Open in app

Sign in

Write

Sign in

[IMPORTANT] 16 Apr Community Update: WonderHero BNB Chain Bridging Withdrawal Compromised

WonderHero
5 min readApr 16, 2022

--

16 Apr Updates

Background: WonderHero is a multi-chain project that utilizes our proprietary WonderHub for cross chain transactions, primarily for Polygon and BNB chain. To facilitate a cross-chain transaction, tokens need to be burned on the initial chain and the same amount of tokens are to be minted on the destination chain to be withdrawn.

// DETAILS OF THE ATTACK

On 7 Apr 2022, a hacker invaded WonderHub, bypassing the risk control module to gain access to the cross chain withdrawal interface on the BNB chain.

The hacker then utilized the back-end signature server and the smart contract for WND minting on BNB chain to mint 80M WND. On 7 Apr 2022, 07:05:27 AM UTC, the hacker sold the 80M WND on PancakeSwap for 744.374 BNB.

https://bscscan.com/tx/0x20dabda59dd46d45a7b6b5b324830159fb108cd2119232d7f0056d8085de17e1

Between 7 Apr 10:34:56 AM UTC to 10:40:32 AM UTC, the hacker utilized Tornado Cash to make private transfers of the BNB. Tornado Cash is a token mixing platform that severs the link between the initial sender and its destination which makes the online transactions private and untraceable.

https://bscscan.com/tx/0x5df27cd7c12e08020ed6b38d51929e2ffc23914a520c2ca494d2ef1f32baa470

Prior to the attack, the safety and security of WonderHero smart contracts were audited and recognized by our auditing agency Hacken, however, this malicious attack has shown that there are areas we need to improve with WonderHub’s security and risk control.

// ACTIONS TO ENHANCE SECURITY AND INCREASING RISK CONTROL

After an exhaustive security review, our team has formulated a comprehensive enhancement plan and we target to complete all the upgrades before we release the new WND tokens.

  1. Mitigate the current risks of WND minting that exist during cross chain token withdrawal, we will adopt a transfer method using a Token withdrawal pool. This will enable us to control the amount of WND token in the pool at any point of time.
  2. Deploy real time monitoring of the WND minting on the BNB chain, and reinforcing it with a time lock and secondary audit mechanism. The time lock mechanism will prevent hackers withdrawing from the token pool immediately, giving our team time to prevent damage from taking place.
  3. Improve the development team system and processes, as well as giving the risk control team more power to decide against major technical risks by implementing a veto system.

Alongside these stricter measures, our team will continue to monitor and evaluate for potential risks to deter future attacks.

// TOKEN HOLDERS SNAPSHOT EVALUATION

For WND token holders and WND liquidity providers, please take note of this section. Our team has also taken the snapshot prior to the attack on 7 April 2022, 14:53pm (GMT+8) before block 16731166, and here is the breakdown after the evaluation of the token holders situation:

Categories of UNAFFECTED WND Token holders
—NO ACTION REQUIRED By WND Token Holders

  1. [WND tokens unaffected by the attack]
  • WND deposited into the game account
  • WND earned from WonderHero in-game
  • WND earned from PVP rank and lottery rewards
  • WND earned from NFT staking.
  • WND on the HECO chain.
  • WND on Huobi Exchange

The list above are $WND token holders on HECO and Polygon, and were not affected. Hence no airdrop will be given and exchange of new tokens is not required.

2. [WND tokens affected, but no action required by token holders]

  • WND on BNB Chain address. (eg. WND on Metamask wallet)
  • WND in Stake WND earn HON pool
  • WND in Lock WND
  • WND earned from WND-BNB LP and is yet claimed.
  • WND on Gate Exchange (we are currently in talks with Gate and will strike a recovery solution.)

3. [WND-BNB LP tokens affected, but no action required by WND Liquidity Providers]

  • Hold WND-BNB LP on BNB Chain address
    We’ll airdrop new LP tokens to the wallet address.
  • Stake WND-BNB LP on WonderHero staking platform.
    We’ll release a new LP staking pool and airdrop the same amount of new LP tokens in.

If you have $WND on the 3 lists above, no action is required. Based on the snapshot prior to the attack, for point 2 & point 3 of the list, new $WND will be airdropped to replace the old tokens when the new contract address is released. New WND-BNB LP tokens will be airdropped to the previous wallet addresses.

Category of affected WND Token holders
 — ACTION REQUIRED By WND Token Holders

  1. [WND tokens that are affected, actions required by token holders]
  • If you have $WND in non-official smart contract addresses (eg. unredeemed $WND tokens from IDO), you will not receive the airdrop directly, please contact us via our support system on app.wonderhero.io.
  • If you have WND on other exchanges besides Gate.io and Huobi, please contact the respective exchange directly for replacement of the tokens. As we will need to work with each exchange individually to resolve the issues, a longer duration may be expected.

// NEXT STEPS

Our team is targeting the release of the new $WND token by 28 April 2022. The following steps will be completed prior to the release of new $WND tokens:

  • Snapshot details will be published on our website for $WND token holders.
  • Backend security checks and smart contract upgrades to be completed.
  • Improvised and verified bridge.
  • Full audit on smart contracts and bridge.
  • Release of new $WND Contract Address. (Once the new contract is released, the old $WND contract will be severed from WonderHero.)
  • Bridging reopens with new liquidity pool. (we will put the same liquidity amount prior to the attack)
  • Resume deposit and withdrawal of $WND/$HON from account to wallet.
  • Airdrop new $WND token to token holders.

Please note that the date is subject to changes as it is depending on the team’s development progress and available audit by Hacken.

During this period, we continue to urge our community to not trade $WND. There are multiple scams going on, please stay vigilant and share this update to protect and keep our community informed.

To most gamers, gaming is life, and to some, life is gaming. We want to thank our community for the patience and the unwavering support during this period. The team has been relentless and unyielding on our mission and vision, and this is a longer process as we do not want to shortchange our community by rushing it without a deliberate recovery plan.

There are no shortcuts to overcome this setback, our team is committed to bring WonderHero to great heights and we are here for the long ride. Our mission will go on regardless of pitfalls and hurdles, hence the team is preparing an AMA titled “WonderHero 2.0” shortly before the release of the new tokens. Stay tuned for the date.

For media enquiries, please email Ian at ian@wonderhero.io.

// Link to earlier announcements:
8–9 Apr Community Updates & FAQs

Nft
Blockchain Game
Crypto Gaming
P2e
Play To Earn Games

--

--

WonderHero
WonderHero

Written by WonderHero

3.1K Followers
2 Following

WonderHero is NFT play-to-earn mobile game. The game is a turn-based MMORPG for iOS/Android where players collect Heroes, enter RPG combat and earn tokens.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams