Update on the exploit and the next steps


We recently dealt with a security breach. This article explains the incident, our response, our plans to prevent it from happening again, and what’s next.

What Happened?

On May 6, we detected an exploit in our staking contract after observing a significant sell-off and receiving reports that users were unable to interact with the staking module. A hacker was able to update the contract and illicitly withdraw 58,489,594 $PRY tokens. These were then transferred and exchanged for 41.895 ETH.

As a precautionary measure, we have temporarily paused the staking contract. The vulnerability was related to a section of the code that was added post-audit to introduce liquid staking.

How Was This Possible?

This breach was made possible by an error in initializing the proxy contract for the staking liquid module, which was a fork of the staking vested model previously audited and used by Camelot. We overconfidently chose not to audit this fork, incorrectly considering it risk-free, a decision that led to this exploit.

Immediate Actions and Future Precautions

In response to the hack, we acted swiftly to mitigate the impact on our users. We’ve bought back the $PRY tokens dumped by the hackers and have completed redistributing them to all affected stakers, restoring their original staked amounts. This action cost the treasury approximately 170K USDC.

We have put liquid staking on hold and have already launched an audit of the staking contracts with PeckShield, expected to conclude by May 18, 2024. If the audit is cleared, we plan to reopen liquid staking the following week.

Reflections and Strategic Adjustments

We deeply regret this incident and accept full responsibility. We acted quickly to protect our community, and all subsequent actions were taken with your best interests in mind. We hope that our immediate buyback and refund actions demonstrate our dedication and loyalty to you.

In retrospect, we recognize that our drive to rapidly introduce new features compromised our platform's stability and user experience. Moving forward, we are refocusing our efforts on enhancing the core features and the overall trading experience, delaying non-essential features like NFT vault integration, NFT Perp or Sports Betting, to prioritize the security, efficiency and overall user experience of the dApp.

Luckily, this hack happened when our token's value was low, which means we could handle the loss without endangering Perpy’s future. We have been meticulous in managing our cash flow and have sufficient reserves to sustain our project for many years to come.

Despite our significant efforts in Marketing and Business Development, we are facing challenges due to the reluctance surrounding the price performance of the $PRY token. KOLs are hesitant to engage in public trading or discuss the token's performance. That’s one of the reasons why our marketing efforts have had a limited impact. Our reputation has suffered since the underperforming ICO on Camelot, making marketing more difficult. Unfortunately, users tend to focus on the token's price and associated reputation rather than seeing all the accomplishments over the past year. We share your dissatisfaction with the activity on Perpy and the token's price performance. The most frustrating aspect is that we're giving absolutely everything and working as never before to develop the dApp.

Looking Ahead

We will continue to learn from our past mistakes, ensuring a dynamic and responsive future. 

We are currently improving the reactivity and loading latencies of our dApp, focusing on resolving various bugs. Once these are resolved, our next steps will involve introducing the social dimensions of Perpy and developing an SDK to automate trades with signals. This SDK will facilitate trade automation, help our users execute strategies more efficiently, and open up more collaboration with other projects.

These updates are designed to make our platform easier to use and more engaging, ensuring it stands out as a top Web3 Investment Social Network.

In addition, in order to start a new dynamic, we are considering rebranding Perpy and changing the token's ticker. This rebranding will allow us to start anew with a clean slate and a name that better aligns with the dApp's identity, emphasizing collaborative investment and community engagement similar to platforms like eToro. We are exploring names related to collaborative community investment and clubs. Along with the new ticker, we will also adjust the token's supply, following the example of AAVE's transition from LEND. This strategic move will provide us with a fresh chart and a clean history, making our marketing efforts more effective.

We welcome your feedback! We are actively seeking input during this period and will carefully listen to your suggestions and opinions.

Again, we sincerely apologize for this unfortunate event and the inconvenience it may have caused. Your ongoing support during these times is invaluable to us. We are deeply thankful for your patience and loyalty, which inspire us to enhance Perpy every day. Together, we're committed to building a stronger, more connected future in the world of Web3!