wLEO was Hacked on Ethereum

By kreesher | Tech Savy | 12 Oct 2020


The wLEO contract on Ethereum was hacked earlier today, which led to a massive drain on the pool.

 


The problem was quickly spotted by many users, who understood that these were false transactions and removed their liquidity from the pool as soon as they found out. This reduced the hacker's ability to steal ETH from the pool.

 

Earlier today, the wLEO team managed to shut down the contract and withdraw the remaining liquidity from the pool, saving 114 ETH.

 


Nevertheless, it took the team some time to snapshot the balances before the hack and figure out who had withdrawn liquidity vs. who was still in the pool at the time of the hack.

 
They assure the community that:

We will continually work on it and keep you posted on the distribution of this ETH back to LPs.

 

This is not a problem specific to the wLEO pool, since it has been happening to many other pools on Uniswap. The token-issuing contract/address gets exposed, and then someone takes advantage of it to mint infinite tokens and rug pull the Uniswap pool to steal the Ethereum.


What is currently known:

The hacker in question stole ETH from the pool by minting WLEO to himself and then swapping it into the market for ETH.

The ETH was then sent to Binance (Binance has been contacted, but there may be nothing they can do since the hacker seems to have used non-KYC'd accounts to receive the ETH).

The hacker's ETH address: https://etherscan.io/address/0x8c9a02c89c96940e377052a9be0c7326f89a2495

The flaw doesn't appear to be from the wLEO oracle on Hive (meaning that they didn't push through a false conversion).

This narrows it down to just a few possibilities for how they exposed the wLEO contract.
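The mint-then-swap pattern described above can be watched for from the defender's side. The following is an added example, not code from the wLEO project: it flags mints that have no matching conversion in a hypothetical bridge ledger and estimates how much ETH a constant-product pool would pay out for them, which also shows why LPs withdrawing liquidity shrank the loss. The event records, ledger format, reserves and the Uniswap v2 style 0.3% fee are all assumptions.

```python
from dataclasses import dataclass

# ERC-20 mints are emitted as Transfer events whose sender is the zero address.
ZERO = "0x" + "00" * 20

@dataclass(frozen=True)
class Transfer:
    tx: str
    sender: str
    to: str
    amount: int  # whole tokens, for readability

def unbacked_mints(transfers, approved):
    """Return mints that have no matching conversion in the bridge ledger.

    approved: hypothetical ledger {tx hash: (recipient, amount)} kept by the
    wrapping oracle for every conversion it authorised.
    """
    return [t for t in transfers
            if t.sender == ZERO and approved.get(t.tx) != (t.to, t.amount)]

def eth_at_risk(eth_reserve, token_reserve, tokens_sold, fee_bps=30):
    """ETH a constant-product (x*y=k) pool pays out for `tokens_sold`.

    Assumes a Uniswap v2 style pool with a 0.3% swap fee.
    """
    amount_in = tokens_sold * (10_000 - fee_bps)
    return eth_reserve * amount_in // (token_reserve * 10_000 + amount_in)

# Constructed sample data; none of these values come from the incident.
APPROVED = {"0xaa": ("0xuser1", 1_000)}
EVENTS = [
    Transfer("0xaa", ZERO, "0xuser1", 1_000),         # backed by a conversion
    Transfer("0xbb", ZERO, "0xunknown", 10_000_000),  # no ledger entry
    Transfer("0xcc", "0xuser1", "0xuser2", 250),      # ordinary transfer
]

if __name__ == "__main__":
    for mint in unbacked_mints(EVENTS, APPROVED):
        full = eth_at_risk(500, 1_000_000, mint.amount)
        halved = eth_at_risk(250, 500_000, mint.amount)
        print(f"ALERT {mint.tx}: {mint.amount} tokens minted to {mint.to} "
              f"without a conversion; pool exposure {full} ETH "
              f"({halved} ETH if half the liquidity has been withdrawn)")
```

However large the unbacked mint, the payout stays below the pool's ETH reserve, so the reserve at the time of the swap is the upper bound on the loss.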

 

What is currently unknown:

How the hacker was able to expose the WLEO contract in order to do this is still being researched.

 


Is LEO Safe?

 

One of the top questions right now is about the security of LEO.

In short, yes - LEO is safe.

 

This hack only impacts WLEO on Ethereum and hasn't exposed any flaws in the Hive operations of LEO / LeoFinance.

The situation is similar to what would happen if WBTC got hacked. If WBTC is hacked, Bitcoin itself isn't exposed. Only the WBTC on Ethereum, which represents BTC held in contracts, is exposed. This means that the hacker can ravage the price of WBTC but cannot impact the supply of BTC on the Bitcoin blockchain.

The same applies to WLEO / LEO: the hacker has impacted the price and supply of WLEO but cannot touch LEO itself, since the WLEO they minted cannot be unwrapped into LEO.

 

What About the Project?

Just as ETH recovered from the DAO incident and Bitcoin has recovered from the many attacks/exchange hacks, so too will LEO recover from this hack.

The latest release of LeoFinance.io was slated to come out on Monday (tomorrow) to offer a whole set of new features including a refined onboarding process, Metamask logins/signups, WLEO operations, revamped wallet UI, and LeoInfra plug-ins.

This temporary setback will cause a slight delay in the release of the new LeoFinance UI update. The team is still aiming to release it this week but will focus on fixing the issues with WLEO first along with sorting through the remaining LP balances.

 
