On the 8th April around 00:30 UTC, an exploiter was able to constantly grab the contents of the RADS pool and all of the RADS/sRADS rewards and sell them for $1.3Mil worth of BUSD and BNB. This drastically dumped the price of RADS and the exploiter then transferred the BUSD and BNB to his wallet.
As soon as we received the information regarding the exploit, we immediatly alerted our community on Telegram and tried to respond to everybody’s concerns. At the same time, our team was hard at work trying to find the best solutions.
However, because of our extensive timelock, we couldn’t fix the issue immediately, and had to wait 24 hours for the rewards to be completely stopped.
Of course, we take full responsibility of this incident and apologize to all of you who joined the Uranium project. We have been privately audited before the launch and tried our best to avoid this kind of issue, but it was clearly not enough this time. This is definitely a hard-learned lesson.
The recovery of the funds
We could identify the wallet of the exploiter (https://bscscan.com/address/0x36ad9ee78bfb730955993d2aa77ecccf95e3313e) and saw that the initial funds transferred on it were directly coming from a Binance hot wallet, so that he could potentially be identified. We then launched a call on Twitter to Binance in order to help us. At the same time, we made a public request to the attacker to give him a way out of all of this, by sending us back the majority of what he stole, but keeping a part of what we called a “bug bounty”. Of course, we didn’t really like the idea of negotiating like this with the guy who stole the funds, but we judged that it was the best we could do in the interest of the Uranium platform, it’s investors, and the team. Finally, friday 04/09, the exploiter texted our community managers and admins to take up the offer. After some negotiation, he informed us he was ready to send us back $1,000,000 if we agreed to not take any further action against him and let him be. A few minutes later we got the funds back as ETH here : https://etherscan.io/address/0x0854Ec1Af3bA4B8517DAf0D548C58b9e20096076.
How will this amount be used?
First we’re going to take back all of it into the BSC (of course, for every transaction, we’ll publicly communicate a txid). Absolutely all of it will be sent to the money pots : a part of it will be distributed as dividends for the launch day of the v2, the rest will go into the bonus money pot, and will progressively be sent to the pending money pot. We still have to decide about the ideal repartition of the amounts yet between the two, and we’ll keep you informed about that.
How about the old money pot ?
We have currently a bit more than $100,000 in the v1 fee manager (the step before the pending money pot), and ~$80,000 in the v1 bonus money pot. All of the amount is totally stuck right now as we don’t have any way to withdraw it. However, for the pending money pot we have the possibility to make swaps inside of the fee manager (this function was used to convert all the fees we received into wBNB and BUSD only for the rewards).
We’ll set a script to constantly make swaps on the v2 pairs with those funds, until they are depleted from the fees. That’s kind of a workaround to handle it, but that’s the best we can do as the fees will go to the v2 sRADS holders.
However, the bonus money pot is completely locked, as the only thing we can do with it right now is to send it to be distributed, or to let it locked forever. We didn’t want the exploiters to steal the dividends’ content, that’s why we chose to completely stop the dividends distribution after the attack, but now that most of the maliciously acquired rewards have been sold, the only thing we can do is to distribute it to the current sRADS holders. It will be distributed on Sunday, April 11.
The launch is planned for next week. We have learnt from our mistakes so first, we will make Uranium publicly audited. Our strategy is to release V2 as soon as possible but we’re aware that people can’t just give trust without some concrete material.
We have been actively prospecting quite a lot of companies to get some quotes and find the ones with free enough schedules, as most of them currently have a lot of queued projects yet.
We’re close to set some deals though, and will probably be able to communicate about this in a couple of days at most.
The first step before the launch will be to compensate at best our v1 investors. We’re conscious that we definitely can’t satisfy everyone, but we’re trying to do it in the most fair way we can imagine.
First of all, the snapshot that will be used to get all the RADS and sRADS data will be at 1:00am UTC. We chose to use one a bit after the beginning of the attack, to be sure to reward users more rather than less.
