A few hours ago a hacker was able to steal around 9M IMX from a few wallets controlled by the team. We have already taken precautions to minimize damage and have a recovery plan to get back on track. The protocol is safe and user’s funds are unaffected by the attack.
We’re asking to users to not trade IMX, and to IMX LPs to withdraw their liquidity from the market, until further announcement.
The incident A few hours ago, around 5PM UTC of July 16th, a hacker was able to steal the private key of a few of the Impermax team’s wallets. We immediately noticed attack and did our best to transfer assets out of the affected wallets, but the hacker was still able to run away with most of the protocol owned liquidity and a large number of IMX.
There are the hacker’s addresses: 0x8e430d8388d44e30f8e612708d59cf9d832daac2 0x64e5ac2e59ccd85c02dede27d290f16d0ed5bf24 0x1d2677ed1b0815fab22368347723551a9dd1fb1b
Actions taken to minimize damage After the hacker stole the funds, he didn’t sell IMX immediately. We knew that given the stolen amount, if he dumped all his tokens in the market the price would have gone near to 0. This would have drained liquidity and LPs would have been at great loss. Therefore, we’ve decided to frontrun the hacker by dumping a large number of tokens in the market before he could do anything. By doing this we were able to secure a part of the LPs funds that will be refunded to them in the coming weeks. Additionally, since the hacker was holding a large part of the market liquidity, through the frontrun we were also able to get some funds back from the hacker.
The protocol is safe As expected, Impermax lending protocol is completely unaffected by this. If you were lending, borrowing, or leveraging on Impermax you can keep doing this as if nothing happened. This is because the attack was caused by a stolen private key, and not by a bug in the smart contracts. Since Impermax is permissionless and non-upgradable, these kind of attacks don’t affect what’s happening on the protocol.
Recovery plan While the protocol is completely unaffected, the same cannot be said of the governance token. To solve this we’re planning to do a token swap which will be based on a snapshot taken before the incident happened. A new token will be created to replace IMX and will be distributed to previous IMX holders.
The snapshot will include everyone who was holding IMX in any possible way at that time (including LPing, lending, staking, etc). We will make sure that everyone receives what he’s owed.
The details of the token swap are yet to be defined. While this situation is certainly very sad and frustrating, at the same time we can take this as the chance to improve and restart stronger than ever. A token swap gives us the opportunity to improve previous flaws in the tokenomics (for instance ticker name, cross-chain compatibility, farming reward distribution etc..). We’re currently having an open discussion with the community in our discord in the #token-swap channel. If you have any idea or suggestion you’re invited to participate!