16 Nov, 14 tweets, 7 min read
This weekend, our team worked together with @Manitcor from @TezTools, @mycodecrafting, and the @pinatacloud team to bring @hicetnunc2000 back online.

This was a watershed moment in #Web3. Here is an extensive technical deep dive into the steps we took.

blog.dns.xyz/a-technical-de…

🧵
Our priority was the recovery of the site. We wanted to ensure that:
- The community knew there was hope
- All exploits, across the HEN frontend, contract, and infrastructure, were identified
- The contract wasn't able to remove content
- The data on IPFS was mirrored
Looking at Twitter, #Tezos was trending with posts about "RIP HEN". People were concerned.



The best response was to go on Twitter Spaces and give people updates and reassurance in real-time.
Giving people realtime feedback was a blessing. We had 250 people able to relay news of our progress to the whole community.

We were able to share our ideas about the recovery and get votes on the domain name. We collaborated on the call to consider the risks and next steps.
This was one of the largest #web3 coordinated recovery efforts.

It's what web3 and realtime collaboration enable, that web2 doesn't: full portability, full interoperability, driven by the community.

We feel like @j_u_s__ti_n identified this perfectly:
The general consensus was that "HEN is decentralized and anyone can simply deploy a new instance. It is safe."

Unfortunately, that is a mostly wrong statement. We found a number of issues with how HEN is built. We identified several exploits and vulnerabilities over the weekend.
HEN's NFTs are mostly pinned on a single Infura instance. Based on our research, only ~10% of NFTs have *any mirroring*.

This is very alarming. We have just completed a migration of those NFTs to @pinatacloud.

It took 36 hours, 1.4M unique CIDs, and 4Tb of data.
We identified several risks with the HEN contracts

A good example of the problem would be that only the owner could change the fee, and that fee couldn't be changed to 0%.

One of the highlight bugs is that unrevoked site permissions enable the contract to control a user's NFT.

In practice, if you use a malicious instance of HEN, the owners could easily take control of the NFT.

The quickest fix for now is to stick to an instance like .art.
Unlike Web2, #web3 makes it important to get the architecture right.

You have to manage the interfaces between each system. How the contract interacts with the site, how the infrastructure gets queried by the site.

It's a lot more than simply cloning a repo, and can fall apart.
One cause of concern is that in spite of how easy it would have been to set up new instances, no one besides @TezTools had stepped up. Other marketplaces can easily help HEN and its community, and help mitigate these risks. We had to step in to make sure DNS wouldn't be affected.
HEN is safe, but there is a significant amount of refactoring ahead.

We have mirrored the IPFS data on @pinatacloud, so the NFT assets are safe. This was expensive and we'll work with the Tezos Community to make it work.

The biggest risks are behind us though.
In the meantime, we encourage everyone in the community to use the instances that are marked as safe:
We are very proud of the work our team, @TezTools, @mycodecrafting and @pinatacloud were able to turn around in two days.

HicEtNunc.art is now transferred to the @hen_community.

We are turning our focus back on DNS. Wait until you see what we can do in a few weeks!
