TLDR: There was no hack in the VOX drop, no contract vulnerabilities, etc. There are some fundamental weaknesses in the way ETH handles randomness which were exploited by someone pointing a massive amount of hashpower to break down some of the random aspects. This is why we are building beyond ETH as fast as we can.
As many members of the Gala Games Discord noted, earlier today there seemed to be a guy who was hitting the contract to redeem VOX and seemed to be getting a bit TOO successful in terms of his random mint pulls.
The question was immediately asked, “HOW?!?!”, immediately followed by “OMG HACK!” and “RUGPULL.” This hyperbole is as baked into crypto as terms like “HODL” and “MOON!”, but these reactions deserve a detailed explanation of exactly what transpired, which also shows how intensely the VOX collectable series has captured people's imagination.
Firstly, in order for this to make sense, you need to understand how “randomness” works on Ethereum. The VOX Mint had five elements of randomness (or pseudo-randomness) inserted to keep the mint random.
- A keccak256 hash of the Chainlink VRF seed
- The sending wallet address
- The block height
- The block time
- The block difficulty level
First, the VOX were hashed using the Chainlink VRF Seed, then when a transaction hit the contract, the block height, time, and difficulty permuted that initial hashing to pull a specific VOX from the index and deliver it to the user’s address.
So, this is what we believe happened given the information that we have:
- Someone reverse engineered the Chainlink seed by emulating and debugging the contract locally. Yes, we could have called a new Chainlink seed for each operation of the contract, but this would have dramatically increased the swap cost. Next time, we will likely do this, as well as make a few other changes.
- They then used a combination of a massive private mining pool / block auction house to make sure that they could choose the exact second and block when their transactions were executed. It had not occurred to us that someone would devote those kinds of resources to this, since this person was essentially going against all of the rest of the cumulative ETH miners globally to do it. Being off by even a second in either direction would produce a different result.
These transactions were specifically constructed to skip the ETH mem pool altogether, initiating several steps:
- Purchase of a VOX box from OpenSea
- Exchange of the VOX box via the smart contract, bypassing the website altogether
Each transaction had BOTH steps of this written into the same block, which they then manually mined using their own private mining pool.
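A Python model of the five inputs listed above and of the per-operation seed alternative mentioned earlier, showing why the first is computable before a block is sealed and the second is not. This is an added example, not Gala's contract code: SHA3-256 stands in for keccak256, the function names are hypothetical, and every value is constructed.

```python
import hashlib
import secrets

REMAINING = 10_000  # constructed pool size, not a figure from the post

def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _mix(*parts: bytes) -> int:
    # SHA3-256 stands in for keccak256 (same role, different padding).
    return int.from_bytes(hashlib.sha3_256(b"".join(parts)).digest(), "big")

def mix_static_seed(seed_hash, sender, height, timestamp, difficulty) -> int:
    """Model of the drop's inputs: one stored seed hash, sender, block fields."""
    return _mix(seed_hash, sender, _u256(height), _u256(timestamp), _u256(difficulty))

def mix_per_request(random_word: int, sender: bytes) -> int:
    """Model of the alternative: a fresh random value for each operation."""
    return _mix(_u256(random_word), sender)

def pick(mixed: int, remaining: int = REMAINING) -> int:
    return mixed % remaining

# Constructed sample values.
SEED_HASH = hashlib.sha3_256(b"constructed-seed").digest()
SENDER = bytes.fromhex("11" * 20)
HEIGHT, TIMESTAMP, DIFFICULTY = 13_000_000, 1_630_000_000, 8 * 10**15

def static_inputs_known_before_inclusion() -> bool:
    """Every input exists before the block is sealed, so a pick computed
    off-chain equals the pick the contract will make."""
    off_chain = pick(mix_static_seed(SEED_HASH, SENDER, HEIGHT, TIMESTAMP, DIFFICULTY))
    on_chain = pick(mix_static_seed(SEED_HASH, SENDER, HEIGHT, TIMESTAMP, DIFFICULTY))
    return off_chain == on_chain

def one_second_changes_mix() -> bool:
    """A one-second shift in block time yields a different mixed value."""
    a = mix_static_seed(SEED_HASH, SENDER, HEIGHT, TIMESTAMP, DIFFICULTY)
    b = mix_static_seed(SEED_HASH, SENDER, HEIGHT, TIMESTAMP + 1, DIFFICULTY)
    return a != b

def per_request_guess_matches() -> bool:
    """The random word arrives after the request is on chain, so a value
    guessed beforehand does not reproduce the contract's mix."""
    guessed = 0
    delivered = secrets.randbits(256) | 1  # constructed oracle reply, never 0
    return mix_per_request(guessed, SENDER) == mix_per_request(delivered, SENDER)

if __name__ == "__main__":
    print(static_inputs_known_before_inclusion(), one_second_changes_mix(),
          per_request_guess_matches())
```

When reviewing a mint contract, the question this model answers is whether every input to the mix already exists when the transaction is built; if so, the outcome is a function of block placement rather than chance.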
This is FAR beyond the complexity that we anticipated, and, while it is indisputably a crappy experience, it really shows how awesome the VOX are in their artistic and utility prospects. It was such an impressive side-step around ETH as a whole that it shows we will clearly need to beef up the randomness via a variety of methods in future VOX drops.
The bad news is that once this process has been started, there isn’t anything that can be done. The contract can’t be paused or “reset.” This is the blockchain, and what is done is done, and who would want to buy into an NFT project if you knew the devs could just turn off the mint? It sucks, but it is the way of the world.
The good news is that this actor only seems to have become active towards the very end of the exchange process, and while they minted more than their fair share of certain rarities, the fundamental rarity of the VOX was not in any way compromised. He got one in on us this time, but he isn’t going to do that again.