148f38aBa4759879c33E8d04deb00cFB92b, the hacker’s address. All the addresses associated with the said hacker’s address have been tagged on VeChainStats, the list is automatically updated as soon as the hacker sends any funds from the original hacker’s address.”
The tokens taken in the VeChain hack constitute a significant portion of the coin’s present circulating supply, about 2% of the roughly 55 billion total. As a result, the coin’s market capitalization dropped sharply, by roughly 3.5% within an hour.
Loss due to human error/misconduct?
According to the Foundation’s announcement, the VeChain hack may have been the result of misconduct by a member of the Foundation’s finance team that went undetected due to human error, leaving an attack vector for a hacker to exploit:
“We have launched an investigation into every fact around the address to determine the motive, method, and data flow behind this malicious act. We have narrowed down the possibilities enough to lead to a highly probable theory. Security breach was most likely due to misconduct of one of the team members within our finance team, who have created the buyback account without thoroughly obeying The Standard Procedure approved by the Foundation, and our auditing team did not pick up this misconduct, due to human error.”
The Foundation emphasized that its standard security procedures themselves had not failed; rather, the breach occurred because those procedures were not adequately followed in this particular case.
Decentralized treasuries, like Dash’s, mitigate hacking risks
The VeChain hack emphasizes the benefits of a decentralized and trustless treasury for a project’s funding model, such as the one employed by Dash. In the Dash model, 10% of the coin’s supply is created at the end of a monthly period and distributed to contractors who receive a net 10% of the network’s vote. This means there is no central repository of funds to hack; instead, individual projects receive funds, as they are created, directly at the addresses supplied.
While a decentralized treasury model removes the centralized honeypot that attracts hackers, as in the VeChain hack, it nonetheless creates new sets of considerations. As a key example, two years ago several Dash treasury proposals were not funded despite receiving enough votes, due to a technical issue with the multisignature receiving addresses supplied.