HBOT Nomad hack: post-mortem and next steps

Hack recap

As announced in this June 2022 blog post, Hummingbot Foundation bridged HBOT tokens to the Avalanche blockchain using Nomad Protocol, in order to give HBOT holders who received Hummingbot Miner payouts, and the Hummingbot community in general, access to liquidity on a more gas-efficient yet EVM-compatible blockchain.

On Monday August 3, multiple hackers illegally accessed the Nomad ERC-20 bridge contract and stole 11.8M HBOT tokens. They were able to hack the contract because the Nomad team inadvertently introduced a bug while upgrading the contract that allowed anyone to execute transactions that siphoned tokens out of the contract.

Since the hack transpired:

  • 1.2M hacked HBOT tokens have been returned to the Nomad recovery address
  • 6.0M hacked HBOT tokens have been sold in the Uniswap USDC/HBOT pool, the only decentralized or centralized exchange where HBOT currently trades
  • 4.6M hacked HBOT tokens still reside in hacker wallets. This represents 0.46% of HBOT total supply, and 7.44% of current (post-hack) HBOT circulating supply

On the Avalanche blockchain, since the 11.80M HBOT (ETH) tokens stolen in the Nomad hack were the collateral for HBOT (AVAX) tokens, the HBOT (AVAX) tokens are effectively rendered worthless.

To protect the AVAX used to create the TraderJoe liquidity pool authorized in this Snapshot, Hummingbot Foundation has withdrawn all liquidity from the pool, and those tokens now reside in the Foundation Avalanche wallet.

Current HBOT (AVAX) holders include:

  • 10M+ belonging to Hummingbot Foundation, which is currently held in its Avalanche wallet along with the AVAX tokens used to create the TraderJoe pool
  • 263K belonging to community members who received HBOT rewards on Avalanche, along with community members who had bridged their HBOT from Ethereum to Avalanche.
  • 915K belonging to CoinAlpha for future Miner reward distributions

Status quo

  • Currently, the only venue where hackers can dispose of their remaining 6.8M in stolen HBOT is the Uniswap USDC/HBOT pool. The Ethereum-based HBOT token is not listed on any other decentralized or centralized exchange.
  • Even though hackers have sold 6M tokens (a majority of their hacked HBOT), the market price of HBOT has remained relatively stable. Currently, the HBOT price of the USDC/HBOT Uniswap pool is 0.0079, approximately 10% lower than before the hack.
  • Since liquidity providers have removed a substantial amount of liquidity from the pool after the hack, the pool currently only holds 2.9K USDC and 550K HBOT tokens, limiting how much the hackers can profit from selling their HBOT.
  • However, this also limits liquidity for honest Hummingbot community members who receive HBOT as developer grants and for other purposes. The hackers hold 7.4% of the current HBOT circulating supply, so they would likely consume any liquidity added.
  • So currently, it’s a standoff: the hackers can’t profit much further from their ill-gotten gains, but the Hummingbot community can’t increase liquidity for HBOT without enabling the hackers to profit further from selling down their HBOT.

Reimbursement

  • Our first priority is reimbursing HBOT (AVAX) holders, since it’s their tokens whose collateral was stolen in the Nomad hack.
  • Hummingbot Foundation proposes to reserve the 1.2M HBOT tokens that have been returned to the Nomad recovery address for these affected users, with the remainder reverting to the Foundation. In order of priority, this includes:
    • 263K belonging to community members who received HBOT rewards on Avalanche or bridged their HBOT from Ethereum to Avalanche
    • 915K belonging to CoinAlpha
    • Any remainder to the Foundation
  • After Hummingbot Foundation receives the 1.2M HBOT tokens from Nomad, we will reimburse the affected HBOT (AVAX) holders, based on a pre-defined Snowtrace snapshot, by sending them an equivalent amount of HBOT on the Ethereum blockchain.

Re-issuance

  • In addition to the proposal above, we lay out how a possible HBOT re-issuance plan could work.
  • Currently, Hummingbot Foundation does not plan to go through with it due to the operational work and effort entailed, but if the community believes this is necessary and approves a governance proposal ratifying it, we would execute the plan.
  • Since the HBOT token is not listed anywhere besides the Uniswap USDC/HBOT pool and the majority of holdings are locked up in smart contracts, it would be possible to re-issue the HBOT token while freezing out the hacker balances.
  • If HBOT were to be re-issued, Hummingbot Foundation recommends that it be natively re-issued on a non-Ethereum EVM-compatible chain such as Arbitrum, Avalanche, or Polygon, since this would substantially reduce the gas costs associated with re-issuance. Going forward, it would also solve the transaction cost issue for HBOT holders without the need to bridge HBOT to another chain, which inherently adds security risks.

How would re-issuance work?

  • Hummingbot Foundation creates a new contract on the destination chain identical to the existing HBOT (ETH) contract
  • For locked-up HBOT holders, we create vesting contracts on the destination chain identical to the existing vesting contracts on Ethereum
  • We airdrop the new HBOT tokens, on the destination chain, to addresses which are holding HBOT as of a certain block on the Ethereum chain, with the exception of 1) HBOT hacker addresses, 2) the Uniswap USDC/HBOT pool
  • If the community deems it necessary, we would create a new Uniswap (or similar AMM) HBOT pool on the destination chain.
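Added example (Python, not Hummingbot Foundation code) of the two allocation steps described in this post: the snapshot-based airdrop that freezes out hacker addresses and the Uniswap pool (this section), and the priority-ordered reimbursement of the 1.2M returned HBOT (Reimbursement section above). All addresses and per-holder balances are constructed placeholders; the 1.2M / 263K / 915K figures are the ones stated in the post.

```python
"""Allocation helpers for the re-issuance airdrop and the reimbursement
waterfall described in this post. Added example, not Foundation code;
balances are constructed, in whole tokens rather than 18-decimal units."""

# Constructed HBOT (ETH) balance snapshot at the chosen Ethereum block.
SNAPSHOT = {
    "0xHOLDER_A": 500_000,
    "0xHOLDER_B": 120_000,
    "0xVESTING_1": 10_000_000,  # locked-up holder (vesting contract)
    "0xHACKER_1": 4_600_000,    # hacker wallet: frozen out of the new token
    "0xUNISWAP_POOL": 550_000,  # Uniswap USDC/HBOT pool: not airdropped
}
EXCLUDED = {"0xHACKER_1", "0xUNISWAP_POOL"}


def airdrop_allocations(snapshot, excluded):
    """Return (allocations, frozen_total). Every holder not in `excluded`
    receives its snapshot balance on the destination chain; excluded
    balances are simply never minted."""
    allocations, frozen_total = {}, 0
    for addr, bal in snapshot.items():
        if bal <= 0:
            continue  # nothing to mint for empty addresses
        if addr in excluded:
            frozen_total += bal
        else:
            allocations[addr] = bal
    # Conservation check: minted + frozen out must equal snapshot supply.
    assert sum(allocations.values()) + frozen_total == sum(snapshot.values())
    return allocations, frozen_total


def reimbursement_waterfall(recovered, claims, fallback):
    """Pay `claims` (list of (name, amount)) in priority order out of the
    recovered tokens; any remainder goes to `fallback`. If recovery falls
    short, later claims are paid partially or not at all."""
    payouts, remaining = {}, recovered
    for name, amount in claims:
        paid = min(amount, remaining)
        payouts[name] = paid
        remaining -= paid
    payouts[fallback] = remaining
    return payouts


# Priority order from the proposal: community holders, then CoinAlpha,
# then any remainder reverts to the Foundation.
CLAIMS = [("community", 263_000), ("CoinAlpha", 915_000)]
```

With the post's figures, `reimbursement_waterfall(1_200_000, CLAIMS, "Foundation")` pays the community and CoinAlpha claims in full and leaves 22K for the Foundation; a smaller recovery shortens the later claims first.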

How much would re-issuance cost?

  • Time: We estimate that it would require 2-4 weeks of full-time effort by a majority of the Foundation staff, in order to take balance snapshots, write and deploy smart contracts, test/execute transactions, and communicate what transpired to affected HBOT holders.
  • Money: Assuming that HBOT is re-issued on a different EVM chain, approximately $1K in gas costs. If Ethereum, $10-20K in gas costs.

Next steps

  • As described above, Hummingbot Foundation will reimburse the affected HBOT (AVAX) holders as soon as it receives the 1.2M HBOT tokens from the Nomad recovery address.
  • While the Nomad hack was unfortunate, it only affected 1% of the total HBOT supply and a majority of the hacked tokens have already been sold without substantial price impact on HBOT.
  • Therefore, Hummingbot Foundation does not plan to act upon the re-issuance plan described above, but if the community believes this is necessary and approves a governance proposal ratifying it, we would execute the plan.
  • We welcome questions and feedback as replies to this topic or in the #hbot-token channel on Discord.

Looking at the overall situation, I would not recommend re-issuance.

I would still prefer that HBOT keeps a pool on Uniswap, with a trading pair against ETH.

On the other hand, I would also prefer to have an alternative network or chain in the near future with cheaper transaction costs. There are reports that ETH 2.0 may still not prevent higher gas fees.

With cheaper transaction costs, we can create gateway v2 strategies or scripts like the “DCA script for DEXes” idea by Alkhalifah-blockchain (for accumulating HBOT), distribute rewards to the community even in relatively small quantities, and other use cases.

I do not have a preference for an alternative network or chain at the moment.

Finally, I am glad that holders on Avax will be refunded.
This situation may just be a bump in the long road/years ahead. :clinking_glasses: