Our priority was the recovery of the site. We wanted to ensure that:
- The community knew there was hope
- All exploits, across the HEN frontend, contract, and infrastructure were identified
- The contract wasn't able to remove content
- The data on IPFS was mirrored
Looking at the Twitter, #Tezos was trending with posts about "RIP HEN". People were concerned.
The general consensus was that "HEN is decentralized and anyone can simply deploy a new instance. It is safe."
Unfortunately, that is a mostly wrong statement. We found a number of issues with how HEN is built. We identified several exploits and vulnerabilities over the w-e.
HEN's NFTs are mostly pinned on a single Infura instance. Based on our research, only ~10% of NFTs have *any mirroring*.
This is very alarming. We have just completed a migration of those NFTs to @pinatacloud.
It took 36 hours, 1.4M unique CID, and 4Tb of data.
We identified several risks with the HEN contracts
A good example of the problem would be that only the owner could change the fee, and that fee couldn't be changed to 0%.
One of the highlight bugs is that unrevoked site permissions enable the contract to control a user's NFT.
In practice, if you use a malicious instance of HEN, the owners could easily take control of the NFT.
The quickest fix for now is to stick to an instance like .art.
Unlike Web2, #web3 makes it important to get the architecture right.
You have to manage the interfaces between each system. How the contract interacts with the site, how the infrastructure gets queried by the site.
It's a lot more than simply cloning a repo, and can fall apart.
One cause of concern is that in spite of how easy it would have been to setup new instances, no one besides @TezTools had stepped up. Other marketplaces can easily help HEN and its community, and help mitigate these risks. We had to step in to make sure DNS wouldn't be affected.
HEN is safe, but there is a significant amount of refactoring ahead.
We have mirrored of the IPFS data on @pinatacloud, so the NFTs assets are safe. This was expensive and we'll work with the Tezos Community to make it work.
The biggest risks are behind us though.
In the meantime, we encourage everyone in the community to use the instances that are marked as safe:
Tezos has a thriving #NFT ecosystem, with lots of new platforms: @hicetnunc2000 for single and multi editions @objktcom for has 10k collections @kalamint_io has lots of featured artists