Social token platform Roll suffered a hot wallet breach, resulting in hackers draining at least 3,000 ETH worth $5.7 million on March 15.
At roughly 8am UTC, digital asset management platform MyCrypto reported that a hacker may have compromised the private keys for Roll’s hot wallet, allowing them to transfer funds from users’ accounts at will.
After approximately 12 hours, Roll responded to the attack, announcing the hacker had stolen and liquidated a large number of tokens, and that withdrawals had been suspended across the platform:
“The attacker has sold all the tokens. There is no further user action suggested.”
Roll added that it had launched a $500,000 fund to “help creators and their communities” affected by the incident.
The attacker stole 11 different social tokens, including $WHALE, $RARE, and $PICA. The stolen funds were then transferred to Tornado Cash, a privacy tool often used by hackers to launder stolen funds. The hacker then traded the tokens for Ether on the popular decentralized exchange, Uniswap.
Markets for the tokens stolen in the breach began to dump within hours of the attack, quickly accumulating losses of more than 90%. Some of the worst-hit included $PICA, $WHALE, and $FWB, which plummeted 99.6%, 99.3%, and 92.35% respectively.
As a result of the attack, the market cap of social tokens on the platform fell from $1.5 billion as of March 12 to $365 million as of this writing.
With only 2.17% of its supply compromised, $WHALE was one of the few tokens to recover quickly, trading above $30 at the time of writing.
A social token is an ERC-20 token users can create on platforms like Roll in order to engage with their community or sell assets.
Roll’s response to the breach has drawn mixed reactions on Twitter, with the $500k fund receiving particular attention.
500 000$ fund??
I’m a creator and our community just lost EVERYTHING..
The $PICA just went to 0…
I lost like months of salary
As smaller creative communities we just expect more than this.. Hoping for a full refund. Confidence there will be seriously damaged either way
— Maxime Hacquard (@HacquardMaxime) March 14, 2021
Twitter user “LoB” added: “$10 million in a hot wallet without the multisig that you promised creators was in place, 12 hours to make a response to the incident, and $500k to be split across a dozen projects? Yikes.”