➡️ You will be able to swap all of your RADS, no matter when they were bought.
➡️ All of them will have a 1:1 ratio with the v2 RADS
➡️ Among the RADS you will swap, those that you were holding before the snapshot will be swapped with a 10% bonus (1:1.1 ratio).
RADS Pool :
➡️ From all our users, the ones that were probably the most impacted were those in the RADS pool since their funds were completely stolen. That’s why we definitely had to find a special kind of compensation for them.
➡️ RADS staked in the RADS Pool will be refunded with v2 RADS (1:1 ratio) and the concerned users will also get bonus sRADS at a 1:0.1 ratio.
➡️ sRADS will be swappable to v2 sRADS to a 1:1 ratio. You won’t be able to swap any of the sRADS that were harvested after the snapshot.
Panic sellers :
➡️ We fully understand that some of you sold after learning about the exploit, and may have some regrets now. But there is no way for us to check the benefits/losses from every transaction from every panic seller.
Some have asked us to send them back the funds they had before the attack, but we clearly can’t consider it. Some took losses, but still a lot took profits in the operation, and it definitely wouldn’t be fair to give them back what they already sold to the other users.
Panic seller following to the « donkeybonkey » Uranium support message :
➡️ This case is a problematic one, since someone from our telegram team pinned a message stating that someone was minting rewards, and that users should sell as soon as possible. He misunderstood what was going on and his statement was wrong. But he did what he thought were the best for all of you, while the developers were having some sleep, and couldn’t answer his questions, so we definitely won’t blame him for this.
However, we will try to compensate this issue, at least a bit.
For those having sold from the moment the message was pinned (6:27am UTC), until 30 minutes after (6:57am UTC), we invite you to fill with your txid(s) this google form: https://forms.gle/2ZiCaBzQCohYCjfb6 . You will receive a compensation in the form of a v2 RADS airdrop. The exact amount is still to be set, and this will be have to be a manual process, so we won’t be able to deliver it before the launch of the v2. But we definitely won’t let it go as it is.
Pending rewards :
➡️ Pending rewards are lost. Some of you have lost several hours of farming and we apologize for this. We thought about everything we can, but we just have any way to get the needed information. After the exploit, we clearly explained that it was useless to farm, but in the midst of confusion, it wasn’t always easy to be fully understood.
Some examples :
Carl is a holder, he had 30 RADS :
20 RADS bought before the snapshot and 10 after the snapshot. He was a holder, he will get
20+2 RADS V2 and 10+0 RADS V2 so 32 RADS V2
Sofia had 10 RADS and 20 sRADS :
Her rads were in the RADS/BNB LP.
sRADS were in her wallet in order to get dividends. She already minted 14 sRADS before the snapshot, and then she minted 6 sRADS before removing liquidity as the team advised.
She will get 10 RADS V2 and 14 sRADS V2.
Michael had 800 RADS and 600 sRADS :
After the exploit, price were droping so he swapped his sRADS for RADS and he sold all his RADS. He just took his profits.
Oscar had 65 RADS he bought before the hack and he was stacking them in the RADS pool.
He did not harvest since few hours and had 0.8 RADS to harvest before the exploit. During the 24 hours until the end of the farming he was farming plenty of RADS but, has announced it will be impossible to harvest these RADS.
He will get 65 RADS V2 and 6.5 sRADS V2.
Now that the damage is done, and that the compensation plan is set, we know that the only way to redeem ourselves in the eye of our investors if by providing a v2 strong enough to get back to where it was.
Even during those tough times, we received a lot of words of trust and encouragements, and that has really been fuel for us in order to correctly bounce back with the v2.
We still strongly believe that our model can be a new paradigm in the DeFI world, and that all of those that keep trusting us even in those dark times will definitely be rewarded !
Please, be very attentive to all our messages on the different social networks:
English Telegram: https://t.me/uraniumfinance
Mandarin Telegram: https://t.me/UraniumFinance_CN
Announcements channel : https://t.me/uraniumfinanceann