Dear NULS Community:
As previously reported, NULS mainnet was recently compromised and 2 million NULS tokens were stolen from the NULS team account. After thorough investigation of the compromise, a vulnerability was discovered in the NULS transaction signature verification logic. The hacker(s) used a sophistically constructed transaction to bypass the verification link, the node confirmed the transaction and transferred 2 million NULS from the NULS team account (NULSd6HgbfkSuRGKSLJJzAPAihgDQtaUhuE4L) to the hacker’s address (NULSd6Hgie AzRMb6e1fKLu1xrfijnuRVRXY). These assets were then dispersed to multiple addresses with the intention of moving them to secondary market exchanges.
After detecting the compromise, the NULS team immediately contacted the exchanges to freeze the assets, urgently troubleshot the problem and fixed the vulnerability. The team then released a new version of the mainnet wallet and decided to perform a hard fork at the block height of 878000. At present, the adverse effects of the incident have been completely mitigated by the NULS team.
Of the 2 million NULS transferred by the hacker(s) from NULS team account, 548354.34696095NULS have entered the trading market, and we have communicated with the relevant exchanges to attempt freezing those assets. After the hard fork, the 1451645.65303905NULS that did not enter the trading market will be destroyed by permanently freezing them to avoid any further potential loss.
Asset security is the life of a blockchain project, and this security incident is a wake-up call for the NULS team, which will conduct more rigorous and comprehensive code reviews. Thank you to the NULS community members, node operators, trading platforms and industry media for their attention and support during this unfortunate incident.
As a result of these conservative security measures, there may be some NULS assets inadvertently locked on one of the major exchanges wallets. If you believe you have NULS assets that may have been inadvertently frozen, please contact the team and we will open a community proposal within the NULS governance mechanism to begin the process of unlocking those frozen assets.
Lastly, through the cooperation of some of the exchanges, we have obtained sufficient evidence against the perpetrators, and we will take legal action to hold them fully accountable.
Thank you for your patience and continued support.
December 24. 2019
Attached to this document is a list of all the accounts involved.
NULS Team Wallet Address
The following are the addresses the perpetrator(s) disbursed the NULS to and have been frozen
Access to exchange accounts :
NULS — Nothing Makes Blockchain Easier