Minotaur Money: Hack, Loss, and Recovery Plan

Dear Minotaurs,

Unfortunately, yesterday, our admin wallet was victimized by a hack that saw the hacker gain access to its private keys. We have been working around the clock to triage the situation, and it is rapidly developing, but we owe you a substantive update. In this post, we will describe what happened, what is being done about it, and our tentative recovery plan from the incident. Although the situation is unfortunate, all core team members are still involved and actively dedicated to making Minotaur Money a success.

What Happened

The private keys to both the Minotaur Money admin wallet and the personal wallet of admin OGBitcoiner (Uranus) somehow fell into the hands of an attacker. We do not know the identity of the perpetrator or the specific attack vector, but based on their actions, they seem to have a high level of expertise and experience at crypto theft and social engineering.

At about 2pm GMT on 5–18, the following two wallets began making unauthorized transactions while under full control of the hacker:

https://cronoscan.com/txs?a=0x4E5D385E44DCD0b7adf5fBe03A6BB867A8A90E7B

https://cronoscan.com/txs?a=0x00B1200b448a3ADAA10257FC415FCa29d422e637

The first wallet (ending in 7B) is the Minotaur Money admin wallet. The hacker then transferred funds to the following address:

https://cronoscan.com/address/0x4f8fc1a26c60714df6094398afc46a7ff125dc17

The transaction history of that address ends in an AnySwap bridge outbound transaction. The hacker’s other routing address seems to be:

https://etherscan.io/address/0xc4fe297c0f3cc7ee0bb8b69e6ce7cf05ad332291

The hacker seems to have taken the following actions with respect to Minotaur Money’s assets:

  1. Withdrew and swapped the MINO tokens held by the DAO account, which negatively impacted the MINO token price;
  2. Withdrew, removed liquidity, and swapped the DAO’s farming positions in Mad Meerkat Optimizer and Savanna Finance;
  3. Sent $150,334 USDT via an AnySwap Bridge outbound transaction;
  4. Received the USDT on the ETH blockchain and began distributing it to different addresses via ChangeNOW.

Unfortunately, that is where our ability to track the funds currently ends. We cannot determine the outputs of the ChangeNOW transactions because the ChangeNOW exchange allows users to swap directly to Monero with no KYC, and Monero transactions are completely untraceable.

I personally apologize to all those affected, as I was the individual responsible for keeping those private keys secure, and I failed to prevent the keys from falling into the wrong hands. Although the specific attack vector is currently unknown, I will take the necessary steps to improve the security of all my future accounts.

The Current Situation

When we realized what had happened, the team immediately triaged all of Minotaur’s remaining assets. The following assets are still under control of the DAO:

  • Admin privileges to the untouched treasury (totaling $196,790) were transferred to the Deployer account
  • The protocol-owned liquidity tokens are still present in the treasury
  • 133,104 sMINO held in the Deployer account did not need to be moved

Because the Deployer account is not compromised and is under another trusted individual’s control, there is no further imminent danger, and we do not intend to deprecate the MINO token as a result of the incident. Therefore, if investors wish, they may still purchase MINO tokens. The DAO now has no MINO tokens, but the treasury has $196k in blue chip tokens, and the DAO can go on functioning in its current state, although we now have an obligation to increase the health of our finances.

Response/Recovery Plan

We are pursuing the following possible recovery methods:

  • We have reached out to several blockchain security contacts and hope to initiate a full-scale investigation;
  • We have reached out to other organizations that may have information, such as RPC providers;
  • We have attempted to message the hacker via Blockscan Chat and an email address that may be associated, with the intention of attempting to negotiate a white hat fee and the return of substantial funds;
  • We will initiate a police report with law enforcement if an agreement to return funds is not made by the start of business on Friday, 5–20–2022;
  • We will investigate legal options regarding ChangeNOW, the service the hacker used to exit.

However, despite our best efforts, we may not end up being able to track these transactions any further after they entered ChangeNOW. Therefore, we should come up with a plan of action in the likely event that we cannot regain possession of the stolen coins.

Luckily, the team has been working on a new project in which Minotaur Money will be given an opportunity to purchase seed equity. Specifically, the project will be an algorithmic stablecoin based on USDC that combines the mechanics of Tomb and Iron Finance. Both seigniorage and partial collateralization will be employed in the system, so the stablecoin will be mintable and redeemable for USDC + share token in different ratios. The redemption ratio will always be based on the current collateralization ratio, so there will be no redemption shortfall.

We believe that the inclusion of both the seigniorage and partial collateralization systems will strengthen both aspects of the project. Seigniorage often fails because the bonding system does not really work: it does not generate direct spot purchases on the LP. However, when the stablecoin is priced below peg, the partial collateral redemption cycle should generate those spot purchases. Furthermore, in partially collateralized projects like Iron Finance, one of the reasons why the share token dropped to zero price was its lack of fundamental utility. In our system, the share token will have a Boardroom pool that receives stablecoin emissions. Therefore, it should maintain value better than something like Iron Finance’s Titan, which was used only for minting and yield.

The team intends to offer Minotaur Money the entire equity share of emissions for $100,000. This would give Minotaur approximately 10% of the system’s overall share token and stablecoin emissions. As this will be the first system of its kind, we believe that Minotaur could make a large profit on the emissions. Because Minotaur Money DAO now needs to rebuild its allocation of DAO tokens, some of the profits will be used to buy back MINO tokens. Furthermore, the system will have a genesis pool that accepts wsMINO deposits, and Majestic Minotaurs will be able to be staked in the pools for a 3% yield bonus per NFT (up to 5 NFTs per pool).

However, this offer is subject to the DAO token holders’ approval. Because the MINO token market cap is now below treasury backing, the token holders may prefer to wind down Minotaur Money and distribute the risk-free value (RFV). This means that the DAO would end and the treasury ($196,000) would be distributed proportionally to token holders. Therefore, when release of the algo stable project is imminent, we will hold a Minotaur Money governance vote with the following options:

  1. Invest in seed equity in the algo stable project, or
  2. Wind down Minotaur Money and distribute RFV

We feel that an option to do nothing is not necessary in this situation, as the MINO token market cap is no longer above backing. However, we welcome any feedback from the community, and these plans are subject to modification in response to community opinions. We sincerely appreciate all the support shown so far regarding the possibility of future projects, and we hope this algo stable project will generate significant income and buybacks for Minotaur. Thank you for still being with us, and stay tuned for the full announcement of the algo stable project, which will take place very soon!
