On Monday, December 8th, poidh was exploited for ~$500 worth of ETH (.17Ξ) via a flaw in our open bounty system. The attack happened at roughly 11 am PST and broke our indexer. The indexer had failed before, so our assumption was not that an exploit was underway, but that we had a simple backend issue that was stopping the website from displaying new information.
However, when the indexer restarted, we saw the updated front end with bounties that had been exploited. Immediately, we published a warning.
After announcing what had happened, we were lucky to have horsefacts take a deeper look at the exploit (of his own accord). He then reached out and let us know how the vulnerability had been exploited (see the breakdown from Claude here), and that there was a second vulnerability the attacker had not found. He asked if we wanted to run a white hat hack to withdraw all user funds before anyone else could.
We said yes, and horsefacts executed the transaction to rescue user funds on our Arbitrum and Base smart contracts—which held the majority of user funds.
We used these rescued funds to make all users whole who had bounties still in progress on the app via Arbitrum and Base.
At this time, the Degen Chain contract is still live and can have bounties finalized, but we ask that no one add more funds to the contract. There are minimal user funds still available (<$50) and, should the contract be exploited, we are fully prepared to refund users who did not retrieve their funds.
poidh is rebuilding and will launch a revamped, secure poidh v3 contract. If you are a smart contract developer who'd like to help, please reach out to us via X or on Farcaster.
While working on v3, we'll also be celebrating the accomplishments of poidh v2 and taking some time off for the holidays. We appreciate the entire community's response to this incident; everyone has been amazingly understanding and supportive. That support will always be remembered.