PAID Network Hack
Disclaimer: CryptoHobo does not, and has never invested in PAID Network, nor any of its partner projects or networks to date. I hold absolutely no personal position in relation to this article outside of genuine interest for the project’s aims and objectives.
Bitcoin’s repeated tests and re-tests of the psychologically significant $60,000 resistance level have prompted a sea of green across the Cryptospheric oceans, culminating with the much-anticipated and eagerly-awaited EIP-1559 developments (more on that in a subsequent article). However, the first week of March ended on a particularly sour note for one of my favourite ERC20 projects to launch in recent times.
On Thursday 4th March, news broke on social media that PAID Network1 (a smart-contract network for borderless legal toolkit provision) had suffered an exploit or hack that left its long-term advisors bewildered and flabbergasted.2
This hack saw the nefarious individual(s) mint approximately 60 million PAID tokens and sell a portion of them for approximately 2000 ETH (valued at an estimated USD$2.5 million at the time of execution).
As is usual with such complex and large events, rumours circulate long before the full light of day has dawned on the actual facts. Nowhere is this truer than in the Cryptosphere, which by its very nature requires expert analysis and dissection of events in order to accurately trace their fingerprint.
Indeed, it did not take Nick Chong of Parafi Capital long to take to the Twitterverse with understandably guarded, but less understandably accusatory language:
Nick Chong elaborated further by stating:
“a few minutes before the mint happened, a PAID deployer contract (which is externally controlled) transferred ownership to the hacker. Thus, it is likely that a member of executive made a grave security lapse which allowed the hack to happen, or he rug pulled.”3
Knowing, understanding and believing in the PAID Network project as well as I do, and having observed and participated in direct communications with the community and development team on their official Telegram group and Twitter throughout the pre-sales and beyond, these comments did not sit right with me at all.
I feel it is rather unfair, rug-pull or not, to speak about a very transparent, visible and communicative development team in such a negative manner and so readily, prior to full disclosure of the facts. I can only speculate that perhaps Nick Chong was reacting on confirmation bias fuelled by a historic ‘scam warning’ Tweet by Twitter user ‘WARONRUGS’, in addition to another Twitter user known by username ‘Fomosaurus’, who also spoke unfavourably of the team with FUD undertones:
Consequently, and as one might expect, this resulted in something of a wildfire of unsubstantiated narratives and half-truths spawning across the Twitterverse quicker than Peter Schiff can spread Bitcoin FUD.
I do not consider myself particularly ‘in the know’ in terms of the crypto industry. Indeed, I am just another retail bottom feeder fighting for scraps. However, due to my legal background PAID was a project that immediately caught my attention and struck a resonant chord. From my research, I gleaned that the team is seemingly honest, transparent, diverse and, prima facie (Latin legalese for 'at first sight') egalitarian in its nature.
PAID CEO Kyle Chasse is seemingly very well known amongst the inner circles and has been very prominent in blockchain and crypto for over a decade. The people whom I listen to and respect had also spoken highly of PAID Network and produced excellent and bullish research that mirrored my own.
Indeed, a cursory glance at Kyle’s LinkedIn demonstrates a wealth of experience as CEO/Founder of Master Ventures4, World Super Lotto (WSL)5 and PAID Network6, in addition to a whole raft of Strategic Advisor and other roles that reads very much as a ‘who’s who’ of crypto: GoodMoney, EVShare, Settle Network, Elrond Network, AnRKeyX, PlasmaPay, Hathor Network and Litentry, to name just an illustrious few. Kyle also claims to have been 'all-in' on blockchain and crypto since 2013.1
The PAID Network website has always been immaculately updated with full details of the development team, including the auditing of their smart contracts7, and their location is visible and easily verified as Koh Phangan, Thailand, this being the first official base for Master Ventures’ innovative ‘Blockchain Village’ co-working and co-living project, House of DAO.8
Ultimately, the best way to assess honesty and true intentions is to go straight to the source. With that in mind, IvanOnTech invited Kyle Chasse onto his YouTube channel for a candid interview, published on Sunday 7th March 2021.
This interview is extremely illuminating to me, since it really does reinforce my belief that this hack was not an inside job and, further, that any such nefarious behaviour is simply uncharacteristic of the team. First and foremost, Kyle’s willingness (evidently eagerness, from his body language, expressions and tone) to present the facts and to apologise to all PAID investors – new and old – speaks volumes for me. No hiding, no pussy-footing around with flowery, vacuous language and no sidestepping of issues. Pure and simple, up-front acceptance of full responsibility.
But why take my word for it? You can watch the full 20-30 minute interview yourself here.9 Alternatively, for convenience and ease of reference, I have based the remainder of this article around my own verbatim audio transcription of the interview and will reproduce the salient segments herein… because I’m that kind of guy ;-)
Interview with PAID CEO Kyle Chasse by Ivan on Tech, entitled ‘PAID NETWORK HACK – V2 Token Launch, Next Steps, Kyle Chasse Interview’, Sunday 7th March 2021
(Audio transcribed and reproduced by CryptoHobo on Monday 8th March 2021)
From the outset, Kyle seemed appreciative of the opportunity to communicate with the public via such a well-respected outlet and was eager to set out PAID Network’s intentions:
“It has been very rough … my entire team has been working tirelessly around the clock to make sure we can rectify everything that has been going on, learn from our lessons and move forward, onward and upward, so that’s what we’re doing and I’m sure to answer any questions you may have and full transparency...”
In a direct response to allegations of wrongdoing on PAID Network’s part:
“That accusation [inside job] is … basically ridiculous … you know, I have put my life into crypto. Almost 10 years ago I realised that blockchain and crypto was the key for us, a human species, to actually have evolution and evolve into a better species, a more transparent one, a permissionless and borderless one. This is my life. I love what I’m doing. I’m not doing this because I have to work, I’m doing this because I want to make a better world and a better place, uuuhhh.. so for anyone to think this is an inside job is absolutely ludicrous.”
It is of course purely subjective of me to say so, but the sincerity in the language and tone here was fully evident to me, and I would defy anyone who watches the interview to come to a different conclusion.
“I’m doing this because I love to do this and I believe that PAID Network is one of the best and most important projects in the world when it comes down to actually disrupting one of the most inefficient systems in the world, that will dramatically make the world a better place, I am really, really passionate about what we are doing and I want to see this survive and I would never, never do anything to sacrifice the integrity of what we are building...”
Again, here Kyle never deviates from the altruistically-fuelled, egalitarian vision to make the legal industry fairer, cheaper, more accessible and more efficient for the common man, and it really felt he was speaking straight from the heart.
Whilst it would be naive to dismiss the possibility that aspects of the interview were rehearsed, Kyle and his team will have been extremely busy in the preceding 48 hours establishing what had happened and what procedures, steps and scrutiny were to follow immediately. Thus, agreeing to the interview so soon after the event is not, to me, indicative of someone who is trying to hide something.
This is when it starts to get really interesting!
“At this juncture, perhaps March 5th: I was in bed, about to go to sleep, when one of my team came over and banged on my door like we were under a robbery and uhhh, I had no idea what was going on and all I heard was ‘someone just minted 59 million tokens and is dumping everything on the market’ and my heart just sank, I couldn’t believe this was happening to us. You know, you hear time and time again of other hacks happening and I just could never imagine something like this could happen to us. Immediately, you know, we uhhhh, people came over, we rallied, we created a war room, we started understanding, investigating what was going on. We brought in resources other teams that were much more experts in this field to help us understand what was going on. We brought in teams like CipherBlade and Immunify(sp?) and Certech(sp?), you know, all of these experts in the space who deal with asset recovery, investigation, like, y’know, chain analysis, things like that … and we quickly started to understand what had happened, although we didn’t understand the source of what happened yet.”
CipherBlade10 is described as a ‘blockchain investigation agency’ that has reportedly recovered millions of dollars’ worth of cryptocurrency, acted as expert witness in legal proceedings and specialises in blockchain forensics. Logic would suggest that if Kyle and the PAID team had anything to hide, they would not be so keen to involve specialist crypto forensic investigators in the immediate aftermath. Yet it is evident that this was done with immediate effect; indeed, they were investigating before the weekend had even begun.
“Sometime, and then we started taking steps to ensure, to minimise the impact of what the attack was able to do. So what we found out was that the, so, that the attacker was able to get access to the proxy admin wallet – the ownership of the wallet – that was our token contract. As we stated in our transparency report on January 25th or January 24th, 25th, 26th, around there, when we minted our first contract, ummm, we didn’t have the minting function enabled in our smart contract, but the attacker was able, because we had an upgradable proxy contract, was able to recreate a new contract with the mint function turned on, but we do have a max supply and he wasn’t able to mint any more and there was no tokens in that wallet, so the attacker had to burn tokens from our bucket that was allocated for staking rewards, that was unlocked, that was 10% of our supply – he burned those and was able to then mint new ones because he couldn’t mint any more than the max supply. He minted the new ones to his wallet and then started dumping on the market. When we saw the dump going on, we had also got on call to our market makers, and people who, y’know, understood quickly how to devise a strategy. We removed liquidity from Uniswap in order to minimise the opportunity for the attacker to sell to the market and make more profit, and ultimately that is what happened.”
In addition to the preceding account of exactly what went wrong, this kind of detail is especially useful. Knowing what the PAID team observed on-chain and how they reacted to it, anyone reasonably versed in rudimentary on-chain analysis can work backwards from this account and tally it against what they see on Uniswap: the burn from the staking-rewards bucket, the mint to the attacker’s wallet, the dumping and the liquidity removal. Again, such transparency is not befitting of anyone intent on an inside job or ill-intentioned behaviour, in my opinion.
Overall, the attacker was able to sell about 2.5 million of the newly minted PAID tokens, netting ETH worth approximately USD$3 million.
The question that now remains is what Kyle and his PAID Network team intend to do about it. Ivan asked Kyle whether there is any way to track what that money (the profited ETH) is doing:
“One of the best companies in the world when it comes down to asset recovery in Blockchain, and analysis, and investigation, that works with authorities, that works with exchanges, that works with other experts in the industry – we have retained them – CipherBlade – they are tracking where the Ethereum is, and hopefully they would be able to recover it – obviously there’s no guarantees since there’s a lot of ways to avoid that, but we have retained them and we are working with them to do the best to recover the stolen funds and hopefully find out the, who the attacker is.”
So, not only did PAID Network immediately bring in CipherBlade and other such agencies to investigate on their behalf, but they have also retained CipherBlade on an ongoing basis to ensure that the investigation and monitoring can continue.
In respect of other official authorities that are normally involved in such crimes, Kyle had this to say:
“CipherBlade does work with the authorities, we have a contract with them directly but they do work with three letter agencies and things like that.”
It ought to be noted at this point that Ivan is not just a popular YouTube influencer with a pretty face and a pocket full of coins to shill. With his own Blockchain project launching shortly, in addition to a Blockchain professionals training course, Ivan is a skilled programmer and an astute on-chain, off-chain and geopolitical analyst who is always keen to probe, learn and understand situations precisely. Whilst I believe he is a supporter of PAID (if not a pre-sale investor) and is likely at least familiar with Kyle from industry circles, Ivan does not shirk the responsibility of enquiring whom Kyle feels is responsible for the exploit/hack, why they were able to gain access to the contract, and exactly how this event transpired in terms of culpability, liability and negligence on the part of PAID Network. Kyle’s answer is as illuminating and refreshing as the rest of the interview:
“So we were able to understand exactly how this happened as well. Ultimately, at the end of the day, this is my fault, and this is, y’know, our responsibility from PAID Network. This was really two main things went wrong here. One of them was poor key management, or mismanagement of keys … and this comes from a lack of, well, really, so that was one of them.”
Firstly, regardless of what happens, when public/private customers are at a loss, irrespective of the circumstances, one of the most important virtues for me is the company – especially its leaders – having the humility to accept full liability and responsibility. This is a sign of true leadership underpinned with good intentions.
“Another one is the fact that there is a responsible party who we contracted to create our token contracts for us and I assume that, and after they created the contracts for us, he walked me through a process of transferring that contract ownership to myself, so we got on a video call, he said okay now I’m transferring the contract to you, and I thought I was using best private key practices because I was using my private key that was secured on my hardware wallet, and the contract was transferred to myself and as far as my knowledge understood, I was now the owner of the contract. I later understood, from speaking to other industry experts that the original owner of the proxy contract needs to be removed – it’s not enough to transfer the new owner onto the contract, but that original key needs to be removed, and I understand that it was not. That was one of the vulnerabilities there.”
Hands up. No shirking. Shooting straight from the hip and telling it like it is. My fault, I made a mistake, and I am sorry: music to the ears of any wronged client, customer or investor, and yet a swallowing of pride that all too often seems beyond most companies. How refreshing it is to see such an attitude in a fast-evolving, infantile and volatile industry where a plethora of mistakes can be made and a myriad of things can go wrong, to potentially catastrophic effect, at any time.
To me, the most important aspect of this section is that Kyle actually gives a lot of passive credit to the Cryptosphere here. In admitting his mistake, admitting that there was additional knowledge he was not aware of, and probably should have been aware of, speaks volumes. To me, it underlines how much respect he gives the network users and the industry participants in general, in that anyone who is seriously involved knows, logically and rationally, that we are placing a lot of trust in algorithms and ultimately in relatively new and untested technology. Adults know the world isn’t perfect. We know mistakes are made and things go wrong. Acknowledging that he understands his audience’s knowledge of these facts whilst not shirking any culpability is frankly, in my mind, something to admire from a CEO who could easily have slipped away into the shadows somewhere and stayed on the down-low until things have blown over a bit.
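Kyle’s two accounts above (the attacker upgrading the proxy to a mint-enabled implementation, and the handover that transferred ownership without removing the original key) both come down to a question anyone running an upgradeable contract should be able to answer after a handover: which addresses can upgrade this proxy right now? The following is an added example written for this article; it is not PAID Network’s code, nor the contractor’s, nor OpenZeppelin’s. It reads the two storage slots defined by EIP-1967 for a transparent proxy and follows the admin through any Ownable ProxyAdmin contract (via the `owner()` selector) to the key or contract that ultimately decides what code the proxy runs. The RPC reads are injected as callables so the same function can be driven from web3.py or any JSON-RPC client; the addresses and in-memory chain state below are constructed to illustrate a stale deployer key left in control and are not PAID’s actual deployment.

```python
# Added example for this article: "who can upgrade this proxy?" from raw JSON-RPC reads.
# Not PAID Network's code. The slot constants and the owner() selector are the real
# EIP-1967 / OpenZeppelin values; all addresses and chain state here are constructed.
from typing import Callable, List

ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"  # keccak256("eip1967.proxy.admin") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"   # keccak256("eip1967.proxy.implementation") - 1
OWNER_SELECTOR = "0x8da5cb5b"  # first 4 bytes of keccak256("owner()")
ZERO_ADDRESS = "0x" + "00" * 20


def word_to_address(word: str) -> str:
    """A 32-byte storage word or ABI return value carrying an address: the address is the last 20 bytes."""
    hexdigits = word[2:].rjust(64, "0")
    return "0x" + hexdigits[-40:].lower()


def current_implementation(proxy: str, get_storage_at: Callable[[str, str], str]) -> str:
    """The code the proxy delegates to right now; this is the slot an admin rewrites on upgradeTo()."""
    return word_to_address(get_storage_at(proxy, IMPL_SLOT))


def upgrade_controllers(
    proxy: str,
    get_storage_at: Callable[[str, str], str],  # e.g. lambda a, s: w3.eth.get_storage_at(a, s).hex()
    get_code: Callable[[str], str],              # e.g. lambda a: w3.eth.get_code(a).hex()
    eth_call: Callable[[str, str], str],         # e.g. lambda to, data: w3.eth.call({"to": to, "data": data}).hex()
) -> List[str]:
    """Return the chain of addresses that control upgrades of `proxy`, outermost last.

    Start at the proxy's admin slot. If the admin is a contract that answers owner()
    (an OpenZeppelin ProxyAdmin), follow owner() again; stop at an EOA, or at a contract
    with no owner() (a multisig, a timelock). The last element is what ultimately decides
    which implementation the proxy runs, and therefore who could add a mint function."""
    chain: List[str] = []
    current = word_to_address(get_storage_at(proxy, ADMIN_SLOT))
    while current != ZERO_ADDRESS and current not in chain:
        chain.append(current)
        if get_code(current) in ("0x", ""):
            break                                  # externally owned account: one private key
        ret = eth_call(current, OWNER_SELECTOR)
        if ret in ("0x", ""):
            break                                  # no owner(): terminal controller
        current = word_to_address(ret)
    return chain


def handover_problems(chain: List[str], expected_controller: str, get_code: Callable[[str], str]) -> List[str]:
    """The two checks a handover should end with: the ultimate controller is exactly the
    expected address, and it is a contract (multisig) rather than a lone key."""
    if not chain:
        return ["admin slot is empty: not an EIP-1967 transparent proxy, or not upgradeable"]
    problems = []
    ultimate = chain[-1]
    if ultimate != expected_controller.lower():
        problems.append(f"ultimate controller is {ultimate}, expected {expected_controller.lower()}")
    if get_code(ultimate) in ("0x", ""):
        problems.append(f"ultimate controller {ultimate} is a single externally owned key")
    return problems


# --- constructed chain state: placeholder addresses, not real contracts ---
PROXY = "0x" + "01" * 20         # the token's transparent proxy
PROXY_ADMIN = "0x" + "02" * 20   # Ownable ProxyAdmin contract sitting in the admin slot
DEPLOYER_EOA = "0x" + "03" * 20  # key derived from the deployer's seed phrase
SAFE = "0x" + "04" * 20          # multisig the team intends to be in control
IMPL = "0x" + "05" * 20          # current implementation contract


def make_state(proxy_admin_owner: str):
    """Fake get_storage_at / get_code / eth_call over a tiny in-memory chain."""
    storage = {(PROXY, ADMIN_SLOT): "0x" + PROXY_ADMIN[2:].rjust(64, "0"),
               (PROXY, IMPL_SLOT): "0x" + IMPL[2:].rjust(64, "0")}
    code = {PROXY: "0x60", PROXY_ADMIN: "0x60", SAFE: "0x60", IMPL: "0x60", DEPLOYER_EOA: "0x"}
    calls = {(PROXY_ADMIN, OWNER_SELECTOR): "0x" + proxy_admin_owner[2:].rjust(64, "0")}
    return (lambda a, s: storage.get((a, s), "0x" + "00" * 32),
            lambda a: code.get(a, "0x"),
            lambda to, data: calls.get((to, data), "0x"))


def audit(proxy_admin_owner: str):
    """Run the handover check against the constructed state and return (chain, problems)."""
    get_storage_at, get_code, eth_call = make_state(proxy_admin_owner)
    chain = upgrade_controllers(PROXY, get_storage_at, get_code, eth_call)
    return chain, handover_problems(chain, SAFE, get_code)


if __name__ == "__main__":
    print(audit(DEPLOYER_EOA))  # ProxyAdmin still owned by the deployer key: two problems reported
    print(audit(SAFE))          # ProxyAdmin owned by the multisig: no problems
```

The point of walking the chain rather than checking a single `owner()` is that the address you were shown being "transferred" on a video call may not be the one in the proxy's admin slot at all; the only thing that counts is what the slot and its owner chain resolve to on-chain, and a transfer that leaves a stale key anywhere in that chain leaves the upgrade path, and with it the ability to add a mint function, in that key's hands.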
“So, after this responsible party I was working with then later got contracted to do another job for another project, from what I understand, he then gave our private repo which included our mnemonic seed to the project to use as a reference when looking at the vesting schedules that we used. That project then uploaded, at some point, that repository to GitHub and made it public, and that’s where our mnemonic phrase was exposed, the attacker found the mnemonic phrase, was able to restore and regain access to our admin proxy contract.”
This crucial piece of information gives a rather unique insight into just how perilous the industry can be, even for the experts. We have PAID, a highly technical, gifted and (in my opinion) competent team with a clear, strong vision, and a third-party contractor expert in drafting smart contracts for precisely this context, managing to accidentally leak the mnemonic seed phrase behind PAID Network’s admin key via yet another third party, who then published it publicly on GitHub (presumably unwittingly); an eagle-eyed opportunist pounced on it like a lion on a gazelle. A mnemonic is also worse to lose than a single private key: every account derived from that seed, on whatever device it is restored to, is compromised with it, which is exactly why the attacker could simply restore the wallet and act as the proxy admin.
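The leak Kyle describes is the mundane kind that tooling catches: a seed phrase sitting in a file inside a repository that was later shared and then pushed public. What follows is an added example written for this article (not PAID Network’s, the contractor’s or any named project’s tooling) of the check a practitioner would put in a pre-commit hook or run over a repository before handing it to anyone: it flags 64-hex-digit strings (raw 32-byte private keys), assignments to secret-looking names, and any run of words that validates as a BIP-39 mnemonic by its checksum. The sample file and the placeholder key are constructed; the four-word head of the English BIP-39 list is real, and the phrase in the sample is the public all-zero-entropy BIP-39 test vector, not anyone’s seed, so the block runs offline.

```python
# Added example for this article, not PAID Network's or the contractor's tooling:
# a small scanner for the two secrets that must never be committed, raw private keys
# and BIP-39 seed phrases. Run it over staged files in a pre-commit hook, or over a
# repository before it is shared with a third party or made public.
import hashlib
import re
from typing import Dict, List, Optional, Tuple

BIP39_LENGTHS = {12, 15, 18, 21, 24}
HEX_KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
SECRET_NAME_RE = re.compile(r"(mnemonic|seed[_ ]?phrase|private[_ ]?key)\s*[:=]", re.I)
TOKEN_RE = re.compile(r"[A-Za-z]+|[^A-Za-z\s]+")  # letter runs; punctuation breaks a run
WORD_RE = re.compile(r"^[a-z]{3,8}$")             # every English BIP-39 word is 3..8 lowercase letters

# First four entries (indices 0..3) of the real English BIP-39 word list; enough for the
# constructed sample below. In practice load the full 2048-word list from a file.
WORDLIST_HEAD = ["abandon", "ability", "able", "about"]

Finding = Tuple[int, str, str]  # (line number, severity, message)


def bip39_checksum_ok(indices: List[int]) -> bool:
    """BIP-39: 11 bits per word; the final len/3 bits must equal the first bits of sha256(entropy)."""
    n = len(indices)
    if n not in BIP39_LENGTHS or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = "".join(f"{i:011b}" for i in indices)
    cs_len = n // 3                                # 4 bits for 12 words ... 8 bits for 24
    ent_len = n * 11 - cs_len
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    return f"{digest[0]:08b}"[:cs_len] == bits[ent_len:]


def scan_run(run: List[str], index: Optional[Dict[str, int]]) -> List[Tuple[str, str]]:
    """Verdicts for a run of word-shaped tokens: every BIP-39-length window is checksum-tested
    when a word list is loaded; without one, a long run is only reported as suspicious."""
    if len(run) < 12:
        return []
    if index is None:
        return [("MEDIUM", f"{len(run)} consecutive word-shaped tokens (no word list loaded)")]
    out = []
    for length in sorted(BIP39_LENGTHS, reverse=True):
        for start in range(0, len(run) - length + 1):
            window = run[start:start + length]
            if all(w in index for w in window) and bip39_checksum_ok([index[w] for w in window]):
                out.append(("HIGH", f"valid {length}-word BIP-39 mnemonic starting at word {start + 1}"))
    return out


def find_secrets(text: str, wordlist: Optional[List[str]] = None) -> List[Finding]:
    """Scan text line by line; returns (line, severity, message) for each hit."""
    index = {w: i for i, w in enumerate(wordlist)} if wordlist else None
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if HEX_KEY_RE.search(line):
            findings.append((lineno, "HIGH", "64 hex digits: a raw 32-byte private key?"))
        if SECRET_NAME_RE.search(line):
            findings.append((lineno, "MEDIUM", "assignment to a secret-looking name"))
        run: List[str] = []
        for tok in TOKEN_RE.findall(line) + ["."]:  # trailing sentinel flushes the last run
            if WORD_RE.match(tok):
                run.append(tok)
                continue
            for severity, message in scan_run(run, index):
                findings.append((lineno, severity, message))
            run = []
    return findings


# Constructed sample of a vesting-schedule repo file. The phrase is the public all-zero
# BIP-39 test vector and the key is a repeating placeholder; neither is anyone's secret.
SAMPLE_REPO_FILE = """# vesting.config (constructed sample)
NETWORK=mainnet
DEPLOYER_MNEMONIC="abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
DEPLOYER_KEY=0x1111111111111111111111111111111111111111111111111111111111111111
VESTING_CLIFF_DAYS=90
"""

if __name__ == "__main__":
    for lineno, severity, message in find_secrets(SAMPLE_REPO_FILE, WORDLIST_HEAD):
        print(f"line {lineno}: [{severity}] {message}")
```

With the full word list loaded, a phrase is reported as HIGH only if its checksum holds, so ordinary prose that happens to contain twelve short words is not flagged; without a word list the scanner degrades to a structural warning. The check is cheap; the expensive lesson in the interview is that a secret in a private repository is one `git push` away from public, and the only durable fix is for deployer seeds never to be in a repository at all.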
Unlike the seemingly never-ending list of exploits or hacks that have been direct inside jobs or ‘rug pulls’ as per the ICO days of 2017-2018,1112131415 or direct attacks on the network itself such as 51% attacks,16 or the exploitation of a loophole in the smart contracts themselves, this is seemingly the result of something a little more left-field. One can imagine that, despite the best efforts of everyone in the Cryptosphere, it would not be at all surprising to see a similar issue arise with some project again in the future. Human error is often severely punished, as are vulnerabilities in code or smart contract ‘quirks’ that can be exploited (such as that which occurred on the Compound app at the height of the DeFi mania of 2020).17
So far, we have seen Kyle accept responsibility (both solely and on behalf of PAID) and provide a detailed explanation of precisely what went wrong, and what could/should have been done by all parties involved to avoid the situation occurring in first instance.
However, this in and of itself is not much use to the out-of-pocket investor. Thus, the remainder of the interview is crucial in determining just how much credence we ought to give to the sincerity of Kyle’s previous responses. Whilst it is my nature to always try to give the benefit of the doubt, it’s not as if there isn’t a whole shark tank full of John McAfee181920 types swimming around in crypto waters just waiting for an opportunity to strike. I feel pretty confident in my assertion that a John McAfee type Kyle Chasse certainly is not.
“I know, there’s nothing I want more in this world than to move past this and, move past this in the right way. We have been doing everything we can – very little sleep since the attack has happened – our entire team is on this plus a lot of other people helping us as well. We are, tonight, in the process of… we have already taken a snapshot exactly right before, the block before the attacker dumped the tokens and we have already started the process of the new contract, the PAID V2 contract, this will of course be secured by multi-sig wallet using NoSys which is industry standard and we plan, by the time most of you are awake tomorrow, PAID V2 token will be out and circulating, and as far as what we plan on doing for those who were, for those who lost uhhhh, who either saw an opportunity and thought they were buying the dip, or people who panic sold after the attacker sold the tokens – we understand that you had some now financial loss – so we plan to compensate anybody who traded on Uniswap from the time the attack happened up until 1 hour after we made the announcement, and that announcement had 1 hour to propagate through all the social channels – my channel, PAID Network, Twitter, over 70,000 emails were sent out too – we feel that was enough time for people to understand that you should not be, that the token was going to be voided, and no more trading should be done. So if you were trading on Uniswap for, its approximately 3 to 3 and a half hours after the attack, ummm, we will roll back the ledger to right before the attack happened and create a new V2 contract for that.”
Never one to leave himself open to accusations of not probing, pursuing or seeking explicit clarity on issues, Ivan sought confirmation as to how compensation will be distributed i.e. whether the reimbursement will be for the ETH value lost, or the PAID tokens directly in volume, or both, or otherwise.
Kyle clarified as follows:
“The people that bought will be getting PAID tokens in the value of the ETH that they spent”
“So, we are going to start the trading lower than the value of PAID at the time of the attack which was around 2.80, we are still working out with market makers and strategists the best way to structure that, but we plan on, the exact details are… we don’t know exactly yet, but it will be the equivalent value of the ETH that was spent, dropped in PAID tokens […]”
It is interesting to note here that the arrangement seems focused on ensuring that no investor is left at a loss, even if it combines with circumstances to over-compensate some victims of the hack. By starting trading at a lower price than that at the time of the hack and reimbursing the equivalent ETH value of the loss, victims could prospectively be issued more PAID tokens than they lost. This underlines the notion that PAID Network are very much focused on the best interests of their investors, even if it puts the project at a financial disadvantage compared with its juggernaut-esque start to life as a blossoming crypto project.
Personally, I find it both exciting and somewhat reassuring when such in-depth detail is provided and responsibility is taken for liability, and that is subsequently followed with unwavering commitment to the vision.
Kyle polishes off his interview with Ivan by outlining just how committed PAID are to the original road map and ideology of the project:
“Well, you know, if you’ve been following what we’ve been doing, we’ve been on fire up until… this is a small blip in the road map of what PAID Network has been doing, y’know, we still have a tremendous amount of, we still have extremely strong fundamentals, y’know, we’re not going anywhere. I’m here talking to you today and we’re moving forward, onward and upward. We have a road map stacked with deliverables and partnerships and ideals on the road map. We have big announcements for, y’know, exchanges and things like that lined up. Nothing has changed as far as our fundamentals and we are still moving forward in that direction. One thing that I can tell you is that our security practices will be strongly, uhhh, strongly more secure. We will be working, y’know, with industry experts to make sure we have the best practises within PAID Network.”
In reply, Ivan finally eases up on Kyle somewhat, offering a proverbial olive branch rooted in a simple truth that can only be gleaned from sufficient experience and time in the market:
“Somebody has to make all the mistakes. We’ve had the DAO hack years ago with the re-entrancy attack, then we had some other people losing access in other ways and you got this GitHub upload situation – someone has to make all of these mistakes for this industry to move ahead and hopefully, hopefully, this project will only move ahead and grow and leave this behind.”
The interview closes out with some final remarks from both Kyle and Ivan. Firstly, Kyle offers:
“I just want to thank those of you in our community who have been supportive. It has meant the world to us. There has been a lot of negativity and FUD and ummm, but, the true supporters in the community who really believe us, thank-you to each and every one of you who have shown us such kind love and support, it really, really, really helps under these trying times and it really has been emotional and heart-warming to see all the support, and thank you Ivan for having me on and allowing me to talk to your audience, I really appreciate it.”
Ivan closes with the kind of astute observational insight that only someone of his stature is privy to. Ivan is very well respected throughout the crypto community, and when industries are so infantile it is very often a case of ‘everyone knows everyone’. Of course, this could be seen as dangerous, since anyone would be wary of how willing friends are to call each other out and hold each other to account.
However, whilst Ivan was welcoming and not intimidating throughout the interview, he maintained a pragmatically neutral stance in his line of questioning and responses throughout. It is only now, at the very end, that he begins to offer something of his own opinion. This is extremely important in my mind, since it avoids muddying the facts with opinions.
“There has been some FUD but the support that came from important people in this industry, who actually work in this industry, who actually do something in this industry, has been overwhelming, I can tell you that as a kind of third-party observer. When it comes to the actual people who work, who do something in this industry, because most of them actually know you, and know your team, and know that you have a long history here, so that is a big decision to make, so as a bystander I can say the support has been overwhelming and that has been amazing to see that the PAID community is strong.”
For anyone who is on the fence regarding PAID Network going forward, these ought to be encouraging words. I cannot recall many, if any instances in the past where a disastrous event in the industry has been met with such kind and supportive words for those who fully acknowledge their liability and responsibility for the event transpiring.
For me, this speaks volumes about both Kyle and his entire team. Such respect and trust is not earned quickly, nor easily, especially in such cut-throat and competitive industries as those in the technological sectors.
At the time of publishing, the PAID Network V2 token is trading on Uniswap at between $1.60 and $1.70,21 just short of half of the all-time high of almost $5.00 achieved immediately prior to the hack. Hopefully, from a personal perspective, this project is able to bounce back immediately with the support of the community and continue from strength to strength.
Whilst I have never held the PAID token to date, this is not without regret on my part and is something I fully intend to rectify in the future. If anything, the team’s cumulative handling of this unfortunate situation fills me with even more confidence that this team and project has what it takes to achieve everything it sets out to do, and more. Should it achieve even half of that expectation, it will prove to be a hugely valuable asset to the Cryptosphere and one of the most pivotal disruptions of a traditional industry in recent memory, perhaps for generations.
1 PAID Network White Paper (2021), published by PAID Network, available at: https://docsend.com/view/jdbdpza9d9nehnf2
9 Interview conducted by IvanOnTech with PAID Network CEO Kyle Chasse, entitled ‘PAID NETWORK HACK – V2 Token Launch, Next Steps’, published on IvanOnTech’s YouTube channel on Sunday March 7th 2021, available at: https://www.youtube.com/watch?v=v28yihfpP_E