On Saturday, June 19th we discovered that an attacker had obtained access to an account that managed some of the Hypervisor admin functions. The attacker was able to withdraw funds from deposits that were not yet placed into the LP positions. The withdraw amounted to $500k from a TVL of ~$3M. The attacker was not a member of the team and appears to have lacked full understanding of our emergency withdrawal safeguard. Stolen funds were thus limited to un-positioned assets and thus the $500k number was not arbitrary.
We have used our treasury funds to restore the token amounts withdrawn to each hypervisor, restoring user position values.
We do want to highlight our intentionally restrictive approach to this Beta launch including a very small whitelist and capping deposits at $5k per account. But with that said, our mistake was not using a multisig account for all admin functions of the Hypervisor. This has since been corrected: https://gnosis-safe.io/app/#/safes/0xF14c8b0aB465bd3D22D04495A8E25f75Da2ec16e
The reason behind this initial design decision was because we thought that it was not practical to have multiple people sign for managing frequent rebalancing on multiple pairs every time a rebalance was needed. We later chose to create an emergency withdraw function for our test Hypervisors pending our audit completion as a safe guard in case funds needed to be rescued. However, when we added the emergency withdraw function we did not move to a multisig as soon as we should have.
To be clear, there was not an exploit of any of the Visor contracts. Right now all admin functions of all Hypervisors have been assigned to a multisig and as soon as audits are completed the emergency withdraw function will be removed entirely. We realize the importance of permission management and will only adopt industry standards and best practices now and going forward. We recognize this is a particularly complex design space since it is dealing with both active management and safety of funds. We intend to contribute to this space as we move forward with our active management architecture.
We want to thank the Visor community for their support and feedback during this Beta phase as we continue towards an officially audited open launch.