[IMPORTANT] Community Update: WonderHero BNB Chain Bridging Withdrawal Compromised
9 Apr 2022 4:30 PM UTC+8 — This article has been updated with key updates
8 Apr 2022 11:30 PM UTC+8 — This article has been updated with key updates & community Q&A
//9 Apr 2022 Key Updates
At 5PM UTC+8: WonderHero website, marketplace and yield system will resume. Deposit & withdrawal, NFT Bridge and $WND-BNB staking will be disabled.
At 6PM UTC+8: WonderHero game service will resume with the Double Energy Event. Players can log in to the game and continue their epic battles. The Double Energy event will end on 11 Apr 11AM UTC+8. During this period, the energy max cap will increase to 24 and players will replenish 2 energy points every 2 hours instead of 1 energy point.
Players are also encouraged to complete all PVP challenge chances before the round concludes at the end of the week.
Our team will continue to monitor closely to ensure the safety of our community and the security of the assets.
//8 Apr 2022 Key Updates
With key considerations of safety and security of the game, the WonderHero developer team has conducted a thorough inspection of the game ecosystem and identified numerous affected areas concerning the bridge while the game’s assets on Polygon remain safe. Our investigation continues and we will provide more updates in this newsletter.
WonderHero Game will resume on 9 Apr 2022 [Time to be advised].
Upon closer inspection, all our players’ assets on Polygon are unaffected. The team has made the decision for WonderHero game services to be resumed as it is safe and the least impacted by the attack.
- Players can continue to earn $WND, $HON & NFT assets, however deposit & withdrawal of tokens in and out of the game will be disabled temporarily till further notice.
- Players can continue to play PVP Arena this week to earn the rewards, but this week’s ranking results will not be considered as the official winners. As this week’s PVP is affected by the attack, we will not announce the winners on our social media.
- Marketplace Buy/Sell will resume as the assets are on Polygon and unaffected.
- We will continue to roll out a new feature in the upcoming week. (Players can send NFT as gift to another account)
- Our team will continue to inspect and examine our game service exhaustively to ensure the safety and security of our players’ assets.
Token holders compensation preparation
We are going through the list based on the snapshot prior to the attack, and compiling the data of our token holders affected across various platforms like iSwap, Gate.io, and this includes unclaimed tokens from the IDO on Polkastarter. We expect this evaluation and checks of the affected token holders will be completed by 10 Apr 2022 (subjected to changes). Once this step is done, we will announce the following details.
- [tbc] Backend security checks and smart contract upgrades
- [tbc] Improvised and verified bridge
- [tbc] Full audit on smart contracts and bridge
- [tbc] Release of new $WND Contract Address
- [tbc] Compensation airdrop details
- [tbc] Bridging reopens with new liquidity pool (we will put the same liquidity amount prior to the attack)
- [tbc] Resume deposit and withdrawal of $WND/$HON from account to wallet
*tbc: above dates are to be confirmed.
//Original Article posted — 7 Apr 2022 22:47 PM UTC+8
Earlier today, there was an attack on our cross-chain bridging withdrawal via BNB Chain. Based on our investigations, the attackers managed to get the signature and minted 80M $WND on BNB Chain and traded through PancakeSwap for a total of 750 BNB which resulted in the sudden drop of $WND price.
The attack was first discovered on 7 April 2022, 14:53pm (GMT+8). The team took swift actions by suspending all services for users and blocked other attacks by the hackers by disabling all WonderHero platform services and trading on listed exchanges.
A thorough investigation will be done and details will be updated.
Users can be assured that their HON, WND, NFT and accounts on Polygon are safe. WonderHero website, marketplace, game and other services will be temporarily disabled as the team works on the rectification. A snapshot of users’ assets on BNB Chain prior to the attack will be taken. WonderHero is committed to not just making the game fun but also keeping the assets of our players safe and we will spare no effort in doing so. The team will conduct checks and leave no stones unturned. WonderHero’s contracts and bridge were fully audited by Hacken with the reports here: https://hacken.io/audits/#wonder_hero
What is going to happen next?
- The team will be working round the clock to rectify the breach on our cross-chain bridge.
- Internal checks followed by a full audit will be conducted for the entire system to mitigate all threats and to prevent any future exploitation.
- A new contract for $WND will be created and the new $WND tokens will be airdropped to our token holders based on the snapshot prior to the attack , before block 16731166.
- WonderHero will compensate 100% to all liquidity providers of the WND-BNB LP pool prior to the attack.
- Once the above are completed, the new $WND liquidity pool will start for trading again. WonderHero website, marketplace, game and other services will resume.
- We will announce the timeline for recovery of services on a later date.
- A bug bounty program will be planned after the audit to better protect users.
We would like to reassure all WonderHero ($WND) supporters that everyone will be fairly compensated with an airdrop of the exact same amount of $WND according to the snapshot taken before block 16731166. We would like to further inform everyone not to make any trades at the moment until the new contract has been issued.
“It is a regrettable incident, we will do everything we can to make WonderHero a fun and secure game for players. We would like to take this opportunity to thank the community for their trust and continuous support, this has only steeled our resolve to deliver a great game that offers both value and fun to our players. Our community can rest assured that my team and I are fully committed to bringing WonderHero to greater heights.”
- Ethan Ng, Co-founder & CEO WonderHero
For media enquiries, please e-mail firstname.lastname@example.org
19 Apr 2022 6:15PM UTC+8 — Updated with additional Q9 and Q10
1. How to check my block #?
Look at your transaction details on BSCscan.
2. Will I be compensated if I traded after the hack happens?
We will compensate our $WND token holders based on the snapshot before the attack happens.
3. Why is the DEX open for trading when CEX is closed already during the hack?
Unlike centralized exchanges, DEXs fundamentally have no recovery ability because all transactions are processed and stored in smart contracts on the blockchain without any owners or overseers. We urge our community to stop buying, selling the $WND, as the attacker may stand to gain more during this period.
4. What happens to my WND in GATE & HUOBI?
We are working with the exchanges at the moment and will advise on the details when the solution is ready.
5. What if I transferred my tokens to another wallet?
As mentioned in our announcement, we will be issuing a new $WND contract address, the $WND of the old contract address will be voided.
6. Can I still trade WND?
We urge our community to stop buying, selling the $WND, as the attacker may stand to gain more during this period. As mentioned in our announcement, we will be issuing a new $WND contract address, please wait and before that happens, it is to the best of your interest to stop trading.
7. What will be the value of the token after the new contract address is created?
The price of the token after the new contract address will be based on the snapshot before the attack happens.
8. What will happen to the unclaimed tokens in staking?
All your game assets, NFT, Tokens as well as those that are in staking are safe. The same amount will be matched after the new contract has been released.
9. Can I trade my WND on HECO and HUOBI?
$WND on HECO and HUOBI were not affected by the attack so users can trade normally.
10. Can I trade my WND on PancakeSwap, Gate.io or other exchanges?
$WND token holders on Gate.io or other exchanges and $WND liquidity providers on PancakeSwap are highly advised NOT to trade and refer to the [Token Holders Snapshot Evaluation] section in our recent announcement: https://swiy.co/whbnbchain16apr