A Post-Mortem On The Ref Finance Exploit
What Happened?
On August 14 at around 11am UTC (block 45195764), our dev team deployed a hotfix to an issue in the Ref Finance contracts. Prior to the fix, users who unstaked all of their tokens from the farm contract were unable to remove the deposited liquidity from the pool. This happened because the user's NEAR account had been unregistered from the LP token contract; account registration is a feature of NEAR tokens that generally aids the user experience.
While the hotfix solved that issue, it introduced a new one: the contract no longer debited users' LP token balances when they removed liquidity. Because the balance check passed again on every call, a small number of users were able to remove liquidity repeatedly with the same LP tokens, receiving far more tokens than they were entitled to.
In total, 507,000 NEAR and ~1 million REF tokens were withdrawn using this exploit. Over 400,000 of the NEAR were sent to Binance and Huobi.
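To make the accounting failure concrete, here is a minimal model of LP-share redemption with the hotfix's omission beside a corrected version. This is an added example written for this post-mortem, not Ref Finance's contract code: the pool, account names and amounts are constructed, a single token reserve stands in for the pool's two reserves, and the simulation simply calls remove-liquidity repeatedly with the same share amount, which is the pattern the exploit relied on.

```rust
use std::collections::HashMap;

/// Minimal model of LP-share accounting in an AMM pool (illustration only,
/// not Ref Finance's code). Shares redeem pro rata against `reserve`.
#[derive(Debug, Clone)]
pub struct Pool {
    /// LP share balance per account.
    pub shares: HashMap<String, u128>,
    /// Sum of all outstanding shares.
    pub total_shares: u128,
    /// Pooled token amount (a real pool has one reserve per token).
    pub reserve: u128,
}

impl Pool {
    pub fn new(reserve: u128, lps: &[(&str, u128)]) -> Self {
        let shares: HashMap<String, u128> =
            lps.iter().map(|(a, s)| (a.to_string(), *s)).collect();
        let total_shares = shares.values().sum();
        Pool { shares, total_shares, reserve }
    }

    /// Tokens that `amount` shares redeem for at the current ratio.
    fn payout(&self, amount: u128) -> u128 {
        if self.total_shares == 0 { 0 } else { self.reserve * amount / self.total_shares }
    }

    /// The most an account should ever be able to withdraw: its whole balance, once.
    pub fn entitlement(&self, account: &str) -> u128 {
        self.payout(*self.shares.get(account).unwrap_or(&0))
    }

    /// Models the hotfix: the balance is checked and tokens are paid out,
    /// but the caller's shares and the share supply are never reduced.
    pub fn remove_liquidity_vulnerable(&mut self, account: &str, amount: u128)
        -> Result<u128, &'static str>
    {
        let balance = *self.shares.get(account).unwrap_or(&0);
        if balance < amount {
            return Err("insufficient shares");
        }
        let out = self.payout(amount);
        self.reserve -= out;
        // BUG: shares[account] and total_shares are untouched, so the same
        // shares pass the balance check again on the next call.
        Ok(out)
    }

    /// Corrected version: compute every new value with checked arithmetic,
    /// then commit all of them, so a failure leaves the state unchanged
    /// (a contract panic would roll back the same way).
    pub fn remove_liquidity_fixed(&mut self, account: &str, amount: u128)
        -> Result<u128, &'static str>
    {
        let balance = *self.shares.get(account).ok_or("account not registered")?;
        let new_balance = balance.checked_sub(amount).ok_or("insufficient shares")?;
        let out = self.payout(amount);
        let new_total = self.total_shares.checked_sub(amount).ok_or("share supply underflow")?;
        let new_reserve = self.reserve.checked_sub(out).ok_or("reserve underflow")?;
        self.shares.insert(account.to_string(), new_balance);
        self.total_shares = new_total;
        self.reserve = new_reserve;
        Ok(out)
    }
}

/// Calls `remove` up to `rounds` times with the same share amount, stopping at
/// the first error. Returns (tokens received in total, calls that succeeded).
pub fn repeat_withdraw<F>(pool: &mut Pool, account: &str, amount: u128, rounds: usize, mut remove: F)
    -> (u128, usize)
where
    F: FnMut(&mut Pool, &str, u128) -> Result<u128, &'static str>,
{
    let (mut total, mut ok) = (0u128, 0usize);
    for _ in 0..rounds {
        match remove(pool, account, amount) {
            Ok(out) => { total += out; ok += 1; }
            Err(_) => break,
        }
    }
    (total, ok)
}

fn main() {
    // Constructed pool: alice holds 10% of the shares, so her entitlement is 100_000.
    let mut vulnerable = Pool::new(1_000_000, &[("alice", 100), ("bob", 900)]);
    let mut fixed = vulnerable.clone();
    println!("entitlement: {}", vulnerable.entitlement("alice"));
    println!("vulnerable: {:?}", repeat_withdraw(&mut vulnerable, "alice", 100, 20, Pool::remove_liquidity_vulnerable));
    println!("fixed:      {:?}", repeat_withdraw(&mut fixed, "alice", 100, 20, Pool::remove_liquidity_fixed));
}
```

The property a simulation test should assert after every state transition is the one the hotfix broke: no account's cumulative payout may exceed the entitlement it had when it started withdrawing. In the vulnerable model each call pays a shrinking but non-zero slice of the remaining reserve and never fails, so the caller steadily drains the other LPs' share of the pool; in the fixed model the second call is rejected and the remaining LP's entitlement still equals the reserve.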
Steps Taken
Ref contributors noticed the issue quickly, and immediately took steps to remedy the situation.
The following steps were taken within the first hour of the exploit:
1. The Ref UI was taken down, and the contracts were paused
2. The Ref team notified Binance and Huobi to freeze the exploiters' accounts, which they did
3. The Ref team determined users’ non-REF balances before the exploit, and proposed a full reimbursement of the funds using existing Ref balances and DAO funds
After these initial steps were taken, reimbursements for affected users were issued. A plan was also created to bring Ref back online and make it more secure.
Reimbursements for all $REF tokens were processed within 3 days, after the DAO voted to reimburse the lost NEAR with funds from the DAO.
In addition, the Ref website and dApp were fixed, stress tested, and brought back online on Saturday, August 22. The new contracts went live on v2.ref-finance.near simultaneously.
A More Secure Future
Security is the number one priority for the Ref team. To prevent issues from ever again arising, we are taking the following steps:
1. Testing, testing, testing: Any contract changes will have robust test suites created for them, including simulation tests. Additionally, we will test changes for a minimum of one week (usually much longer) manually with community partners.
2. Audits: A comprehensive audit was in progress before the exploit, and will soon be complete and published
3. Hiring: Our core team is very strong, but also small. We are hiring across the board, including engineers, designers, product, community, and more!
4. Decentralization: We retained an admin key for a short period of time to allow our dev team to move quickly. This was never intended to be for long, and we will be transferring control of the contracts to the DAO to keep our promise to the community of being a decentralized project.
This was a very difficult time for the Ref community, and we thank you all for standing by us through it. We couldn’t be more committed to making Ref a successful ecosystem, and we will continue to build until (and well after) that happens.
REF v2
As 1 million of $REF was improperly withdrawn, the community DAO voted to fork the $REF token and create Ref Finance v2 using the balances from block 45195764. This $REF was distributed on August 25th, and whitelisted on the redeployed Ref exchange.
The new $REF token assumes all uses of the original token, and will be treated as the only $REF token by us and our partners.
Moving Forward
Ref has been back online for just over a week, and liquidity is quickly returning. The $REF — $NEAR pair is at nearly $2M in liquidity, with $SKYWARD — $NEAR close behind (and $OCT rising quickly!).
In addition, the first farms will launch on Ref Finance! These liquidity rewards will be the most generous, and we expect to see the total value locked of Ref grow substantially very quickly. We are excited to onboard new users to the Ref community!
Additionally, we’re working with Paras to issue a set of NFTs to all of you who helped us recover!
We are excited to resume our roadmap, and to continue working towards the premium products the Ref and NEAR communities deserve.
About Ref Finance
Built on top of a leading-edge protocol in NEAR, REF Finance acts as the gateway into the entire ecosystem through its AMM, which provides liquidity and swapping features for all decentralized applications launching on NEAR. To do this, REF uses the Rainbow Bridge, which seamlessly bridges Ethereum-based assets over to NEAR, giving an array of DeFi users access to lower fees and faster transaction speeds.