Staking Bug Prevention: Review of Events (No Funds Stolen)

If you haven’t unstaked yet, immediately follow the instructions here or you risk losing your funds: https://dexfolio.medium.com/staking-bug-found-follow-these-instructions-immediately-dont-worry-no-funds-lost-b5ece2df2536

tl;dr: Our approach to protect user funds was chosen by our team with guidance from the experts at immunefi. This was hands down the best way to handle this specific bug to ensure the safety of everyone’s funds. All funds protected so far (unstake if you haven’t yet!)

We were notified of a bug in the staking contract through the Immunefi’s Bug Bounty. We had to get unstaking instructions to our investors immediately to protect their funds.

It’s important to keep in mind that every contract is susceptible to vulnerabilities, and that’s why audits and bug bounties exist. In this case, we did both. And there’s a reason bug bounties are gaining popularity: The bug bounty uncovered a bug that the auditors and our developers missed.

Why We Made a Fake Announcement

Since this bug could be exploited at any time, we could not reveal the existence of the bug or else we would compromise the users funds a lot more. (A contract with a that’s revealed to be exploitable is much riskier).

Further, since the staking contract is controlled by governance, we could not fix the issue by deploying new code.

We were left in a difficult situation: We needed to have as many people unstake at the same time when the bug is revealed, but that meant we needed everyone online at the same time when we reveal the bug announcement. How could we get everyone online together?

With Immunefi’s guidance, we decided to create a mystery announcement telling everyone to be online on Aug 20 at 13:00 UTC. This would ensure as many community members as possible were online together, allowing everyone to unstake at the same time.

Additionally, we tracked down the highest value stakers, since we wanted to make sure they would be online during the announcement. We only had the addresses of the largest stakers, but had no way to contact them, so we made an announcement that we want to reward the largest stakers, and thankfully this announcement allowed us to get in touch with our highest stakers.

This direction was chosen by our team with guidance from the experts at Immunefi. This was hands down the best way to handle this specific bug in the contract to ensure the safety of everyone’s funds.

We are sorry for creating fake excitement and causing people to change their schedule. We only did this to protect everyone’s money.

This is a promise: We will do anything in our power to protect your funds. We take this responsibility seriously.

What Happens to The Staking Rewards that You Earned?

After staking is fixed, everyone that unstaked will have the choice to restake to get back their earned rewards.

When you restake, we will aim to give you back all the rewards you are owed (we have a complete snapshot of everyone’s rewards right before the unstaking announcement)

A multi-DEX tracker with an intelligent alert system. $DEXF, our native token runs on Binance Smart Chain and is used for governance and pro features.