Important Notice to Definians!
As of this article being published, we have paused minting heroes from all V2 Mystery Boxes and disabled buying and selling Mystery Boxes on the secondary marketplace. We have also paused redeeming Mystery Tickets for Mystery Boxes. Meanwhile, please do not make any over-the-counter trades until further notice.
We received a report from a community member and carried out an investigation after his report.
Timeline Transparency Report:
Tuesday, Dec 28th
- We got a report from a community member that he had found suspicious activity from different wallet addresses.
- We collected the suspicious addresses and investigated to find the pattern of behavior.
What we found out:
The hacker bought BNB from the FTX exchange and swapped the BNB to FINA through PancakeSwap to purchase Mystery Boxes from our secondary marketplace. The hacker then exploited the Mystery Box V2 smart contract to mint SSS heroes and SS heroes from the Mystery Boxes, disregarding the actual drop rates. The hacker then tried to hide the smart contract exploitation by putting the heroes up for sale on the secondary marketplace or staking them in the game.
We paused the purchasing of Mystery Boxes to prevent him from purchasing more. The developers also met to review the smart contract and to discuss solutions for a new smart contract.
We have a theory about how the hacker exploited the contract, but we have not been able to repeat the action to prove the theory. Thus, we are offering a Bounty Program to the first person who can repeat his exploit on the testnet.
Testnet Contract for V1 Mystery Boxes
Contract Address 0xc648e8ef17b242513f897d74409e2d20084d2060 | BscScan
Testnet Contract for V2 Mystery Box
Contract Address 0x07d52d6df2f259f6002916a7dc535f44ebef9c10 | BscScan
Wednesday, Dec 29th
- We investigated further and traced the full transaction history of all related accounts.
- We marked the hacker's wallet addresses and the NFTs he holds using the tag feature on BscScan.
- At the same time, we worked on the new smart contract.
Thursday, Dec 30th
- After tracing the hacker's holdings, we informed our marketplace partners (TheForce.Trade and OKEx) to take down all the heroes he had put on sale, to prevent him from making more profit.
- We found out his Telegram ID and reached out to him with a peaceful solution plan. We are willing to pay him the money he spent purchasing the Mystery Boxes from the secondary marketplace in exchange for having those NFTs returned to us.
Plans on the Exploited NFTs
The team’s current plan is to get the NFTs back and then use them to reward the first reporter and the person who successfully uncovers the smart contract exploit in the Bounty Program. We will give away the remaining NFTs via community events to return them to the players and community members. The current plan is to hold a weekly lottery draw. Defina players can get a lottery ticket priced at 2.5 FINA, and those who are new to Defina will need to pay 5 FINA for a lottery ticket. Each weekly draw will give away the SSS to a winner. 50% of the FINA we receive from the sale will be put into the PVP arena reward pool. The remaining 50% will be sent to the black hole to deflate FINA.
Below is the list of the hacker’s addresses and NFT IDs that he still holds:
If you’ve traced any more suspicious addresses, please report them to us! We will reward 20 FINA for each suspicious address.
If your NFT is mistakenly listed on the spreadsheet, please contact us through a support ticket on Discord or send us an email at email@example.com.
We will run a verification process, and once it is verified, we will remove it from the blacklist.
Note: Please do not buy those NFTs over the counter as we will blacklist those NFTs from our game server (those will not be able to be used in our game).
Another Note to the Hacker:
We are giving you 12 more hours to reach out to us so we can purchase those NFTs back from you. This is our final offer, and we encourage you to work it out with us peacefully.
If we do not get anything back from you before the deadline, we will blacklist all the NFTs you currently own and put a tag on them to prevent players from purchasing them. The blacklisted NFTs will also not be recognized by the game server.
Note: At the moment, players will not be able to search for and find those NFTs on our secondary market. However, the hacker may offer you an over-the-counter sale through another platform, so please do not do any OTC trade.
The new Mystery Box Smart Contract is completed [V4].
Our new smart contract on Testnet:
Contract Address 0xCA80F30D6e221D9306e0DA37B010C166c7E3D6e7 | BscScan
We will do the following:
- Audit the new smart contract. We will pause the current Mystery Box smart contracts and take a snapshot of the current owners.
- If we cannot get the NFTs back, we will add the same number of Heroes back to the Mystery Box hero pool so community members can still pull those heroes out. [Since we blacklist the affected NFTs and the server will not be able to recognize them, this acts as a “burn”.]
- The players who hold old Mystery Box(es) (from V1 to V3) at the time of the snapshot will be able to swap their existing boxes to V4 Mystery Boxes on a one-to-one basis after we deploy the new contract.
- The trading feature and minting feature will go back to normal after we deploy the new smart contract.
We will inform you once all of the above is completed through another social announcement.
New Smart Contract Highlight:
- We used Chainlink VRF to increase the security of our smart contract.
- We will offer our community a bounty program to triple-check our smart contract to ensure max security.
Defina does not tolerate behavior that cheats the system, and we will take action against it. Once again, fairness and security are among our top priorities, and we will maintain this in the future. Thank you for supporting Defina.
About Defina Finance
Defina Finance is a fascinating blockchain game that combines the concept of Defi and NFT. Players can buy or collect various NFT Mystery Boxes to get heroes & weapons as well as fight and enhance their champions to learn skills in numerous game scenarios. Players can participate in Defi yield farming and earn abundant on-chain earnings while enjoying a fun and strategic game with PVP and PVE modes. Defina’s vision is to bring blockchain to millions of players, allowing them to explore a new form of gaming through blockchain technology. Come create-to-earn with us as we build the Defina metaverse together!
Define your destiny, conquer your enemy & earn FINA daily!