On October 7, 2023, several community members reported abnormal declines in Delegation numbers. After checking the on-chain data, we found that multiple Vault Owners were maliciously extracting delegators’ staking rewards by unjustifiably increasing the commission percentage.
The on-chain issue has been resolved through an upgrade, and we will provide compensation to all affected delegators within 1 month.
Some Vault holders reported that this conduct was the result of hacking, due to their addresses being stolen. Fortunately, most of the funds have not been lost. These Vault holders will return these funds to the community. This also serves as a reminder to other community members to pay attention to account security and keep your mnemonic phrases safe.
The addresses and Vault PIDs of those caught in the malicious conduct are as follows:
| ID | Owner address | PID | Cheating date | Mark |
|---|---|---|---|---|
| 5 | 45etpeyNYjT6W9B4i15kUzPteUvVLgFRU5zgbGJNgKmtYsnk | 4034 | 2023/9/8, 2023/9/22, 2023/9/26, 2023/9/30 | Unable to get in touch |

If you did not hold any delegation in these Vaults at the times specified above, you will not be affected.
Among these, Addresses ID 1-4 are controlled by the same entity, and Address ID 5 is another entity.
We conducted detailed analyses on those engaged in this malicious behaviour, identifying the addresses associated with two culprits:
The team associated with these addresses has promptly contacted the Phala team. They reported that the accounts had been stolen and that most of the misappropriated funds are still within the addresses. This team will cooperate on the resolution of this incident and make a full refund to the affected delegators.
**Related Address List:**
Public information registered by the Vault owner:
Email: [email protected]
Email: [email protected]
Relationship of Malefactor Vault owner A’s addresses (Link of Map):
Address On-chain Authentication Information:
Email: [email protected]
The primary intent behind the design of the Vault was to reduce the difficulty Phala users had in staking. Prior to the launch of the Vault, delegators had to understand and manually claim staking rewards every day. The Vault uses an on-chain design similar to that of an LSP, which allows the Vault Owner to use professional management to execute staking strategies on behalf of users at low risk.
A characteristic of the Vault is that only those with high community influence can amass a sufficiently high delegation. The larger the Vault, the more users there are, and the greater the owner’s influence. If Vault owners act maliciously, the larger Vaults could potentially cause significant harm, but the risk of being discovered and losing reputation also increases.
Due to the limitation on the number of transactions in a single block, we are unable to automatically distribute Vault commissions with the distribution of mining rewards. That’s why we adopted a manual rewards withdrawal mechanism for the Vault, requiring Vault owners to manually apply for commission distributions.
There were two key actions in this instance of Vault owners behaving maliciously:
- Changing the Commission: The Commission is the percentage of commission set by the Vault owner.
- Settling Vault proceeds: When the Vault owner manually chooses to settle the Vault proceeds, the Phala on-chain system would settle the revenues between the Vault Owner and Vault Staker according to the Commission. The settlement reference is the value increment per share brought by all the mining rewards within the Vault between this settlement and the previous one. This increment times the commission ratio, and then times the number of Shares in the Vault, is the number of proceeds for the Vault owners in this settlement.
Prior to the exposure of this issue, the on-chain implementation allowed the Vault Owner to increase the commission, which not only affected future commissions but also all unsettled commissions from the last settlement until now.
This allowed the Vault Owner to continuously adjust the commission and manipulate settlement times to extract interest profits from the delegators, regardless of the reputation of the Vault.
Initial statistics show that 246 users were affected by this malicious conduct, with a total loss of about 704872.53 PHA. Detailed records of the Vault Owners’ cheating profits can be found here: Vault cheater claim records
This month, we will refine the calculation of the actual number of affected individuals and the associated losses through code, and trace back all records and impacts of similar incidents since the Vault function was launched. Because the calculation logic is complex, it takes time to sort out the information. Thanks for your patience.
To date, we have forced all Vaults to automatically calculate before modifying the commission through an on-chain upgrade. This mitigates any impact on the earnings of historical delegators during the Vault settlement.
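The settlement rule and the effect of the upgrade can be seen in a small model. This is an added example, not Phala's on-chain code: the struct, function names, amounts and rates are constructed, and the upgrade is modelled as a settlement at the old rate before the commission changes (an assumption based on the description above).

```rust
// Added example: simplified integer model; all names are hypothetical.
const SCALE: u128 = 1_000_000_000_000; // fixed-point scale for value per share

struct Vault {
    shares: u128,             // total shares in the Vault
    price: u128,              // current value per share, scaled by SCALE
    last_settled_price: u128, // value per share at the previous settlement
    commission_bps: u128,     // owner's commission in basis points (10_000 = 100%)
    owner_paid: u128,         // cumulative proceeds settled to the owner
}

impl Vault {
    // Mining rewards raise the value of every share.
    fn accrue(&mut self, reward: u128) {
        self.price += reward * SCALE / self.shares;
    }

    // Owner proceeds = per-share increment * commission ratio * shares.
    fn settle(&mut self) -> u128 {
        let increment = self.price - self.last_settled_price;
        let owed = increment * self.shares * self.commission_bps / 10_000 / SCALE;
        self.owner_paid += owed;
        self.last_settled_price = self.price;
        owed
    }

    // Pre-upgrade: the new rate silently covers rewards not yet settled.
    fn set_commission_pre_upgrade(&mut self, bps: u128) {
        self.commission_bps = bps;
    }

    // Post-upgrade (assumed behaviour): settle at the old rate first, then switch.
    fn set_commission_post_upgrade(&mut self, bps: u128) {
        self.settle();
        self.commission_bps = bps;
    }
}

// Constructed scenario: 10_000 PHA accrue at 5%, the rate is raised to 100%, then settled.
fn owner_take(patched: bool) -> u128 {
    let mut v = Vault { shares: 1_000_000, price: SCALE, last_settled_price: SCALE,
                        commission_bps: 500, owner_paid: 0 };
    v.accrue(10_000);
    if patched { v.set_commission_post_upgrade(10_000) } else { v.set_commission_pre_upgrade(10_000) }
    v.settle();
    v.owner_paid
}

fn main() {
    println!("pre-upgrade owner take:  {}", owner_take(false));
    println!("post-upgrade owner take: {}", owner_take(true));
}
```

In the pre-upgrade path the owner collects the whole unsettled reward at the new rate; in the post-upgrade path the same reward is settled at the rate delegators had agreed to, and the new rate only applies to rewards that accrue afterwards.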
Simultaneously, for all the similar behaviors that we’ve traced back to since the launch of the Vault function, we will compensate for all losses through the mining rewards account and do so via an on-chain referendum. The specific methods of compensation and compensation list will be publicly disclosed in sync with our tracing records.
Also, the primary Vault holder involved in this incident will be refunding the funds associated with this event. The refund records will be publicly displayed in sync with the tracing records.
- If you discover similar behaviors in other Vaults, please report the Vault ID in this post on the Phala forum as soon as possible: Report bad stakepools&Vaults! We also have a global ambassador team who can help relay your issue to us. Feel free to contact them when you need help.
- If you have not staked to any Vaults in the aforementioned list, there’s no need to panic. This incident will not affect you.
- If you have staked to Vaults in the mentioned list, please stay tuned to our community announcements. We will announce compensation information as soon as the damaged records are completely retraced.
- Take care of your mnemonic phrases and keep them safe!