On 2023-11-13, an unencrypted file containing the Art Blocks deployer wallet private key was accidentally uploaded to a public GitHub repository. The file also contained some other sensitive information, including some API keys.
Note: The deployer wallet is the wallet used to deploy smart contracts that are used within the Art Blocks ecosystem. It is entirely separate from any Art Blocks Admin wallet(s), which follow industry best-practices such using multi-sig wallets to ensure that no single EOA can be used to make changes to the Art Blocks ecosystem.
Concretely, the following deployer wallet was affected, and is now considered compromised:
0xB8559AF91377e5BaB052A4E9a5088cB65a9a4d63
The wallet has been replaced with a new wallet:
0x00df4E8d293d57718aac0B18cBfBE128c5d484Ef
While our smart contract system was designed to be resistant to major damages after leaked deployer keys, some damages were incurred. They included:
- Loss of 1.5 ETH/WETH directly from the deployer wallet
- Loss of approximately 6.2 ETH of funds that Art Blocks was not aware of prior to the incident.
Outside of the damages listed above, no other damages were observed. The deployer wallet was quickly rotated, and the API keys were revoked.
The root cause of the incident was an insecure process for managing sensitive deployer wallet private key information. The problematic process was identified in Q3 2023, and a plan was in place to address it in Q4 2023, but it was not yet implemented at the time of the incident.
In response to the incident, Art Blocks was able to quickly rotate the deployer wallet and revoke the API keys. This included MEV bundles to rotate any minor priviliged roles assigned to the deployer wallet.
Art Blocks has taken steps to improve its security posture, including:
- Updating our process to only allow storing encrypted wallet files when storing sensitive wallet information
- Improving our monitoring of smart contract activity to reduce the time to detection of unauthorized transactions or activity
- Creating a security incident response plan to help maintain organized and effective responses to future incidents
- Creating a new artblocks-security GitHub repository to store security-related documentation and processes, as well as to provide a central location for reporting security disclosures
- 2023-11-13: The unencrypted file was accidentally uploaded to a public GitHub repository
- 2023-11-13: The file was observed by malicious third party(ies) and the deployer wallet was drained
- 2023-11-15: Art Blocks became aware of the incident due to an unexpected zero-balance and began investigating
- 2023-11-15: Art Blocks identified the root cause of the incident and began rotating to a new deployer wallet and revoking API keys
- 2023-11-15: Art Blocks completed the rotation of the deployer wallet and revocation of API keys
- 2023-11-16: Art Blocks continued to investigate the incident and work with partners to ensure any off-chain vulnerabilities were addressed
- 2023-12-12: Art Blocks completed internal post-mortem activities, confirmed resolution of all remaining action-items, and began drafting this incident disclosure because no further actions were required to prevent further damages
None